Filed under About Me

Experiencing Healthcare: Words You Don’t Want to Hear

HIPAA 2013

Julie Meadows-Keefe

Experiencing Healthcare: Words You Don’t Want to Hear

“We can’t do this procedure today.”

These are words you don’t want to hear after you sit in a waiting room for over one hour drinking cupfuls of glow-in-the-dark foul tasting Kool-Aid and watching front yard makeovers on HGTV.

These are words you don’t want to hear when you’re wearing one of those fashionable exam gowns with an IV needle in your arm and with that arm bent outside of a CT scanner after being told “don’t breathe” so a scout image can be taken to get the general geography of your abdomen and colon.

Yet these are the words I heard last week when I went for an abdominal CT with contrast to determine the etiology of some rather intense abdominal pain and nausea.

What the Heck Happened?

Why was this procedure terminated almost before it started?

What we had was a failure to communicate.

You see, the day before the attempt at CT, I had another diagnostic procedure done at another facility-a hospital here in my town. The hospital procedure the day before was a barium swallow. This, like the radioactive Kool-Aid, was also delightful. You first take a shot of bitter pop-rock-type crystals on your tongue and chase it with water. Then you drink a thick barium shake, followed by a thinner barium shake and x-rays are taken as the material eases down your digestive tract. Being an engaged patient, at one point I was watching the action on the screen. (Since there was no HGTV).

As I was leaving the hospital after the barium swallow I was exhorted several times to “drink copious amounts of water” to expedite the barium’s departure from my system. I was NOT told to “refrain from abdominal CT scans for the next few days.

One reason the hospital didn’t tell me that was because they didn’t know I had it scheduled for the next day. They didn’t ask and I didn’t tell. It didn’t occur to me.

So the next day I present myself at the imaging facility and they ask on the history form if I’ve had other tests and I write “barium swallow.” They didn’t ask me the date of the swallow and I didn’t tell. It didn’t occur to me. And, it didn’t occur to the facility to ask either, before treating me to the kool-aid.

And, most disturbingly, it did not occur to the doctor’s office that they should not have scheduled me for a CT the day after a barium swallow. The doctor’s office does not use electronic ordering and the nurse was literally calling the different facilities to get dates for the procedures and to hand me my written orders. She was very stressed with papers and charts stacked on her desk.

This problem probably would not have arisen had I been scheduled for both procedures at the hospital. However, cost most likely figured into the equation of where I was sent for the procedures. The imaging center did not have the equipment or staff for the barium swallow.

The imaging center was also not equipped to be able to communicate electronically with the hospital or my physician’s office.

And there was no system in place at the doctor’s office that would alert a scheduler that she shouldn’t schedule an abdominal CT the day after a barium swallow.

So after the IV was removed from my arm and I was dressed and ready to go, the technologist at the imaging center was able to show me the picture of my belly with all the barium. I swore that I had followed the edict to drink lots of water after the barium swallow. He advised me that even if I had consumed enough water to fill a small pool, the barium would still have interfered with the acuity of the CT.
Much Anger and Frustration Ensued

I left the imaging center furious at the time I had wasted. I began asking myself what purpose such a fruitless morning could serve in my life and then it occurred to me that it perfectly illustrated the need for Health Information Exchange which is something near and dear to my heart. When systems can’t communicate and when data is not integrated, time is wasted and resources are unnecessarily consumed. This leads to higher costs and inferior care. Also, the miscommunication with my studies didn’t lead to any life-threatening issues, which could occur in more complicated procedures and situations.

My experience with the CT also exemplified the virtues of an intuitive EHR which would have built in a way to alert a provider that tests shouldn’t be scheduled at certain intervals. Much like a pharmacist is alerted by an automated system when you have a potentially harmful drug interaction, an EHR with electronic ordering would have been reminded that the CT should have been done first.

Should I Have Just Gone to the ER?

As I was driving home from the CT that wasn’t, I also thought back to a night earlier in the week when I was up because of the pain. It was around 11:30 pm and I thought that I should just go to the ER and have it solved. I wasn’t sleeping anyway and when I checked the ER’s website it told me that the wait time was less than 10 minutes. Granted, the co-pay is hefty but the benefit was that I arguably could have gotten all the testing I needed at one time, in one location and with pain meds to boot. However, having worked in healthcare so long I know that ER overuse is a huge problem and that my pain was not a true emergency. So I self-rationed.

Why Write About It?

I had to write a blog post about this so I could say I got something beneficial from the experience. The benefit is that I saw the value in systems I spend a lot of time working with and thinking about and that I am passing the experience along so that it can benefit others and show an example of how precious and costly healthcare resources are wasted when providers can’t readily communicate with one another. Plus now I have a story to tell!

And, one piece of advice: if you just had a barium swallow yesterday, don’t drink the Kool-Aid today.

Tagged ,

What Are Physical Safeguards?

Julie Meadows-Keefe

Julie Meadows-Keefe

What Are Physical Safeguards?

 

 

 

Physical Safeguards are important.

You never know who your patient (or patient’s mom) is…..

A few nights ago my daughter was sick enough to warrant a trip to the ER. (She’s fine now, thank you).

In my haste to get her there, I left my cell phone at home so on two occasions I used the phone at a station in the ER. On one occasion, I was led to the phone where the staff member dialed 9, let me dial the number and left me standing in front of the computer screen on the desk. It had identifiers for the current patients in the pediatric ER. I deliberately averted my eyes.

On the next occasion, the staff member dialed 9 and the number I wanted and instructed me to stand behind the computer screen.

Props to staff member number 2. She used what’s known as physical safeguards….which simply means that she used measures to prevent me from seeing other people’s information.

HIPAA’s Definition of Physical Safeguards

HIPAA defines physical safeguards as policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.  Therefore, health care providers like the ER must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. HIPAA also requires that health care providers implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

In this example, a provider serving mainly HIV patients entered into a resolution agreement with Health and Human Services that required them to reposition its computer monitors to prevent patients from viewing information on the screens. The practice installed computer monitor privacy screens to prevent impermissible disclosures.

Physical Safeguards Are Important

This isn’t meant to call out a “wrongdoing”-just to illustrate how easy it is to forget to protect someone’s data and how easy it is to protect it.

Training staff on practices using actual scenarios like mine and repeating the training often are keys to success. Ingrain it so it can’t be forgotten easily. Kind of like those ubiquitous “employees must wash hands before returning to work” signs.

Have you ever seen anyone’s data by mistake? What did you see?

Tagged , ,

How to Scrub Your PHI

Thinking too much about meaningful use

Julie Meadows-Keefe

Protected Health Information (PHI) is Personal

Protected health information (PHI) is some of the most personal information that exists about you and I.  It includes things like our date of birth, height, weight, address, contact numbers, family member names, medication history and more.  Generally an individual receiving health care knows that their PHI will be used for their treatment, for payment and for certain health care operations.  Do they also know that their PHI can be sanitized (de-identified) and used for research?

PHI Can Be De-Identified, and therefore, less personal.

At long last, the HHS Office of Civil Rights (OCR) has issued guidance regarding how health insurers, clearinghouses and medical providers should strip patient records of identifying information, in order to permit data to be exempt from privacy restrictions and used in clinical and research studies.

The HHS guidance presents two methods by which health care companies can satisfy a so-called de-identification standard contained within the privacy rule of the Health Insurance Portability and Accountability Act, affectionately known as HIPAA.  These two methods are expert determination and safe harbor.  OCR’s guidance is designed to assist covered entities to understand de-identification, the general process by which de-identified information is created, and the options available for performing de-identification.

The HIPAA Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following certain de-identification methods. The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.

If a covered entity decides to de-identify information via the expert route, the guidance states that the following criteria are met:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination;

 

Interestingly, OCR takes pains to state that there is no particular credential necessary for this expert.  If the matter becomes one of OCR enforcement, OCR would look at a particular expert’s qualifications on a case-by-case basis. The expert does not necessarily need to be a statistician.

If a covered entity decides to de-identify by entering the “safe harbor” there is a rather exhaustive list of what information must be removed.  This includes names, street addresses, complete ZIP codes, telephone numbers and social security numbers.  OCR points out that only 3 data points-date of birth, gender and zip code uniquely identify over ½ of US Citizens.

PHI is Irresistable to Researchers and Others Because it is a Rich Resource

My personal take on this dates back several years when I recognized that HITECH was invariably tied to the Affordable Care Act in the following ways:

  1.  HITECH has incentivized health care providers through both a carrot and stick approach to adopt electronic health records.
  2. HITECH established funding for networking health care providers to share this data.
  3. HITECH, through the mechanism of meaningful use has developed a methodology for collecting health data on all patients.  This includes things like smoking status and body mass index.
  4. The Affordable Care Act ties patient outcome and cost of care to reimbursement.
  5. To control health care costs and maximize better health care outcomes, it makes sense to draw from all available data to see what treatments work best for high-cost chronic conditions that strain the health care system such as heart disease, asthma and diabetes.  The data has to come from somewhere.
  6. Privacy advocates and others are concerned that our health information will be grist for the research mill whether we want it to be or not.
  7. Many individuals are concerned about privacy breaches involving their most sensitive personal information.
  8. On the other hand, researchers, policy-makers and others are salivating over the rich data that now exists to answer many compelling questions and bring us further down the road to curing cancer and other devastating illness.

Varying interests must be balanced moving forward, but one wonders if a patient will be able to fully comprehend that their health information may be scrubbed and used for research.  Perhaps we all have a moral obligation to contribute to the body of scientific research aimed at helping us all live healthier lives.  But at what point could such research be used to deny care on the basis that it has been proven that in most cases a particular treatment succeeds very seldom yet is very expensive.

 

We enter into a brave new world.  May patients, providers and the public remain engaged on the topic of PHI. Please leave a comment if you’d like to join the discussion!

Tagged

What is a Health Plan?

Health Plans Under HIPAA

The law is just a part of my identity

Julie Meadows-Keefe

 

 

 

 

 

 

 

Health Plans are important to Americans.  HIPAA applies to health plans, health care providers and health care clearinghouses.

 What does HIPAA Consider a Health Plan?

Today, I want to focus on its applicablity to health plans 45 CHR 160.102(a)(1). Health plans are probably familiar to you.  These are most often known as health insurance companies.  More specifically, a health plan means an individual or group plan that provides or pays the cost of medical care.

I’ll provide a quick list of further definitional aspects of what consitutues a health plan.  A health plan can have one or several aspects of the following:

(i) A group health plan;

(ii) A health insurance issuer;

(iii) An HMO (Health Maintence Organization);

(iv) Part A or Part B of the Medicare program;

(v) The Medicaid program;

(vi) An issuer of a Medicare supplemental policy;

(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy;

(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers;

(ix) The health care program for active military personnel under title 10 of the United States Code;

(x) The veterans health care program under 38 U.S.C. chapter 17;

(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS);

(xii) The Indian Health Service program under the Indian Health Care Improvement Act;

(xiii) The Federal Employees Health Benefits Program;

(xiv) An approved State child health plan under title XXI; providing benefits for child health assistance;

(xv) The Medicare+Choice program under Part C of title XVIII;

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals;

(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care.

What’s not considered a health plan under HIPAA?

Any discussion of what a health plan includes should also include a list of what’s excluded from the definition of a health plan.  These exclusions include:

(ii) A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition):

(A) Whose principal purpose is other than providing, or paying the cost of, health care; or

(B) Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.

 Under HIPAA, there is a rather specific laundry list of what is and isn’t a health plan.

It’s intuitve to think you already know what a health plan looks like for general purposes, but I hope that it was helpful to receive more details regarding how HIPAA defines a health plan.

If your organization would like further training, please contact me at

julie@esq140.com

 

 

“Human Error” Avoidance: the Google Earnings Misfire

Julie Meadows-Keefe

Julie Meadows-Keefe

“Human Error” Avoidance: the Google Earnings Misfire

 

Google rules the world. As someone who teaches companies and individuals about crisis communication, I followed with interest this weeks as Google shares were halted from trading on the NASDAQ due to an early release of earnings.  I waited for the Investor conference call to air on CNBC to see how Google would communicate about it.  Notably, very early in the call, the Director of Investor relations introduced CEO Larry Page.  Mr. Page has been keeping a low profile recently due to an unspecified illness.  In spite of having a hoarse voice, Mr. Page did get on the call to address the earnings report.  He apologized for the “scramble on release” of the earnings report.   He indicated that the “printers” sent them out early as a result of “human error”.  This referred to how earlier in the morning, RR Donnelley, the financial printer advised Google that they had filed Google’s 8k earnings statement without authorization.  Mr. Page then quickly moved things forward, stating that revenue was up 45%  year on year and that this is “not bad” for a teenaged company only fourteen years old. He went on to discuss the simultaneous disruption and opportunity that has been brought about by the abundance of mobile devices.  The challenge Google faces moving forward are monetizing mobile ads and devices as users shift away from pc’s.  There are currently ½ billion androids in the world.  1.3 million Androids are being added each day. Google shareholders were unpleasantly shocked to find out that at one time today, their stock had lost approximately 10% of its value.   Google and its financial printer RR Donnelley face both financial and reputational harm from today’s misfire.

 I see a few things that Google did well today:

 

  • It brought out CEO Larry Page after a period of illness-related absence to directly address the concerns related both to the premature release of the report and to the contents of the report itself.  Google utilized Mr. Page even though his voice was hoarse.
  • Mr. Page addressed it first thing.
  • Mr. Page emphasized how well Google is positioned to meet future challenges.

Google stock recommenced trading prior to the end of the business day.

 

A few things seemed to be missing:

 

  • Too much time elapsed from when the stock stopped trading to when it resumed trading, giving pundits and analysts opportunity to speculate.
  • Google did not seem to be out in front of the issue.
  • Google seemed too quick to blame RR Donnelley and did not own ultimate responsibility for when its own earnings report was released.

Google did not outline steps to demonstrate how it will avoid this in the future.

 

Observing this situation with Google unfold this week on cable and via the web demonstrated to me the following:

 

  • Even in an environment where computer glitches, viruses and even malicious cyber terror can and do sabotage companies, there is a still an active role for humans to take in making mistakes.
  • Human error will always be a variable, but processes can be put in place to reduce their likelihood.
  • When approaching a crucial deadline, there can never be enough communication and verification that everyone knows what role they are playing at what time.
  • There is a communication strategy in place in case something goes wrong.
  • The event is analyzed to identify exactly what happened and what will be done to assure that lessons are learned and the mistake is not repeated.
  • If a mistake like this can happen to a company like Google, it becomes even more important for smaller organizations to have policies and procedures in place to execute required tasks.

 

Google is a dominant global brand that is trusted and brings enormous value to both its users and investors.  This “glitch” will most likely soon be forgotten and the company will continue to be a global leader as it extracts lessons-learned and moves forward into a world that it has impacted perhaps more than any other company has before.

 

Please contact me @julie@esq140.com if you have questions about crisis communication and management.  Learn more about me here.

 

Tagged

Networking on Social Media Works

The 140:  Social networking has helped me grow professionally. 

The hash#:  #reachout.

As a former lawyer for a state agency, I never had to worry about bringing in business. It was there in spades. I had a good LinkedIn network, many Facebook friends and twitter followers. But meeting up with those folks was not something I had time for. It was frowned upon,  because it took away from the time you had to devote to tasks.
In the last few months, I reached out to many folks in my networks. I shared about myself and what I thought I could do to help them. I found out how they could help me. I asked for help I went to tweetups. I met twitter followers.  I sent notes to people expressing interest in their projects. I volunteered to guest post on their blogs. I started my own blog. And now I have a new opportunity, network members who are now new colleagues, and followers who are friends. And some Facebook friends are more deeply rooted in my life, adding value to my life every day. I am more confident in my networking and will gladly meet for lunch or coffee. So the key for me in adding value to my social network is to take it into the network of reality. Be bold. Say “let’s meet up” and have a fun and engaging time hearing about the person, the work they are doing and their mission in doing it. Brainstorm. As more professionals strike out on their own, you will be surprised at how open and responsive folks can be.

How do you feel about what you’ve read?  Leave a comment and enjoy your day.

 

Tagged

The Law Consists of Words

The law is just a part of my identity

Julie Meadows-Keefe

 

 

The law is just a bunch of words. Many many words.

 

Do you doubt that a lawyer can communicate in 140 characters or less? I can. I challenge myself to do this daily.  You can follow me on twitter at esq140. I am keep this blog because 140 characters isn’t enough to develop a truly meaningful discussion.  Twitter is a spark to get things started.

I’m a lawyer with a passion for communication and education.  I like talking to people about interesting things which may or may not relate directly to the law.

I graduated law school in 1993.  I have seen the evolution of law practice, and, indeed, our lives during this time.  It is hard now to imagine our lives without today’s technology.  The speed of developments challenges us to keep up and understand the legal challenges in our wired environments.

My aim in keeping this blog is to educate and entertain both the lawyer and non-lawyer about the intersection (and I might say collision) between techonolgy and the law. Technology has also impacted the practice of medicine.  This is a topic of great interest to me.

My first job in a law firm….

In 1997, my first job out of law school was representing doctors, hospitals and clinics in malpractice cases.  I was 24 years old and just starting my career.  It made a lasting impression because almost without exception, all of the providers I became involved with representing were gifted and dedicated professionals who, in spite of their best efforts, treated a patient who had a bad result.  It’s now 2012 and since then, I have had a wide and varied career, but I have never been far from health care and health care providers.  What I have seen since 1997 is that the health care delivery system has been increasingly burdened by regulation and increased pressure on health care providers to treat more patients more efficiently and for less money.   The regulatory environment is in a state of flux.  My interactions with providers have revealed again and again that they are feeling pressure, stress and frustration trying to keep up with it all.  My objective for this blog is to engage and educate health care providers on legal developments affecting providers to keep providers profitable, productive and compliant.

And the requisite disclaimers:

Although many posts on this blog may discuss the law, please do not construe anything in this blog as legal advice.  Your reading of this blog does not constitute legal advice.  Your comment and any response I provide is not legal advice.  This blog is for information, education and entertainment only.  If you want the law applied to your specific set of facts, please hire an attorney and form an attorney client relationship with that individual.  The opinions and views expressed on this blog are mine and mine alone and do not represent the views of anyone with whom I may practice.

Again, nothing on this blog should be construed as legal advice.  For legal advice, please contact an attorney licensed in your jurisdiction.  If you comment and I respond, you should not consider it legal advice.

The material on this blog is copyrighted under the author’s legal name.

You may e-mail me at julie@esq140.com

You may check out my linkedin

You may comment if you are not a spammer.

Enjoy learning with me about the law.

Tagged , , , ,