Spring 2013 | Anesthesia Business Consultants

800.242.1131

eAlerts

Successfully Competing In Anesthesia Services Today

Michael R. Hicks, MD, MBA, MHCM, FACHE
CEO, EmCare Anesthesia Services, Dallas, TX
From the Spring 2013 issue of The Communiqué

Recently I had the pleasure of speaking with anesthesia residents and faculty at a well-known progressive academic anesthesiology department. Opportunities like this are among the high points of my professional life because I invariably know more when I leave these presentations than when I arrive. This time was no different.

My recent professional focus has been on working with hospitals and health systems to identify workflow enhancements and quality improvement initiatives to streamline care delivery and deliver greater total value. On a more theoretical level, I have been identifying and developing novel ways to produce comparable or better perioperative medical care in terms of price, quality, and service by using nontraditional processes or clinicians in nontraditional ways. With few exceptions, however, these latter efforts fall mainly into what one would call product development—showing promise but not yet ready for prime time.

The topic, then, for this visit was the role of disruptive innovation in theshaping of anesthesia practices in the future and how the nature of competition among those providing anesthesia services might change with new entrants and funding mechanisms. Before venturing into the world of disruption and how things might look radically different, however, I felt strongly that the residents needed some background and explanation of the market as it currently exists so that the disruptive innovations I highlighted would have context as they were introduced to the audience. As a result, I began with an overview of both the business models of traditional private practice groups and the larger regional and national practices as well as some of the evolving global models for health care delivery that I see developing around the country.

As the presentation proceeded, a key discussion point centered on the drivers of capital flow into the specialty, particularly the sources of funds that would deliver the expected return on the invested capital. Very early a question arose as to what unique skills and competencies are possessed by large practices and private equity investors that lead to their belief that they will be successful and that the success will last. In other words, why do investors and owners of managed anesthesia practices believe that there is profit to be derived from what they do and where is the profit derived? Simply put, what is the nature of competition in anesthesia currently, what is strategic versus operational effectiveness, and what is necessary to be competitive today? Practices and management companies succeed today not with their ideas but with their execution.

Sustaining vs. Disruptive Innovation

At their core, essentially none of the competitive competencies being sold by anesthesia management companies are in the category of disruptive innovations. Instead, successful companies within the anesthesia space are still focused on implementing and executing sustaining innovations. These product offerings include “advances” such as increasing the adoption of the anesthesia care team model, better management practices built upon fiscal and behavioral discipline, increased alignment with institutional goals, embracing a culture of transparent outcomes measurement, and quality and process improvement that most other industries have long taken for granted.

These product attributes, while still, sadly, radical to many in anesthesia, are merely sustaining innovations and not disruptive. The activities themselves are not even strategic in the business sense. Even the smallest of practices in the anesthesia marketplace have the ability to adopt and implement all of the aforementioned product offerings. In fact, these activities are more appropriately described as improvements in operational effectiveness. One view on the concept of operational effectiveness was developed by Michael Porter, a thought leader in the area of strategy and competitiveness, to differentiate activities that can be done by many (competing by doing things we both do, only better) from activities that can only be done by a few (strategic differentiation) (Porter, 1996).

At its essence Porter argues that few companies should be able to successfully compete solely on the basis of continual improvements in operational effectiveness because of the rapid dissemination of best practices. This is particularly true for process-driven specialties such as anesthesiology. The fact that large regional and national companies are successfully competing for practices is less about their strategic differentiation than it is about the reticence of incumbent groups to adapt to changing times and make the difficult decisions needed when dealing with improving operational effectiveness.

What then, as the residents in the audience asked me, should they—and existing groups—do today to remain competitive in the current marketplace?

Strategies to Remain Competitive

First, actively manage the performance of the practice and its members with an emphasis on the latter. Unfortunately, many practices like to believe, and try to function as if, they offer a homogenous level of quality and service to their patients, surgeons, and facilities. They generally do not offer this, and most of the practices deep down know it. Ironically, most everyone else in the building knows it as well. Differing skill sets, attitudes, and motivations among clinicians mean that without some form of measurement and management being brought to bear, the care and service delivered will be uneven and predictably so. The ability to provide leadership, manage people and situations, and make difficult staffing decisions isa large part of the product offering by successful practices.

One of the fundamental problems that groups face is an inability to make management decisions for the future that might cause some immediate pain. Some of this is due to generational issues within the field. Like me, many of the leaders of groups are older and have a relatively short timeline to retirement. The idea of investing in the future of the practice means incurring some financial pain now for a return to be delivered later. If your professional life timeline is measured in months or even a few years, as in the case of the leadership of many groups, there is no possibility of return down the road. In fact, this is a significant reason that many groups solicit acquisition offers now to the potential detriment of younger members of the practice.

Second, seek ways to lower the cost of your product before someone does it for you. Large regional practices and national companies get an audience for just a few reasons. Poor quality of anesthesia care is almost never one of them. If your practice receives subsidization I promise you that it is viewed as a cost on the hospital’s income statement and will be treated like one. Provide high quality services and the hospital may well be willing to pay you for them. However, you should still actively seek ways to reduce the financial burden on the hospital, if possible. If nothing else the exercise itself will educate the practice for the next difficult contract negotiating session and send a powerful message that you aren’t seeking a handout. This will involve developing familiarity with facility operations and workflow including activities outside of the operating rooms. Many processes and people have an effect on surgical patient flow and are drivers of cost for both the facility and your practice. The science behind these investigations is called operations management and, as an added benefit, knowledge of this branch of management will be part of the future of our specialty anyway. A useful beginning reference with practical tools is the work by Ronen (Ronen, Pliskin, & Pass, 2006).

Third,embrace the concept of nonpunitive measurement, accountability, and the virtues of the quality improvement process as put forth by Deming, Berwick, James, and others (Berwick, 1989; Deming, 2000; James, 1989). Not only is it inevitable that increased individual transparency in terms of outcomes is coming to anesthesia, it is desirable. More important, it is already here. Unfortunately some of you don’t know it yet. If your hospital has an electronic health record, a surgical information management tool, or a pharmacy management system, then it has a record of many of your activities as well. For example, do your patients need more or less opioids than those of your associates? Is it possible that your nerve blocks are not as effective as your peers’? Are pain scores for your patients recorded? Think there could be a correlation? Fortunately, I think, clinicians and institutions have been living in an era where health care has been data rich and knowledge poor. One of the current big ideas in the business world involves the concept of “big data” (McAfee & Brynjolfsson, 2012). Increasingly, technology is allowing the connecting of the myriad number of seemingly disparate data points and creating opportunities for evaluation, correlation and possibly even causation.

Instead of resisting it or putting it off until forced to accept it, offer to take ownership of the measurement and the management of the findings. Yes, it will be initially awkward, even painful, to learn objectively that not everyone in the practice has the same proficiency in the administration of regional anesthesia or engenders the same level of confidence from nursing and surgical colleagues. In reality, however, it is likely just a validation of what everyone including the hospital administration, surgeons, and nursing staff already know. There are a number of easily read resources to gain a working knowledge of these concepts (Carey & Lloyd, 1995; Provost & Murray, 2011).

Fourth, learn how to communicate and most importantly negotiate well. Every interaction that we have in the perioperative process is at its essence a negotiation. Conversations with surgeons and nursing staff about patient prepared-ness, scheduling of cases, or even the discussions of anesthetic options with patients and families are at their heart exercises in negotiation. Sadly, while business education should be a fundamental part of medical school and residency training, it remains largely unavailable to most medical students and residents. Furthermore, these skills are frequently poorly modeled for residents during training.

On a fundamental level this is a disservice to our specialty and to us. On a practical and competitive level excellence in negotiation is a fundamental business skill for anesthesia practitioners. Note that the negotiation skills to which I refer are not positional tactics based on zero-sum scenarios with winner and loser outcomes, but the daily exchanges requiring integrative approaches to solving mutual problems that have risks, benefits, and tradeoffs. Here, desired outcomes are decisions based on collective needs and respect. Fortunately there are a number of resources available to gain some basic understanding of these concepts (Marcus, Dorn, & McNulty, 2011; Shell & Moussa, 2007).

Readers should note that those who excel at this form of communication also excel at both listening and understanding the perspective of those on the other end of the particular issue at hand.

Fifth, the role of the anesthesiologist is going to evolve over the next several years. Changing delivery and payment paradigms as well as the realities of disruptive innovations in perioperative medicine will create unique challenges as well as unique opportunities for the profession. My best advice for those in training or newly in practice, given from the perspective of someone long in the business as well as a potential employer, is to continue developing skills that cannot be easily replaced or are needed regardless of the delivery system changes that ensue. Leadership and communication skills, expertise with quality and process improvement, and maybe most important, the skill and comfort managing the perioperative care of clinically challenging patients will be needed regardless of delivery system changes or disruptive innovations.

Finally, realize that knowing and doing are fundamentally different aspects of competition but both provide the fundamental answer to the questions posed by the residents on the nature of competition in the anesthesia business. If you don’t know what to do then execution is irrelevant. However, practices fail, even those run by sophisticated health systems or management companies, not for a lack of knowledge but for a lack of execution. When both practice leadership and line practitioners understand that their failures are for lack of execution and not for lack of direction the path forward becomes much more clear. In this case, and at this particular point, execution can trump strategy. How long this remains true, of course, is subject for another discussion.

Berwick, D. M. (1989). Continuous improvement as an ideal in health care. N Engl J Med, 320(1), 53-56.
Carey, R. G., & Lloyd, R. C. (1995). Measuring quality improvement in healthcare: a guide to statistical process control applications. American Society for Qualit.
Deming, W. E. (2000). Out of the crisis (1st MIT Press ed. ed.). Cambridge, Mass.: MIT Press.
James, B. C. (1989). Quality management for health care delivery. Hospital Research and Educational Trust.
Marcus, L. J., Dorn, B. C., & McNulty, E. J. (2011).Renegotiating health care: Resolving conflict to build collaboration. Jossey-Bass.
McAfee, A., & Brynjolfsson, E. (2012). Big data: the management revolution. Harv Bus Rev, 90(10), 60-6, 68, 128.
Porter, M. E. (1996). What is strategy? Published November.
Provost, L. P., & Murray, S. (2011). The Health Care Data Guide: Learning From Data For Improvement. Jossey-Bass.
Ronen, B., Pliskin, J. S., & Pass, S. (2006). Focused operations management for health services organizations (1st ed. ed.). San Francisco, CA: Jossey-Bass.
Shell, G. R., & Moussa, M. (2007). The Art of Woo: Using Strategic Persuasion to Sell Your Ideas. Portfolio (Hardcover).

Michael R. Hicks, MD, MBA, MHCM, FACHE is a physician executive based in Dallas, TX. He leads the anesthesia division of a national physician practice management firm as well as managing a large regional physician-owned anesthesia practice. In addition Dr. Hicks is a consultant for a national hospital and ambulatory surgery center company. He can be reached at michael@hicks.net.

What Defines Success in Today’s Healthcare Environment?

From the Spring 2013 issue of The Communiqué

It is a privilege to bring you another article from Michael R. Hicks, MD, MBA, this time on Successfully Competing in Anesthesia Services Today. Throughout his career as an anesthesiologist and executive, Dr. Hicks has developed unique insights into the qualities that make for success. As a physician, he writes for his peers honestly and without trepidation. Dr. Hicks’s wisdom is among the most valuable information we have published in the Communiqué. In the current issue, he addresses anew the concept of disruptive innovation in anesthesia practice—but as he notes, “successful companies within the anesthesia space are still focused on implementing and executing sustaining innovations” such as quality and process improvement and “better management practices built upon fiscal and behavioral discipline.” The needed innovations will come from five different strategies identified by Dr. Hicks:

Actively manage the performance of the practice and its members, recognizing that neither the group nor its individual clinicians should be seen as commodities;
Seek ways to reduce your cost to your hospital, and in the process learn about operations management;
Embrace accountability and use your data;
Learn how to communicate. “Every interaction that we have in the perioperative process is at is essence a negotiation,” and
Continue developing your special professional skills.

Keep in mind, Dr. Hicks also counsels, that both direction and proper execution of a strategy are requisites for success. For the time being, given the state of the competition, execution can even trump strategy.

One way to lose to the competition is to fail to recognize it, according to our frequent contributor Mark F. Weiss, Esq. Mr. Weiss invites you to consider Are You Making This Mistake Concerning Competition? “This” mistake would be neglecting the threat from within the group. Other group members sometimes offer not only direct competition, e.g., by breaking off to form their own group, but they may also enable an outside group to take the place of the incumbent. It is important to build protective measures around the partnership/owner/employee relationship.

As anesthesia practice leaders, we have to stay on top of another “big C” compliance. Vicki Mykowiac, Esq. discusses the importance of preventive strategies in her article Anesthesia and Chronic Pain Compliance Risk Areas: Compliance Advice from Benjamin Franklin and Francis Bacon. If we listen, the government tells us clearly how to get into—and how to stay out of—trouble.

With the publication of the federal government’s final regulations on the HIPAA Privacy, Security and Breach Notification in January, 2013, we entered into a new era of HIPAA rights and responsibilities, which Neda M. Ryan, Esq. reviews in HIPAA Omnibus Rule: What Anesthesiologists Must Do Now.

Christopher Ryan, Esq. focuses on one very important aspect of security—preventing loss of confidential information from cell phones and tablets— in Taking Security on the Road: Steps You Can Take to Secure Your Mobile Devices.

Finally, some less obvious compliance risks come from the new technologies themselves. Joette Derricks, CPC reviews the limitations of electronic health records and the erroneous documentation that they can easily engender in Health Information Management Challenges in the World of EHR.

One recurring topic that we have not touched upon in this issue is payment for anesthesia and pain medicine services. As we go to press, the two percent across-the-board cut to Medicare physician payments mandated by the federal budget sequester is set to begin on April 1, 2013, CMS confirmed in a recent announcement. We know by now that budget deals happen down to the wire, and we hope that our worries about sequestration will be moot by the time you read the Communiqué. Whatever happens, we can assure you that we will continue to keep you up to date.

With best wishes,

Tony Mira
President and CEO

HIPAA Omnibus Rule: What Anesthesiologists Must Do Now

Neda M. Ryan, Esq.
Clark Hill, PLC, Birmingham, MI
From the Spring 2013 issue of The Communiqué

On January 25, 2013, the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued its long-awaited Health Insurance Portability and Accountability Act of 1996 (HIPAA) final omnibus regulations (Final Rule). The Final Rule modified the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (HIPAA Rules) and is comprised of four sub-rules:

Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act;
A final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure as set forth by HITECH;
A final Breach Notification rule; and
A final rule modifying the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA).

While the Final Rule is effective March 26, 2013, compliance with the provisions of the Final Rule is not required until September 23, 2013. This eight month window between the release date and the compliance date allows covered entities, including anesthesiologists, time to understand their roles under the Final Rule, and take action where necessary to ensure compliance by September 23. This article summarizes some of the key elements of the Final Rule applicable to anesthesiologists and their practices.

Business Associates

The Final Rule renews a focus on business associates and their subcontractors, beginning with revising the definition of “business associate.” Business associates are now defined as those persons (other than members of the covered entity’s work force) or entities that perform certain functions or activities that involve the creating, receiving, maintaining or transmitting of protected health information (PHI) for a specified function or activity (e.g., claims processing or administration, data analysis, processing, or administration utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, repricing). Additionally, the Final Regulations specify that a business associate includes the following:

A health information organization, e-prescribing gateway, or other person or entity that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI;
A person offering a personal health record to one or more individuals on behalf of a covered entity; and
A subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate.

Specifically excluded are healthcare providers to whom a covered entity discloses PHI for purposes of treating the individual, plan sponsors to whom a group health plan makes disclosures, a government agency determining eligibility for or enrollment in a government health plan, and a covered entity participating in an organized health care arrangement that performs certain functions.

Consistent with previous regulations and practice, covered entities must enter into Business Associate Agreements with business associates. The Business Associate Agreements must meet specific requirements, and set forth the parameters within which business associates may use and disclose PHI. Covered entities are not required to enter into direct agreements with subcontractors of their business associates. The responsibility has been placed on the business associates to ensure a contractual relationship exists between them and subcontractors that ensure compliance with the HIPAA Rules.

In line with the new focus on business associates and subcontractors, the Final Rule specifies that business associates and their subcontractors may be directly liable for certain Privacy and Security Rule violations. Therefore, business associates and their subcontractors must endure full compliance with HIPAA.

Notice of Privacy Practices

Covered entities must modify their Notice of Privacy Practices (Notice) to comply with changes in the Final Rule. Notice is required to communicate to the individual the ways in which the covered entity may use and disclose PHI, the covered entity’s duties with respect to protection of the PHI and the individual’s rights relative to his/her PHI. Typically, Notices must be delivered to patients not later than on their first encounter, and must be posted in a clear and prominent place on the covered entity’s website.

The Final Rule does not require the Notice to include a list of all situations requiring authorization. Rather, the Notice must contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization, as well as a statement that other uses and disclosures not described in the Notice will be made only with authorization from the individual. Moreover, if the covered entity intends to contact an individual for the purpose of fundraising for the covered entity, the Notice must contain a statement regarding fundraising communications and the individual’s right to opt out of receiving such communications. Finally, the Notice must contain a statement that affected individuals have the right to be notified following a breach of their unsecured PHI.

Pursuant to the changes in the Final Rule, anesthesiologists should review their Notices and update them as necessary to reflect the new requirements—or at least verify that the facility in whose Notice anesthesia is included is updated. Notices should also be updated on any websites that the practice may have. While existing patients do not need to receive a copy of the updated Notice, they must be made available upon request. As always, it is prudent to document in the patient’s file when Notices are given to them.

Individual Access to PHI

Except for limited circumstances, individuals have the right to receive and review a copy of their PHI in a designated record set. With certain exceptions, a designated record set is made up of the records maintained by or for the covered entity that is used, in whole or part, to make decisions about that individual, or that is a provider’s medical and billing records about that individual.

The Final Rule requires, for PHI maintained electronically, upon an individual’s request for an electronic copy of his/her PHI, the covered entity must provide that individual with access to the electronic information, in the electronic form and format requested by the individual, if it is readily producible. If the information is not readily producible, it must be delivered in a readable electronic format (e.g., MS Word or Excel, text, HTML, or text-based PDF) that is agreed to by the covered entity and the individual. Individuals must be given access to their records within 30 days of the request, regardless of whether the records are in paper or electronic format and whether paper records are stored off-site. Notwithstanding this timeframe, covered entities will have an opportunity for a one-time extension of 30 days.

Anesthesiologists maintaining electronic records should be reviewing their HIPAA policies to ensure they reflect this change in the HIPAA Rules. Moreover, anesthesiologists must ensure that they can grant patients’ access to their PHI within 30 days of the request.

Requesting Restrictions on Uses and Disclosures

Individuals have the right to request restrictions on the use and disclosure of their PHI for treatment, payment or operations (reasons for which a covered entity is generally not required to obtain authorization for the use and disclosure of an individual’s PHI), disclosures to those who are involved in the individual’s care or payment for care, or disclosures to family members. A covered entity is not under an obligation to grant this request; however, those covered entities agreeing to comply must abide by the restrictions.

The Final Rule expands the individual’s right to request restrictions without the covered entity’s right to deny the request. Specifically, for individuals who have paid the healthcare provider in full out-of-pocket, healthcare providers must grant requests to restrict disclosures to the individual’s health plan.

While certain uses and disclosures are required by law and thus cannot be circumvented by an individual requesting restrictions, anesthesiologists should review and revise their policies and procedures with respect to individuals’ access to their own PHI. Moreover, any forms used to process such requests must also be reviewed and revised, as necessary. For those anesthesiologists who have not been in the practice of granting restrictions, they must develop a process to comply with requests by private pay patients requesting restrictions on information disclosed to their health plans.

Breach Notification

In addition to the modifications listed above, the rules pertaining to breach notification were considerably amended. Prior to the Final Rule, “breach” was defined as a use or disclosure of PHI that posed a significant risk of financial, reputational, or other harm to the individual. A breach was presumed if the impermissible use or disclosure resulted in harm to the individual.

However, the standard by which “breach” is measured significantly changed under the Final Rule from a “risk of harm” standard to a “low probability that PHI has been compromised” standard. In other words, an impermissible use or disclosure of PHI is presumed to be a breach unless it has been demonstrated that there is a low probability that the PHI has been compromised. Therefore, breach notification is necessary in all situations, unless it is demonstrated that there is a low probability that the PHI has been compromised or an exception applies.

To determine whether the low probability standard has been met, the OCR set four factors that must be considered when performing a risk assessment:

The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification of the information;
The unauthorized person who impermissibly used the PHI or to whom the disclosure was made;
Whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed; and
The extent to which the risk to the PHI has been mitigated.

Following consideration of the factors, the risk assessment must evaluate the overall probability that the PHI has been compromised.

In addition to revising the definition of breach, the requirement that the Secretary be notified of breaches involving fewer than 500 individuals was revised. Because some breaches may go undetected for long periods of time, notification must be made to the Secretary within 60 calendar days after the end of the year in which the breach was discovered.

Investigations and Penalties

The Final Rule requires the OCR to investigate any complaint of a HIPAA violation when a preliminary review of the facts indicates that there may be a violation due to willful neglect. Willful neglect is defined as conscious, intentional failure or reckless indifference to the obligation to comply with the provision violated. The OCR may exercise its discretion in conducting a compliance review or complaint investigation in instances where culpability may be less than a willful neglect.

Importantly, the Final Rule increases the Secretary’s discretion to choose between an informal and formal resolution of investigations or compliance reviews. This change allows the Secretary to impose civil monetary penalties without pursing an informal resolution process (previously, an informal process was required to attempt to resolve issues involving noncompliance).

In 2009, the HIPAA tiered penalties were incorporated into the HIPAA Rules pursuant to HITECH. Violations of the HIPAA Rules could result in penalties of up to $1.5 million. In determining the amount of any civil monetary penalty, the Final Rule sets forth the following four factors to be considered:

The nature of the violation;
The nature and extent of the resulting harm;
The history of prior compliance with HIPAA; and
The financial condition of the covered entity or business associate.

Reality Check—HIPAA Enforcement is On the Rise

If the increased penalties and flexibility by the Secretary to impose the penalties is not alarming enough, enforcement is a very real issue that many covered entities face. A sampling of some of the settlements that have occurred in the last year include the following:

January 2, 2013 – A $50,000 settlement with a hospice, arising out of a stolen laptop containing over 400 patients’ PHI (notably, this settlement represents the first HIPAA breach settlement involving less than 500 individuals)
June 26, 2012 – A $1.7 million settlement with Alaska Medicaid arising out of a report to HHS involving a stolen thumb drive containing PHI of more than 500 Alaska Medicaid beneficiaries
May 24, 2012 – A $750,000 settlement with a Massachusetts hospital arising out of a report of disclosures made to the Attorney General regarding 473 unencrypted data tapes that were sent to a third party to be erased, but only one of the three boxes of tapes arrived
April 17, 2012 – A $100,000 settlement with a physician group arising out of a report to HHS that the physician practice was posting clinical appointments for its patients on publicly accessible website calendar
March 13, 2012 – A $1.5 million settlement with a private insurance company arising out of disclosures made under the Breach Notification Rule involving the theft of 57 unencrypted computer hard drives from a data closet

An in-depth review of the facts of each of these cases revealed that the main cause for the civil penalties was what the OCR found during the investigation. Most of the time, the investigation revealed significant deficiencies in compliance that may not have been directly related to the initial complaint.

In light of its recent pilot audit program and continuous press releases regarding settlements and penalties, the OCR is ramping up its HIPAA enforcement and no covered entity is immune from scrutiny.

What You Can Do Now

While the Final Rule does not significantly alter the way anesthesiologists have been operating under HIPAA in recent years, it does signal a need for groups to revisit their HIPAA policies and procedures, update them as necessary, and educate their workforce on those updates. The following are some specific steps anesthesia practices should be taking now:

Review, revise, and update HIPAA policies and procedures as more specifically described in this article;
Identify which relationships will fall under the definition of “business associate” and ensure that there is a Business Associate Agreement with that entity;
For those relationships previously identified as being that of a business associate relationship, ensure the Business Associate Agreement complies with the updated regulations;
Review and update, as necessary, the Notice to properly reflect new requirements of the Final Rule; and
Ensure all members of your group and workforce are educated on the new requirements and policies, and be sure to document the date of the education and who attended.

While these recommendations are specific to the revisions in the Final Rule, all anesthesia groups should regularly engage in self-audits of their compliance with their HIPAA policies and procedures, update the HIPAA policies and procedures to reflect deficiencies discovered in audits, and regularly educate the group and its workforce on the HIPAA policies and procedures and any updates that have been made. Taking these steps and documenting them will best position a group if and when it is audited or investigated by the OCR.

Neda M. Ryan, Esq. is an associate with Clark Hill, PLC in the firm’s Birmingham, MI office. Ms. Ryan practices in all areas of health care law, assisting clients with transactional and corporate matters; representing providers and suppliers in health care litigation matters; providing counsel regarding compliance and reimbursement matters; and representing providers and suppliers in third party payor audit appeals. She can be reached at (248) 988- 5884 or at nryan@clarkhill.com.

Are You Making This Mistake Concerning Competition?

Mark F. Weiss, Esq.
The Advisory Law Group, a Professional Corporation, Los Angeles, CA
From the Spring 2013 issue of The Communiqué

“The Competition”

These days I hear that term from more and more anesthesia group leaders, and I’m sure that you’re thinking about it more than you’d like.

From the Latin root competitionem, its meaning originated in the sense of rivalry, of a contest for something. Since at least the 1790s, it’s been used to describe rivalry in the marketplace.

Ask yourself what “the competition” means to you. What comes to mind?

In working with anesthesia group leaders across the country, my regular experience is that they envision the competition as another anesthesia group, whether from across the county or across the country. These days, the image that often first comes to mind is that of the predatory staffing-service model.

I certainly can’t fault these group leaders because, especially these days, there is tremendous competitive pressure from outside entities coveting your facility contracts.

So, for most group leaders protecting their practice from competitors involves looking outward to block outside groups from breaching the walls of your facility relationships.

Accordingly, the best of those group leaders would be doing all they could to create an Experience Monopoly^TM, the unique experience that the group provides to its “customers:” hospitals, referring physicians and patients, one that, even if the competitors could observe what was going on, they couldn’t replicate. And, those group leaders would be taking other action to create barriers to block entry into their market by those outside competitors.

Of course, that focus on outside competitors and the action taken to keep them at bay and to render them ineffectual, are both necessary and required.

Unfortunately, if that’s all that’s done, your group is still at risk.

That’s because being so intently focused on outside competitors can blind group leaders from seeing another, often equally lethal, predator seeking to capture your group’s business; a predator so dangerous it might destroy your group’s ability to survive.

Let me use an example from outside of healthcare to illustrate this second category of threat.

A country can take great efforts to protect state military or even physical access to a sensitive installation by, among other things, erecting barriers, both physical and virtual, to outside intrusion. Similarly, industry spends countless millions of dollars each year protecting essential trade secrets from competitors.

But that’s only part of the story, because as much as a country’s military and as industry have to be concerned about protecting their secrets from someone who’s on the outside, they have to be equally concerned about guarding against espionage from someone who’s already on the inside—by someone who is thought to be “on the team.” That same point applies to your anesthesia group.

Yet, unfortunately, protecting against competition from within is a weak point for most anesthesia groups. The reality is that many groups don’t fail simply because of competition from an outside competitor; they fail from within due to the actions of, and sometimes competition by, members of their own group who break off to directly compete with their former group or who facilitate an outside group’s ability to displace it.

Protecting against competition from within requires much more effort and detail than most groups incorporate within their “owner” documents (their shareholders agreement or partnership agreement) and within their employment agreements and subcontractor agreements.

Although in some states, the direct approach to preventing competition, covenants not to compete, is unenforceable, the correct approach is to build a series of protective measures against competition around the relationship between the group and each of its physicians, whether owners or employees/subcontractors. You can conceive of these protective measures as a series of interlocking spines or spears, each designed to provide protection. One particular measure standing alone might be compromised, but together, as a systematic structure, they provide far more potent protection.

By adopting a wide range of protective measures, groups reduce, and if possible, prevent, competition from within, whether it’s actual direct competition by group members or their facilitation of direct competition by a third party to whom those group members hand the key to the group’s economic engine.

Focusing on threats from without is hardwired into most anesthesiology group leaders. Group leaders must be just as diligent in focusing on threats from within.

Mark F. Weiss, Esq. is an attorney who specializes in the business and legal issues affecting anesthesia and other physician groups. He holds an appointment as clinical assistant professor of anesthesiology at USC’s Keck School of Medicine and practices nationally with the Advisory Law Group, a firm with offices in Los Angeles and Santa Barbara, CA. Mr. Weiss provides complimentary educational materials to our readers at www.advisorylawgroup.com. He can be reached by email at markweiss@advisorylawgroup.com.

Taking Security on the Road: Steps You Can Take to Secure Your Mobile Devices

Christopher Ryan, Esq.
Giarmarco, Mullins & Horton, P.C., Troy, MI
From the Spring 2013 issue of The Communiqué

The creation of the Medicare/Medicaid Electronic Health Record (EHR) Incentive Program (commonly known as the “Meaningful Use Program”) gave physicians and hospitals a strong incentive to integrate EHRs into their practices. (For more information regarding Meaningful Use, see “Proposed Meaningful Use Stage 2—What it Means to the Anesthesia and Pain Communities” published in the Spring 2012 issue of the Communiqué.) As part of their EHR system, many anesthesiologists have started using mobile devices such as laptops, tablets and smartphones. If used properly, these devices allow access to patients’ EHRs from anywhere that a WiFi connection (or cell phone signal) is available. This often results in quicker responses to questions from patients, families, and other providers. While the use of mobile technology has benefits, anesthesiologists choosing to utilize this technology must pay special attention to making sure they do so in a manner that conforms to their group’s or facility’s security policy and protects the privacy of the information.

This article will outline some of the various mobile security tools anesthesiologists can implement to aid in protecting their patient’s EHRs.

Draft a Mobile Use Policy

Anesthesia groups should develop and implement a mobile use policy, or include specific provisions in their security policy regarding mobile use. To develop a mobile use policy, the group must first decide whether it will allow its employees to access EHRs via mobile devices at all. Assuming this will be permitted in some fashion, the group must consider whether anesthesiologists will be permitted to use their personal mobile devices, or whether only “company owned” devices will be permitted to access secure information. Groups should also contemplate whether all mobile devices are permitted to access EHRs or whether access will be restricted to certain types of technology. For example, a group may decide that laptop computers are permitted to access EHRs, but tablets and mobile phones are not. Groups may also want to implement some of the various specific suggestions contained in this article. After an effective policy is drafted, the group should train its employees on the provisions of the policy and how they can achieve compliance with the same.

Follow Your Organization’s Policy

Reading and complying with the group’s or facility’s policy is the number one step anesthesiologists should take when implementing mobile technology and choosing which mobile security techniques to utilize. A group’s or facility’s policy may contain specific requirements that are not discussed or that differ from the items outlined in this article. Questions concerning a group’s or facility’s policy, or how to best secure a mobile device, should be directed to the group’s or facility’s Security Officer. Depending on the type of mobile device the anesthesiologist intends to use, the manner in which EHR is accessed, and the software the group or facility uses to store the EHRs, some of the items outlined below may not be applicable to all anesthesiologists. The Security Officer will assist the anesthesiologist in making sure he or she is using mobile technology in a manner that is compliant not only with the HIPAA Security Rule, but with the laws applicable in their specific jurisdiction.

Physical Security

Keeping mobile devices physically secure is the most obvious type of mobile security. Because mobile devices are, by definition, “mobile,” they are easily stolen or misplaced. While nobody can completely prevent their mobile devices from being stolen, everyone can take steps to decrease the likelihood of a theft. Instead of leaving a laptop on the back seat of a car, providers should consider locking it in the trunk or not leaving it in a car at all. Do not leave a tablet sitting on the table at the coffee shop; instead, bring it with you when you get a refill of your coffee. If an anesthesiologist uses his or her cell phone to access patient information, he or she should not let their child borrow it on the weekend. Finally, if it is utilized in public areas, anesthesiologists should consider protecting the screen of their mobile device from being viewed by unauthorized individuals by using a privacy filter.

Passwords

Simply having a password to gain access to mobile devices is not enough. Providers need to make sure that they choose unique passwords that are not easy to guess. Studies have suggested that the most common passwords include “123456,” “password” and “iloveyou.” Common categories of passwords include using your telephone number, spouse’s name or pet’s name. These common passwords should be avoided because they are relatively easy to guess. Instead, anesthesiologists should use a password that is easy for them to remember, but hard for unauthorized users to guess. Generally, passwords should be at least six characters in length, and should include upper and lower case letters, one or more numbers, and one or more characters such as “!”, “#” or “@”.

Anesthesiologists should also remember that using the same password for all accounts means that if someone gains access to one account, he or she gains access to all accounts. Therefore, anesthesiologists should use unique passwords for each piece of software that allows them to access EHRs, change their passwords frequently, and never store passwords in unsecure locations. For example, placing a sticky note on a laptop that says, “Password: ComMun!que2013ABC” renders an otherwise strong password virtually meaningless.

Auto-Logoff or Timeout

Most, if not all, mobile devices have built-in features that automatically log the user off (or lock the device) after a set amount of time of inactivity. Anesthesiologists should turn this feature on, and they should require a password to be entered in order to “wake” the device.

Saving Information Locally

Information may be stored on the mobile device itself, or it may be accessed remotely. The benefits of storing information remotely (i.e., not storing information on the device itself) is that the information is more likely to be up-to-date and require additional authentication to access the information beyond simply having access to the device. Some organizations may choose to allow anesthesiologists to store information locally on the device so that it can be accessed at any time without a connection to the internet. Having locally stored information means that if the anesthesiologist’s mobile device is lost or stolen, an unauthorized user may be able to obtain patient information with greater ease. (See “Remote Wipe” below). If information is stored locally, anesthesiologists should be sure to frequently back the information up to a secure server. Doing so means that if your device is misplaced or stolen, the information will not be lost.

Remote Wipe

Many mobile devices contain a feature that allows the owner to erase the memory or hard drive of the mobile device remotely in the event it is misplaced or stolen. Check with the manufacturer of your device to learn more about whether your device contains this feature, and if it does, make sure it is set up and ready to be activated. If it does not, talk to your Security Officer and consider investing in software that allows this capability.

Firewall/Virus Scan

A firewall is a tool that monitors incoming and outgoing activity and blocks certain transmissions according to the user’s specifications. For example, a firewall may be programed to prevent file sharing. Virus scanning software is designed to identify potentially harmful files and quarantine or delete them as necessary. Both of these tools should be utilized by anesthesiologists, and importantly, must be kept up to date.

Where to Go for More Information

Utilizing mobile devices in a medical setting improves patient care by allowing anesthesiologists to quickly access patient information from anywhere. In the event a mobile device is stolen or misplaced, or if an anesthesiologist feels his or her mobile device’s security may have been compromised, they should immediately contact their organization’s Security Officer. Providers can also visit www.healthit.gov for more information about implementing health information technology, or contact a qualified attorney.

Christopher Ryan, Esq. is an associate at Giarmarco, Mullins & Horton, P.C. in Troy, MI. Mr. Ryan practices healthcare law, working with healthcare providers in the areas of corporate formation and dissolution, contract negotiation, and health compliance. Mr. Ryan also practices litigation with a special emphasis on defending healthcare providers faced with claims of medical malpractice. He can be reached at (248) 457-7154 or at cryan@gmhlaw.com.

Keep in Touch
Twitter
Facebook
LinkedIn

Our Locations