CMS is currently testing a new payment model seeking to avoid hospitalizations by funding nursing homes and practitioners for more extensive intervention.
On August 27, 2015, CMS reported that seven organizations will test the efficacy of the new payment model for nursing home operators and practitioners by funding higher intensity interventions in the nursing facilities for residents who may otherwise be hospitalized. The goal recognizes that treatment at nursing homes is less expensive than hospitalization.
The Centers for Medicare & Medicaid Services has been working with seven “Enhanced Care and Coordination Providers” (ECCPs) for the past three years to gather information. These organizations may apply to test the new payment model.
While this should come as no news to anyone involved in revenue cycle management for nursing homes or hospitals, the agency said that “improving the capacity of nursing facilities to treat common medical conditions as effectively as possible within the facility has the potential to improve the residents’ experience at lower cost than a hospital admission.”
Significantly, the model also includes payments to physicians, NPs and PAs – which makes me wonder if part of this initiative will also include increased responsibilities for the nurse practitioners and physician assistants.
This model is currently scheduled to run from October 2016 to October 2020.
Today was the absolute worst day ever
And don’t try to convince me that
There’s something good in every day
Because, when you take a closer look,
This world is a pretty evil place.
Some goodness does shine through once in a while
Satisfaction and happiness don’t last.
And it’s not true that
It’s all in the mind and heart
True happiness can be obtained
Only if one’s surroundings are good
It’s not true that good exists
I’m sure you can agree that
It’s all beyond my control
And you’ll never in a million years hear me say that
Today was a good day
Please, now read from bottom to top
In reviewing the various reports of HIPAA breaches as a subset of the almost everyday occurrence of significant data breaches, and the recent reports of significant data breaches of information that is either entrusted to the government (e.g. medical and/or credit information) or information that the government is both logically and legally responsible for safekeeping, there seems to be a significant disconnect. With respect to HIPAA, the current regulatory environment seeks a very high level of compliance with significant fines and governmental interventions in the case of a breach, but when the government drops the ball, the most we can expect is OOPS, and maybe not even that.
Without going through the litany of recent governmental breaches, I will highlight the White House’s recent confirmation that the Office of Personnel Management suffered a SECOND cyber attack in which the data of 4.2 million Federal employees was stolen. In addition, the April 2015 report of the Office of Inspector General (OIG) reported the results of its audit of the security controls of the Department of Health and Human Services (HHS) which identified numerous deficiencies.
Imagine a father heartily puffing on a cigar, and a mother vigorously inhaling the smoke from her cigarette lecturing their teen about the dangers of smoking, while at the same time (in the name of proper parenting skills) advising their child of the consequences they would administer if their child began smoking. I imagine that at least to some, this scene would seem somewhat hypocritical.
I fully understand that there must be limitations on the ability for private citizens to sue the government and/or its employees carrying out governmental functions (sovereign immunity), but the real question is the propriety of placing standards on private industry before one cleans up one’s own house.
You may find this to be HIPAA-Critical (hypocritical), or you may feel that there is a critical need for the protections that HIPAA mandates and, therefore, immunity and consequence-free breaches are appropriate.
Irrespective of the answer, to the extent we can trust the government with private medical information (PHI) for its healthcare exchange, and to the extent that, at some level, the government may be competing with medical providers (e.g. various forms of Medicaid), is it appropriate to have two standards?
What do you think?
Identity theft is so prevalent that we are almost desensitized to its effects – unless of course we’re speaking about its victims, who are left with the unenviable task of sifting through the rubble and trying to re-create their medical and/or credit identities. What is surprising is that the very laws that were enacted (HIPAA etc.) to protect patient privacy hinder the victims of medical/identity theft from accessing THEIR OWN medical records. The Wall Street Journal had an illuminating article regarding the rise of medical/identity theft (“How Identity Theft Sticks You With Hospital Bills”). There is no way to offer absolute protection under all circumstances. I am reminded of the tragedy that occurred when the captain and flight attendants could not gain access to the cabin of a Germanwings flight, because the cabin was virtually impregnable as a safety measure against terrorists. The very measures that were put into effect to protect the passengers were the ones that ultimately cost them their lives. We cannot totally escape the Law of Unintended Consequences, but in making rules or drafting laws it is helpful to be aware of the potential for looming risks.
There are many lessons that the Medical Community – Covered Entities, Business Associates and their subcontractors – can learn from the Ashley Madison hack. Please forgive me if I omit the prurient details and/or any “holier than thou” statements about the AM business, except to say that it was a site that needed security, dealt with highly sensitive and personal matters, and the very people who sought to obtain a “full delete” of their personal information are the ones who apparently were caught “flapping in the wind” – please forgive the pun.
- How could a subscriber/patient/doctor or medical provider (CE, BA or Sub) have known that the information they retained made them a prime target? In the case of Ashley Madison, assuming it did not possess the native intelligence to realize that we live in an age of website breaches, the WSJ.com actually warned/predicted that Friend Finder networks (a website with similar appeal to individuals seeking extracurricular activities) was hacked, and that Avid Life Media (owner of AM), which was seeking to raise $200 million in an IPO, warned that “investors will have to think of hack attacks as a risk factor.” In the case of CEs, BAs and their subcontractors, and in addition to HIPAA, HITECH and the Omnibus Rule, the internet is replete with stories of both medical and nonmedical private information being hacked.
- How could the information have been safeguarded? In the case of AM, prepaid credit cards, anonymous browsing and encryption would or could have mitigated or eliminated the risk. On the Medical side, awareness and compliance with the regulatory requirements (which, incidentally, includes encryption as a safe harbor) would similarly substantially mitigate the risk and the amount of damage a breach may cause. Starting with a risk analysis, proper security and privacy protocols, management oversight, and adequate resources devoted to regulatory compliance would go a long way.
The basic problem is that the NIMBY (not in my back yard) type of denying reality has a way of catching up and exploiting vulnerabilities. The new reality is that with every passing day, more private information is being entrusted to others. Cyber security is playing a cat and mouse game with hackers, and ignoring the realities of the digital age can lead to embarrassment, financial loss (or ruin) and governmental scrutiny and fines.
What do you think?