A little March Madness, and a lot of security concerns

I've been watching my beloved Michigan State Spartans squeak into the Final Four. Game announcers have all commented on the fact that MSU’s team is walking wounded: Kalin Lucas has a torn Achilles’ tendon; Chris Allen has plantar fasciitis in his foot; Delvon Roe has a torn meniscus in his knee.

I’m sure if I spent enough time on ESPN’s Web site I could download the X-rays. I’ve heard breaking news about sprains, breaks, concussions, migraines, anxiety attacks and in one memorable broadcast, an in-game bout of diarrhea. Equally memorable, I remember watching a University of Michigan football game where a star receiver got taken off in a stretcher … and the broadcasters were told that due to the HIPAA medical privacy law, no information would be released about his condition.

As a couch schlub, I really, really want to know if a player who got knocked out of the game is going to stay knocked out. But I’m not really sure I should know; don’t these kids have some rights to medical privacy and have a say whether they want the information in the public forum? I wouldn’t even question the practice, since it’s been ongoing since sports have been on TV and even college teams can get X-rays and other diagnostic procedures performed virtually at court side.

Never would have given it a second thought if one college hadn’t done it differently. At the very least, someone should think twice before going public--I’m sure the diarrhea sufferer would have liked the opportunity to massage the wording on that press release. Gastrointestinal trauma? External pelvic event?

*****

On the subject of data security/privacy, you kinda have to feel for Blue Cross Blue Shield of Tennessee. Late last year the Blues plan found out that 57 hard drives--containing information on around 500,000 members--had been stolen from a call center facility. By all accounts the insurer jumped all over it, immediately opening multiple investigations and throwing personnel and money in to get a handle on the situation--500 staff have worked on the project to identify and contact potentially affected members.

Being diligent comes at a price--about $7 million, to be exact. That’s how much Blue Cross Blue Shield of Tennessee has spent on the data breach, and they’re still working, and still spending. The costs of data breaches have not been much of a story in health care I.T. because, well, we haven’t really paid much attention to them. We’ve reported an awful lot about the costs of securing data, but not much about what happens when the horse gets out of the barn because data breaches and HIPAA privacy/security violations have been handled quietly and privately by the Office for Civil Rights.

But you probably know that’s all changed. As we’ve reported, the OCR in the Department of Health and Human Services has created a Web site (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html) that lists health care data breaches that affect 500 or more individuals. The site was authorized under HITECH’s breach notification rule, which hasn’t gotten as much attention as the gazillions of dollars the feds are handing out for EHR adoption. Breach notification requires organizations to alert the OCR AND THE LOCAL MEDIA about data breaches of that magnitude.

But we’re on the story, and we will have plenty to write about (already have, in fact).  Data breaches affecting 500 people sounds like peanuts, unless of course you are one of the 500 and just woke up to find out your private medical information, and in some cases your Social Security number and other info to boot, is in the hands of Lord knows who doing Lord knows what.

Something else to consider when you look at the numbers: the Ponemon Institute found that some studies tagged the average cost of investigating a data breach as high as $197 per record. So a “small” data breach might cost you $100,000, and I wouldn’t expect much help from an insurance policy.

*****

A couple years ago I did a podcast with Martin Callahan at TransUnion Healthcare (http://www.healthdatamanagement.com/podcasts/-26315-1.html). Our conversation focused mainly on revenue cycle management issues, but he predicted that another accounting issue was going to trip up hospitals: IRS Form 990, which requires not-for-profit hospitals to document charity care and other community benefits. The problem, he said, was that too many hospitals were defining charity care as bad debt and unreimbursed Medicare bills. Doing so, he predicted, was going to come back to haunt a lot of facilities.

So it caught my attention when I read in the Chicago Tribune that the Illinois Supreme Court last week upheld a lower court ruling that stripped Provena Covenant Medical Center’s property tax exemption because the Urbana, Ill.-based hospital failed to justify its tax-exempt status through charitable care. Standard & Poor’s predicted Provena could be on the hook for up to $10 million. The ruling didn’t affect the not-for-profit status of other Provena Health hospitals in Illinois. But it hurts, bad. I’m not sure that it was solely accounting rules that tripped up Provena, or whether they simply weren’t being very charitable. But I’m guessing the former.

The IRS is indicating it’s going to look hard at compensation and benefit levels for execs at not-for-profits, which it’s authorized to do under IRS 990. The rule has been lurking around for years, but keeps getting more complex and dangerous for hospitals not keeping their eye on the ball: The IRS is also using 990 to analyze tax-exempt bond funding for not-for-profits. Don’t expect to see a spike in hospitals losing their not-for-profit status--but keep your eyes open for news about 990 occasionally being used to drop the hammer on a hospital or a high-profile case about an exec’s exorbitant pay. In the times we live in, the feds are looking for some scapegoats in the realm of financial excess, and they have a lot of tools in their arsenal.

*****

Our company switched this year to high-deductible plans coupled with health savings accounts. I’ve had the pleasure of handing my HSA card over to front-office staff at multiple facilities in the past few months (my kids must enjoy the doctor’s office/ER because they find ingenious ways to end up there). 

In most cases, front-office befuddlement, like they asked for a payment card and I had handed them an ice cream cone. I’ve given a couple presentations at financial forums where organizers asked me to explain EHRs or health information exchanges to the bean counters. And after I’ve been politely shooed off the stage, the bean counters have gone back to asking how in the hell they’re supposed to process HSA payments at the point of service.

Guess they need to keep talking. HSAs have been around since 2004 or so and they’re still perplexing employees, employers, hospitals, group practices, accountants, you name it. I’ve managed to get myself some education, but I’m in no position to educate front-office staff at the pediatrician’s--or, and this is a frightening prospect, maybe I am?

A study from the Manhattan Institute for Policy Research (report: http://www.manhattan-institute.org/html/mpr_08.htm) provides some exhaustive research on HSA-qualified plans. One finding is, unsurprisingly, that few consumers are familiar with HSA plans or understand how they work.  But all parties better figure this out because that’s the way the wind is blowing. We’ve been finding kernels of the massive health care reform bill that apply to the health I.T. market, but processing payments on new types of plans likely will be an issue soon enough. And if HSAs are still causing confusion, imagine how government-backed programs are going to wreak front-office havoc.
