Since Alexa is now programed to be compliant with HIPAA privacy rules, it’s likely similar voice assistance technologies will soon become available in US healthcare as well
Shortages of physicians and other types of caregivers—including
histopathologists
and pathology
laboratory workers—in the United Kingdom (UK) has the UK’s National Health Service (NHS) seeking alternate
ways to get patients needed health and medical information. This has prompted a
partnership with Amazon to use the Alexa virtual assistant to
answer patients healthcare inquiries.
Here in the United States, pathologists and clinical
laboratory executives should take the time to understand this development.
The fact that the NHS is willing to use a device like Alexa to help it maintain
access to services expected by patients in the United Kingdom shows how rapidly
the concept of “virtual clinical care” is moving to become mainstream.
If the NHS can make it work in a health system serving 66-million
people, it can be expected that health insurers, hospitals, and physicians in
the United States will follow that example and deploy similar virtual health
services to their patients.
For these reasons, all clinical laboratories and anatomic
pathology groups will want to develop a strategy as to how their
organizations will interact with virtual health services and how their labs
will want to deploy similar virtual patient information services.
Critical Shortages in Healthcare Services
While virtual assistants have
been answering commonly-asked health questions by mining popular responses on
the Internet for some time, this new agreement allows Alexa to provide
government-endorsed medical advice drawn from the NHS website.
By doing this, the NHS hopes to reduce the burden on
healthcare workers by making it easier for UK patients to access health
information and receive answers to commonly-asked health questions directly from
their homes, GeekWire
reported.
“The public needs to be able to get reliable information
about their health easily and in ways they actually use. By working closely
with Amazon and other tech companies, big and small, we can ensure that the
millions of users looking for health information every day can get simple,
validated advice at the touch of a button or voice command,” Matthew Gould, CEO of NHSX, a division of the NHS that focuses
on digital initiatives, told GeekWire.
The
Verge reported that when the British government officially announced
the partnership in a July press
release, the sample questions that Alexa could answer included:
Alexa, how do I treat a migraine?
Alexa, what are the symptoms of the flu?
Alexa, what are the symptoms of chickenpox?
“We want to empower every patient to take better control of
their healthcare and technology like this is a great example of how people can
access reliable, world-leading NHS advice from the comfort of their home,
reducing the pressure on our hardworking GPs (General Practitioners) and
pharmacists,” said Matt
Hancock, Secretary of State for Health and Social Care, in the press release.
MD
Connect notes that the NHS provides healthcare services free of charge to
more than 66-million individuals residing in the UK. With 1.2 million
employees, the NHS is the largest employer in Europe, according to The
Economist. That article also stated that the biggest problem facing the
NHS is a staff shortage, citing research conducted by three independent
organizations:
Their findings indicate “that NHS hospitals, mental-health
providers, and community services have 100,000 vacancies, and that there are
another 110,000 gaps in adult social care. If things stay on their current
trajectory, the think-tanks predict that there will be 250,000 NHS vacancies in
a decade,” The Economist reported.
UK’s Matt Hancock, Secretary of State for Health and Social Care (above), defends the NHS’ partnership with Amazon Alexa, saying millions already use the smart speaker for medical advice and it’s important the health service uses the “best of modern technology.” Click here to watch the video. (Video and caption copyright: Sky News.)
“This idea is certainly interesting and it has the potential
to help some patients work out what kind of care they need before considering
whether to seek face-to-face medical help, especially for minor ailments that
rarely need a GP appointment, such as coughs and colds that can be safely
treated at home,” Professor
Helen Stokes-Lampard, Chairman at the Royal
College of General Practitioners, and Chair of the Board Of
Directors/Trustees at National
Academy of Social Prescribing, told Sky News.
“However,” she continued, “it is vital that independent
research is done to ensure that the advice given is safe, otherwise it could
prevent people seeking proper medical help and create even more pressure on our
overstretched GP service.”
Amazon has assured consumers that all data obtained by Alexa
through the NHS partnership will be encrypted to ensure privacy and security,
MD Connect notes. Amazon also promised that the personal information will not
be shared or sold to third parties.
Alexa Now HIPAA Compliant in the US
This new agreement with the UK follows the announcement in April
of a new Alexa
Skills Kit that “enables select Covered Entities and their Business
Associates, subject to the US Health
Insurance Portability and Accountability Act of 1996 (HIPAA), to build
Alexa skills that transmit and receive protected
health information (PHI) as part of an invite-only program. Six new Alexa
healthcare skills from industry-leading healthcare providers, payors, pharmacy
benefit managers, and digital health coaching companies are now operating in
our HIPAA-eligible environment.”
Developers of voice assistance technologies can freely use
these Alexa skills, which are “designed to help customers manage a variety of
healthcare needs at home simply using voice—whether it’s booking a medical
appointment, accessing hospital post-discharge instructions, checking on the
status of a prescription delivery, and more,” an Amazon
Developer Alexa blog states.
The blog lists the HIPAA-compliant Alexa skills as:
Express
Scripts: Members can check the status of a home delivery prescription and can
request Alexa notifications when their prescription orders are shipped.
Cigna
Health Today by Cigna (NYSE:CI): Eligible employees with one of Cigna’s
large national accounts can now manage their health improvement goals and
increase opportunities for earning personalized wellness incentives.
Swedish
Health Connect by Providence St.
Joseph Health, a healthcare system with 51 hospitals across seven states
and 829 clinics: Customers can find an urgent care center near them and
schedule a same-day appointment.
Atrium
Health, a healthcare system with more than 40 hospitals and 900 care
locations throughout North and South Carolina and Georgia: Customers in North
and South Carolina can find an urgent care location near them and schedule a
same-day appointment.
Livongo,
a digital health company that creates new and different experiences for people
with chronic conditions: Members can query their last blood sugar reading,
blood sugar measurement trends, and receive insights and Health Nudges that are
personalized to them.
HIPAA Journal notes: “This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of HIPAA Privacy Rules, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.”
Steady increases associated with the costs of medical care
combined with a shortage of healthcare professionals on both continents are
driving trends that motivate government health programs and providers to
experiment with non-traditional ways to interact with patients.
New digital and Artificial
Intelligence (AI) tools like Alexa may continue to emerge as methods for
providing care—including clinical laboratory and pathology advice—to healthcare
consumers.
Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties
Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24-million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.
The first public statements made by clinical lab companies
about breaches of protected health information were issued in June.
Collectively, the following three lab companies announced that the data of more
than 20 million patients was compromised:
What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.
Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.
Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:
No Knowledge, $100-$50,000 fine, $1.5 mil annual
limit.
Reasonable Cause, $1,000-$50,000 fine, $1.5 mil
annual limit.
In the notice, HHS stated, “the Department recognized that
section 13410(d) contained apparently inconsistent language (i.e., its
reference to two penalty tiers ‘for each violation,’ each of which provided a
penalty amount ‘for all such violations’ of an identical requirement or
prohibition in a calendar year). To resolve this inconsistency, with the
exception of violations due to willful neglect that are not timely corrected,
the [interim final rule] adopted a range of penalty amounts between the minimum
given in one tier and the maximum given in the second tier for each violation
and adopted the amount of $1.5 million as the limit for all violations of an
identical provision of the HIPAA rules in a calendar year.”
Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”
Thus, the new HHS guidelines will be of interest to clinical
laboratories, which must ensure the privacy of patients’ PHI, including being
keenly aware of how vendor business associates are handling their patients’
data.
In an exclusive interview with The Dark Report, James Giszczak (above), Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)
Did HHS Go Too Far?
Some experts, however, wonder if HHS went too far in
reducing annual penalties providers may owe. Could lower annual CMP caps cause
organizations to relax strict PHI policies? Some privacy authorities urge
caution and raise concern about how incentives may be perceived by providers
and others.
“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.
“Arguably,” she continued, “the incentive to fix these
persistent failures is much less because the potential fines for failing to do
so will not be very large. Same is true for large breaches—if you breach 10
records, at a minimum penalty of $1,000 for a breach due to reasonable cause,
your fine would be $100,000, which is the annual cap.”
New Annual Limits Recognize ‘Unintentional’ Violations
But not all experts agree. Prior to HHS’ announcement,
minimum to maximum penalty violations were the same as noted in the tiers
above. The annual limits ($1.5 million), however, were the same for each of the
four tiers.
Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”
“If a violation was clearly unintentional and without
knowledge, why should a potentially massive fine follow? While the discretion
existed, the interpretation will now be binding and remove the potential
uncertainty,” he told FierceHealthcare.
Advice for Clinical Laboratories
Labs are advised to develop appropriate procedures to
safeguard their patients’ PHI under federal and state laws. And this includes
knowing how vendors handle PHI.
“Every lab should be proactive and do a review to understand
each vendor’s policies, procedures, training, and response in the event of a
breach,” James
Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the
Litigation Department at McDonald
Hopkins in Bloomfield Hills, Mich., told The
Dark Report (TDR).
“By being prepared, clinical laboratories can save
themselves many headaches,” he said. “Ultimately, these proactive steps may
help laboratories save time, money, and costly bad publicity.”
Following that advice, along with understanding the new HHS notice,
will help medical laboratory managers ensure the privacy and security of their
client’s PHI.
This is important for clinical laboratory leaders to watch, because medical labs often interface with hospital EHRs to exchange vital patient data, a key component of complying with Medicare’s EHR incentive programs. If claims of interoperability are shown to be false, could labs engaged with those hospital systems under scrutiny be drawn into the DOJ’s investigations?
Violating the False Claims Act
In May, Coffey Health System (CHS), which includes Coffey County Hospital, a 25-bed critical access hospital located in Burlington, Kan., agreed to pay the US government a total of $250,000 to settle a claim that it violated the False Claims Act.
CHS’ former CIO filed the qui tam (aka, whistleblower) lawsuit, which allows individuals to sue on behalf of the government and share in monetary recovery. He alleged that CHS provided false information to the government about being in compliance with security standards to receive incentive payments under the EHR Incentive Program.
According to a DOJ press release, “the United States alleged that Coffey Health System falsely attested that it conducted and/or reviewed security risk analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013. The government contended that the hospital submitted false claims to the Medicare and Medicaid Programs pursuant the Electronic Health Records (EHR) Incentive Program.”
“Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records,” said Stephen McAllister (above), United States Attorney for the District of Kansas, in the DOJ press release. “This office remains committed to protecting the federal health programs and to hold accountable those whose conduct results in improper payments.” (Photo copyright: US Department of Justice.)
The Recovery Act allocated $25 billion to incentivize healthcare professionals and facilities to adopt and demonstrate meaningful use (MU) of electronic health records by January 1, 2014. The federal Centers for Medicare and Medicaid Services (CMS) released the incentive funds when providers attested to accomplishing specific goals set by the program.
The website of the Office of the National Coordinator for Health Information Technology (ONC), HealthIt.gov, defines “meaningful use” as the use of digital medical and health records to:
Improve quality, safety, efficiency, and reduce
health disparities;
Engage patients and their families;
Improve care coordination and population and
public health; and
Maintain privacy and security of patient health
information.
The purpose of the HITECH Act was to address privacy and security concerns linked to electronic storage and transference of protected health information (PHI). HITECH encourages healthcare organizations to update their health records and record systems, and it offers financial incentives to institutions that are in compliance with the requirements of the program.
When eligible professionals or eligible hospitals attest to being in compliance with Medicare’s EHR incentive program requirements, they can file claims for federal funds, which are paid and audited by the Department of Health and Human Services (HHS) through Medicare and Medicaid.
Institutions receiving funds must demonstrate meaningful use
of EHR records or risk potential penalties, including the delay or cancellation
of future payments and full reimbursement of payments already received. In
addition, false statements submitted in filed documents are subject to criminal
laws and civil penalties at both the state and federal levels.
EHR Developers Under Scrutiny by DOJ
EHR vendors also have been investigated and ordered to make
restitutions by the DOJ.
In February, Greenway Health, a Tampa-based EHR developer, agree to pay $57.25 million to resolve allegations related to the False Claims Act. In this case, the government contended that Greenway obtained certification for its “Prime Suite” EHR even though the technology did not meet the requirements for meaningful use.
And EHR vendor eClinicalWorks paid the government $155 million to settle allegations under the False Claims Act. The government maintained that eClinicalWorks misrepresented the capabilities of their software and provided $392,000 in kickbacks to customers who promoted its product.
Legal cases such as these demonstrate that the DOJ will
pursue both vendors and healthcare organizations that misrepresent their
products or falsely attest to interoperability under the terms laid out by
Medicare’s EHR Incentive Program.
Clinical laboratory leaders and pathology groups should carefully
study these cases. This knowledge may be helpful when they are asked to create
and maintain interfaces to exchange patient data with client EHRs.
Protecting patient privacy is of critical importance, and yet researchers reidentified data using only a few additional data points, casting doubt on the effectiveness of existing federally required data security methods and sharing protocols
Therefore, recent coverage in The Guardian which reported on how easily so-called “deidentified data” can be reidentified with just a few additional data points should be of particular interest to clinical laboratory and health network managers and stakeholders.
“We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth,” Culnane stated in a UM news release. “This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy.”
In a similar study published in Scientific Reports, Yves-Alexandre de Montjoye, PhD, a computation private researcher, used location data on 1.5 million people from a mobile phone dataset collected over 15 months to identify 95% of the people in an anonymized dataset using four unique data points. With just two unique data points, he could identify 50% of the people in the dataset.
“Location data is a fingerprint. It’s a piece of information that’s likely to exist across a broad range of data sets and could potentially be used as a global identifier,” Montjoye told The Guardian.
The problem is exacerbated by the fact that everything we do online these days generates data—much of it open to the public. “If you want to be a functioning member of society, you have no ability to restrict the amount of data that’s being vacuumed out of you to a meaningful level,” Chris Vickery, a security researcher and Director of Cyber Risk Research at UpGuard, told The Guardian.
This privacy vulnerability isn’t restricted to just users of the Internet and social media. In 2013, Latanya Sweeney, PhD, Professor and Director at Harvard’s Data Privacy Lab, performed similar analysis on approximately 579 participants in the Personal Genome Project who provided their zip code, date of birth, and gender to be included in the dataset. Of those analyzed, she named 42% of the individuals. Personal Genome Project later confirmed 97% of her submitted names according to Forbes.
In testimony before the Privacy and Integrity Advisory Committee of the Department of Homeland Security (DHS), Latanya Sweeney, PhD (above), Professor and Director at Harvard’s Data Privacy Lab stated, “One problem is that people don’t understand what makes data unique or identifiable. For example, in 1997 I was able to show how medical information that had all explicit identifiers, such as name, address and Social Security number removed could be reidentified using publicly available population registers (e.g., a voter list). In this particular example, I was able to show how the medical record of William Weld, the Governor of Massachusetts of the time, could be reidentified using only his date of birth, gender, and ZIP. In fact, 87% of the population of the United States is uniquely identified by date of birth (e.g., month, day, and year), gender, and their 5-digit ZIP codes. The point is that data that may look anonymous is not necessarily anonymous. Scientific assessment is needed.” (Photo copyright: US Department of Health and Human Services.)
“Open publication of deidentified records like health, census, tax or Centrelink data is bound to fail, as it is trying to achieve two inconsistent aims: the protection of individual privacy and publication of detailed individual records,” Dr. Teague noted in the UM news release. “We need a much more controlled release in a secure research environment, as well as the ability to provide patients greater control and visibility over their data.”
While studies are mounting to show how vulnerable deidentified information might be, there’s little in the way of movement to fix the issue. Nevertheless, clinical laboratories should consider carefully any decision to sell anonymized (AKA, blinded) patient data for data mining purposes. The data may still contain enough identifying information to be used inappropriately. (See Dark Daily, “Coverage of Alexion Investigation Highlights the Risk to Clinical Laboratories That Sell Blinded Medical Data,” June 21, 2017.)
Should regulators and governments address the issue, clinical laboratories and healthcare providers could find more stringent regulations on the sharing of data—both identified and deidentified—and increased liability and responsibility regarding its governance and safekeeping.
Until then, any healthcare professional or researcher should consider the implications of deidentification—both to patients and businesses—should people use the data shared in unexpected and potentially malicious ways.
Plans by large-scale employers to self-insure brings into question how clinical laboratories would submit claims and get reimbursed from inside and outside of a corporate provider/payer network
Clinical laboratories and anatomic pathology groups serving the nation’s hospitals and health systems may get increased network access to patients due to new developments in the health insurance marketplace. In recent months, both large corporate players and a number of smaller hospital systems have decided to form their own health insurance companies.
For example, six New Jersey hospital health systems announced they have taken steps to self-insure their employees by forming the Healthcare Transformation Consortium (HTC). This follows a similar joint agreement by Amazon, Berkshire Hathaway, and JPMorgan Chase to self-insure their employees as well. Inhouse medical laboratories and anatomic pathology groups that service these entities will likely find themselves part of new private provider/payer networks, which will impact how and when they get reimbursed for their services.
Both groups hope to slow skyrocketing healthcare costs, improve outcomes, and avoid having to navigate the increasingly complex insurance industry. Between the two groups, nearly one million employees will be insured directly by their companies.
Another reason these two events could be good news for the hospitals, doctor’s groups, and medical laboratories involved is they will no longer have to deal with narrow networks and mandates required of health plans subject to the federal Employee Retirement Income Security Act (ERISA) of 1974. This also may include regulations in the Health Insurance Portability and Accountability Act (HIPAA), which amended ERISA in 1996.
Local clinical laboratories will likely automatically become part of the combined provider group as well, which is good. But will they have to alter how they submit claims and get reimbursed for services rendered to a private corporate payment system?
Goals of Corporate Healthcare
In a press release, Amazon, JPMorgan Chase, and Berkshire Hathaway stated they are “partnering on ways to address healthcare for their US employees, with the aim of improving employee satisfaction and reducing costs.” A not-uncommon healthcare goal, these days.
One of the few concrete details in the release stated, “The initial focus of the new company will be on technology solutions that will provide U.S. employees and their families with simplified, high-quality and transparent healthcare at a reasonable cost.”
The six N.J. healthcare providers in the HTC include:
Together, they employ approximately 50,000 individuals who all will be enrolled in a single health plan, scheduled to go live January 1, 2019.
Kevin Slavin (above), President and CEO of St. Joseph’s Health in Syracuse, N.Y., told HealthLeaders Media. “Each of us have had our different strategies to reduce costs and improve care for our beneficiaries, but now we have six systems that can share those ideas and harness power together.” He added that they expect to see immediate cost savings per enrollee for hospital, outpatient, and medical laboratory services. (Photo copyright: St. Joseph’s Healthcare System.)
Stocks Fall in Response to Announcements
On the day that Amazon (NASDAQ:AMZN), JPMorgan Chase (NYSE:JPM), and Berkshire Hathaway (NYSE:BRK.A, BRK.B) made their announcement, UnitedHealth Group (NYSE:UNH), Anthem (NYSE:ANTM), and other healthcare companies saw their stocks fall. This demonstrates how disruptive such partnerships and coalitions can be in the healthcare marketplace, the New York Times reported.
They can be disruptive in more immediate ways, as well. For example, companies may use collected patient data to devise wellness programs they then offer their employees for free—even going as far as providing a financial incentive to participate. A healthier employee workforce means lower healthcare costs, but also less revenue to surrounding hospitals, physician’s practices, and medical laboratories.
What’s good for one group is not so good for the other, even though people are getting healthier in the long run.
And, to be fair, removing a million people from health insurance plans surely will negatively impact those companies’ finances, as well. The six HTC entities spend approximately $250 million annually for health benefits.
Kevin Joyce, VP of Insurance Networks at Atlantic Health System, a six-hospital health system in Morristown, N.J., told Healthcare Finance that, because the organizations involved in the HTC are healthcare providers themselves, the consortium has a particularly intimate knowledge of the issues causing the ever-rising cost of care.
“This is one of the ways to try to bend the cost curve,” he noted. “I honestly believe with the rise in high-deductible plans, trying to make healthcare more affordable should be the mission of both payer and provider. What makes us different from Amazon is that we as competitors came together to do this. This should have a ripple effect across all of our membership.”
Kevin Lenahan, CPA, Senior Vice President, Chief Financial and Administrative Officer, at Atlantic Health System agrees, adding, “It’s like-minded organizations that came together. We know each other. We all felt that we have a responsibility to improve quality, help transparency.”
Huge Obstacles on All Sides
In a CNBC interview covered by Inc. Magazine, Berkshire Hathaway CEO Warren Buffett emphasized that the obstacles such coalitions face are enormous.
“You talk about something that has $3.3 trillion in revenues presently going to people, and most people that are on the receiving end of the $3.3 trillion are happy with things.” He added, “If it was easy, it’d have been done.”
Nevertheless, both coalitions hope to serve as models for others. “By working closely with like-minded organizations, we can share best practices, learn from one another, and lead the transition from fee-for-service to value-based care, using our own benefit plans as proving grounds,” Joyce told Healthcare Finance.
As the trend to self-insure employees gains steam across corporate America, it will be interesting to see how the inhouse medical laboratories, and independent clinical laboratories and pathology groups that service these entities, are affected by the change.
