Keeping Documentation Secure

As Medicare audits resume, O&P providers juggle increased documentation demands while awaiting decisions on the draft Local Coverage Determination for Lower Limb Prostheses and prior authorization for certain durable medical equipment, prosthetics, orthotics and supplies. These issues make accurate, thorough documentation more important than ever.

Convenience at the cost of security

At the same time, while U.S. health care moves increasingly toward the use of electronic health records (EHRs) and other forms of digital documentation, data security issues continue to plague the field. A study by the PricewaterhouseCoopers (PwC) Health Research Institute found that in the summer of 2014 alone, more than 5 million patients had their personal data compromised in health system privacy breaches. PwC researchers expect tension to continue to increase between mobile users’ need for privacy and their desire for convenience. The organization reported 65% of survey respondents said data security was more important to them than convenient access to imaging and test results, physician’s notes, diagnoses and prescriptions. The opposite was true, however, for fitness data, with 68% of respondents valuing convenience over data security.

In a PwC report on the survey findings, Bryan Kissinger, executive director at Kaiser Permanente, who oversees the company’s Health Insurance Portability and Accountability Act (HIPAA) Security program, said, “We have seen an increase in the desire for customers to have access to their data in real-time on their mobile devices. This demand for more convenient access increases the importance to provide this information in a secure manner.”

Patient trust in the privacy and security of their information is crucial to patient care, as 56% of consumers said in the PwC survey their concerns about the privacy and security of their medical information would affect their willingness to tell their doctors “everything” about their medical conditions, and 51% said it would affect their willingness to participate in clinical trials.

In addition, a study published recently in Annals of Family Medicine noted patients aged 50 years and older are less willing to share their health information electronically than adults aged 18 years to 34 years. Overall, 44% of patients surveyed were “not at all willing” to exchange diagnostic information and 40% were “not at all willing” to share digital images with clinicians through a mobile device. Most respondents were willing, however, to share general health tips, medication reminders, laboratory and test results, lifestyle behaviors, symptoms and appointment reminders.

Increased use in O&P

As noted in the January Cover Story of O&P News, O&P facilities have three software options for EHRs. Jason T. Kahle, MSMS, CPO, FAAOP, told O&P News in January the options were not yet cloud-based or user-friendly. But Kahle said he believes the Affordable Care Act is pushing all providers toward the use of EHR systems, which he expects to eventually become interoperable.

According to Charles W. Kuffel, MSM, CPO, FAAOP, practitioners can access limited office documents through smartphones if they use OPIE Software to record EHRs. Kuffel is chair of the National Commission on Orthotic and Prosthetic Education (NCOPE), and president and clinical director of Arise Orthotics and Prosthetics Inc.

“Other EHR programs may also have similar applications,” Kuffel added. “Additionally, programs from manufacturers that list products or orthometry forms are commonly used. A number of manufacturers provide applications that allow for secure data to be transmitted for the fabrication of prosthetic sockets, cranial molding [orthoses] and spinal [orthoses].”

While digital documentation is becoming more common in the O&P profession, officials said practitioners should not become too comfortable when it comes to security; in fact, they may need to be more vigilant, according to Jeff Price, MCP, chief operating officer, and Wendy Miller, BOCO, LO, CDME, chief credentialing officer, both of the Board for Certification/Accreditation (BOC).


“Protecting intellectual property, client data and other sensitive information is one of the biggest challenges for any organization in today’s marketplace,” Price told O&P News, noting both paper and digital documentation carry a unique set of challenges.

“Although paper can be shredded or locked in a filing cabinet, it also can be easily distributed in ways that are untraceable,” they said. “Electronic data can be transmitted in many different ways, but the chain of custody can be easier to trace or follow. Both types of data require accessibility limitations to prevent a data breach or unwanted intrusion,” he added.

Digital documentation in O&P has moved beyond EHRs and paperwork.

“Photo and video documentation is increasingly common in O&P practices and can sometimes be used as evidence of medical necessity, patient compliance and patient satisfaction,” Miller said.

As with most technology, use has evolved over time as users find the best fit for offerings.

“In the past, videos or photographs of patients were used to record a unique pathology to be able to consult with another practitioner about formulating a treatment plan for the patient. The focus has shifted dramatically to obtaining photographs and videos of the patient in order to justify the treatment plan to third-party payers,” Steve Fletcher, CPO, LPO, director of clinical resources for the American Board for Certification in Orthotics, Prosthetics and Pedorthics (ABC), said.

In addition, Fletcher said the use of mobile apps appears to be on the rise among O&P facilities. Apps such as Dartfish Express and Coach’s Eye, both of which are targeted for sports use, allow practitioners to use video capture and analysis to better evaluate patients, he said.

Guidelines and assistance

O&P education does not currently cover data security, sources said. Educational standards are set by NCOPE; however, no standards currently exist that directly address data security. In addition to requiring practices to follow HIPAA guidelines, accreditation organizations require practices to implement policies and procedures that address patient record confidentiality and security.

For example, ABC includes the following among its accreditation standards:

  • “Your patient records must be reasonably protected from all risks. You must take appropriate measures to maintain backups of all patient data;” and
  • “Except as required by law, any records that contain patients’ clinical, technical, social and/or financial information must be treated in a confidential manner.”

ABC-accredited facility owners have the chance to ask specific data security questions and ask for suggestions during their onsite accreditation surveys.

“Our surveyors often act as consultants and suggest ways for the practice to assure that they are maintaining secure records,” Fletcher said. “We will discuss things like, how often passwords are changed, what is each work station’s time-out set and how the physical environment is set up to prevent individuals from accessing patient information.”

Similarly, BOC has policies on items such as visitor access control, protection of confidential information and Internet usage.

“Since BOC’s website provides resources that address the topic of data security, we do not receive many inquiries on this subject. One such resource is the ‘Information Management’ section of the BOC Standards Guide, which provides policies and procedures for managing digital and paper information and direct links to HIPAA security and privacy rules,” Miller said.

BOC’s website also includes contact information for its facility accreditation consultants, who can answer more specific data security questions.

In addition, Miller said, “If a practice has the financial resources to invest in professional data security expertise, compliance and information technology experts are available to supplement the guidance from BOC’s staff and website.”, a resource from The National Coordinator for Health Information Technology, offers tips for health care providers and employees about protecting patient data. Among its tips for organizations to manage mobile device use are a risk analysis to identify possible threats and vulnerabilities, and a risk management strategy to put mobile device safeguards in place. The website also advises all mobile device users who work in a health care practice to install and enable encryption for any health information; to make sure remote disabling of information is available in case the phone is lost or stolen; and to install firewalls and security software to block unauthorized access and protect the device from viruses and other attacks.


Management of office data

Once O&P facility owners determine which systems to use and ensure they are following basic privacy and confidentiality guidelines, the next step is to create policies and procedures for their specific practices.

“ABC encourages facilities to review these policies on an annual basis at the minimum. If there is a change in a computer system or software program, the staff should be educated on the new ways that data will be saved and protected,” Fletcher said.

During an onsite visit for accreditation, Fletcher said, “Organizations need to demonstrate that all their employees have been educated about protected health care information. They need to be able to show evidence that employees have been trained on company policies in regard to how they access and protect confidential information.”

Fletcher suggested using staff meeting minutes as documentation of staff training and dissemination of the company’s policies and procedures.

In addition to policies for handling data and privacy, Price said practices need to develop a data-breach crisis plan. HIPAA guidelines and data security compliance experts are the recommended sources to help develop this plan.

Price added, “The policies, [data-breach crisis] plan and training sessions should be updated as needed and included in the employee handbook.”

Sources agreed facilities also need to have consent forms available for use each time a photo or video is taken of a patient.

“Consent forms should provide the patient with the opportunity to give explicit permission and specify all limitations for use of each image, and should include a description of the image, how the image will be used and by whom, a signature line and a date of signature,” Miller said.

An example of a release form, provided by Fletcher, states: “The undersigned agrees consent to being photographed and/or videotaped for use in patient records and clinical evaluations. The undersigned understands that these images will only be used for clinical and educational purposes.”

Patients will need to sign an additional or modified form for any photos or videos the practice plans to send via email, post online or otherwise share. Even with a signed release form, O&P professionals should approach data sharing with caution.

Five steps an organization can take to manage mobile devices in a health care setting


“Sharing patient photos or video by email is not the best practice,” Fletcher said, adding that information should be encrypted and only sent through a cloud-based software program that is compliant with HIPAA and other protocols.

“If the O&P practice wants to share a video of a patient with a physical therapist, for example, the therapist would need to have a login and password to access the cloud-based video,” he said.

Photos and videos should be stored using a secure cloud-based platform or an EHR system with built-in security, “definitely not on the individual practitioner’s mobile device,” Fletcher added.

Dig deeper

Sources had extra recommendations for practices that can afford to pursue additional data security avenues.

“Assigning a HIPAA-compliance officer within a facility who is responsible for enforcing protected data [can be] beneficial,” Kuffel said.

Fletcher noted some practices may not be large enough to appoint a designated staff person to enforce HIPAA compliance; in this case, he said, “it may be worth checking into having a security risk assessment done.”

However, he noted, “Having the assessment done does not end a practice’s work. The assessment will typically provide a checklist of areas that need addressing. The real work begins in creating policies and procedures, and making sure they are implemented to address compliance with HIPAA.”

Price also suggested practice owners consult with their liability insurance providers to discuss cyber liability insurance.

“An insurance carrier is another resource that can advise business owners on data security to help them not only assess risk, but also improve their processes,” he said.


Insurance carriers also help business owners prepare for the worst.

“In the event there is a breach, cyber liability insurance coverage might help with the costs of defense, remediation and any communication/public relations services needed to address the situation with the public,” Price said.

Not every resource is a good fit for a particular facility, but sources all advised that companies use the resources of the owner’s choice to create a plan that ensures employees take necessary precautions at all times.

“Whether by implementing end-user data security awareness training, intrusion detection systems [or] vulnerability testing or engaging employee behavior monitoring programs, practices should invest the necessary resources to protect their data,” Price and Miller said. “If a breach does occur and practices have planned for such a crisis, the situation can be swiftly addressed and rectified.” – by Amanda Alexander

Disclosure: Fletcher, Kuffel, Miller and Price report no relevant financial disclosures.
