Taking the lead on health care data integrity

Health care IT providers may hold the key for keeping up with the greatly expanded expectations of legislators, regulators and the public. This article is part of a special report by Grant Thornton and TechAmerica, “Health IT: Trust first, then transformative growth.”

Laws like the Patient Protection and Affordable Care Act (PPACA), the Health Insurance Portability and Accountability Act (HIPAA), and the American Recovery and Reinvestment Act (ARRA) have added reporting requirements that are far beyond what health care providers and their IT systems were designed to handle. Those providing health care IT services, whether internally or externally, can and should fill the gap by taking the lead on finding and implementing effective solutions.

Technology provides the backbone for health care organizations, enabling complex hospital systems to track treatment outcomes and fulfill reporting requirements. Interactive solutions link health plans and payors, ensuring the proper payments are made and enabling programs like PPACA health exchanges. And the expanding use of electronic medical records is creating new information links between patients and their care networks.

At the same time, the fast pace of regulatory changes has left many health care organizations struggling to keep up. The U.S. has major health systems and hospital networks of all sizes, but none are large enough to provide an overall, integrated solution to reducing IT and regulatory risks.

Fast fact: Hospitals generated $883.2 billion in revenue in 2013, an amount that is expected to grow 3.9% annually through 2018.[1] Despite the market’s size, the largest provider commands only 5% of industry revenue — far less than the dominant participants in other industries.

This may change as the PPACA takes hold, which is likely to drive down prices and reduce reimbursements, creating incentives for hospitals to form larger and more integrated IT systems. Health care industry mergers and acquisitions rose 4% in the fourth quarter of 2013, and the total deal value of $43.6 billion represented a 79% increase from the fourth quarter of 2012.[2] These new, consolidated providers are likely to include accountable care organizations — with incentives for bundled payments and quality of care — with the result being an increase in IT cohesiveness as these larger organizations create synergies to meet regulatory challenges.

This transformation is years away, however. For now, health care IT providers have the opportunity to take the lead on addressing the challenges that threaten to hold back data integrity advancements.

Data integrity needs don’t end there
New regulations and industry fragmentation are not the only major challenges to maintaining data integrity. The following areas are also of particular concern to health care providers:
  • Data breaches — Since 2009, more than 29 million patient health records have been compromised in data breaches, and the number of records breached between 2012 and 2014 has increased by 138%. Reporting of breaches has increased since the HIPAA regulations impacting business associates took effect in fall 2013. Unfortunately, it’s still likely that many breaches go unreported or even undetected.
  • Third parties — Hospitals have the responsibility for data stewardship, even if they do not own the infrastructure or manage all the resources involved. The need for broader, more scalable technology means organizations increasingly rely on third parties for data infrastructure, management and applications. But as the role of third parties has increased, the rules and penalties around them have grown exponentially.
  • Accessibility and portability expectations — Many health care IT departments are juggling the protection of data networks while working to make the data more accessible to patients and providers. “We need to make sure that the providers’ environment is secure, but you need to demonstrate the reliability, curability and scalability of the technology,” says David Reitzel, national leader of Grant Thornton’s Health Care Advisory Services practice. “You need patient data that is secure, accurate, searchable and accessible in multiple environments, but that’s extremely challenging to promote.”
  • Multiple data providers — Six hundred different companies, ranging from health care claim clearinghouses to provider billing services, currently collect electronic medical data. Patients visiting a doctor’s office often have no idea who is handling the data, how well it’s protected, or even whether it’s accurate. Many of these companies are also facing the threat of consolidation, which can add to the complexity as companies combine data systems. “We’re not talking simply about the integration of health providers and IT companies. You also have the insurance companies who are part of the mix, and they have all the transaction data,” says Lisa Walkush, National Life Sciences Advisory Leader. “We’re looking at a holistic health care environment, and you have to take into account all of these parties.”
IT may help provide better governmental oversight
The government’s responsibility to deliver health care data integrity is under pressure. Performance issues, negative publicity, political posturing and public skepticism have added to the challenge. “The good news is that technology is the vehicle to drive very big shifts in the government’s role in health care,” says Tom Cocozza, health care IT leader for Grant Thornton’s Global Public Sector practice. “The government has the scale and ability to effect real change in its own systems, which can serve as an example and a template for private change.”

Data breaches
A data breach of protected health information has occurred if any of the following are true:
  • The patient is identifiable by the data.
  • The person accessing the information is not an authorized user.
  • The information is not for a legitimate and/or allowable purpose.

Grant Thornton is part of the solution
Grant Thornton is helping the National Institutes of Health (NIH) implement a third-party system that will allow it to bill insurers for elective procedures that patients receive at NIH facilities. The move, which comes in response to budget pressures, represents a cultural change for the NIH, which has not had to deal with issues such as billing and insurance claims in the past.

The Department of Veterans Affairs (VA) and the Department of Defense have attempted to provide some form of leadership, with mixed results so far. The goal is to improve access, cost-effectiveness and quality of care while reducing duplicate programs. However, neither agency has managed to crack the code on these improvements. Both have struggled with IT delays and other issues as they develop collaborative programs such as the Captain James A. Lovell Federal Health Care Center in Chicago.[3] The VA is implementing a payor system for care that’s administered externally, which requires community providers to bill the VA. The VA receives a higher percentage of paper claims than many private providers, and the new regulations are pushing it to embrace updated billing and claims protocols.

Regulation is at the heart of change
Regulation is what drives IT’s increasingly critical role in the health care industry. For example, last year the Department of Health and Human Services implemented changes in the HIPAA Omnibus Rule[4] that broadened the definition of a “business associate,” setting new limits on how data may be used, redefining what constitutes a data breach and establishing new civil penalties for violations. Additionally, covered entities and their business associates are prohibited from selling patient information without the patient’s permission or receiving remuneration for protected information. These changes place greater burdens on health care IT providers, and underscore the need to develop strong risk management procedures to mitigate penalties and reputational risks.

Another potential compliance pitfall comes from the ARRA, which calls for hospitals to create a personal health record for every American by the end of 2014. According to the Centers for Medicare & Medicaid Services, funding for the program will be distributed over 10 years, and hospitals that fail to comply by Jan. 1, 2015, may lose as much as 1% of their Medicare reimbursements per year.[5]

Rules for mobile devices present further challenges. PPACA, HIPAA, ARRA, Tricare and FDA rules for these devices have created a dizzying array of regulations and policies at the federal, state, local and commercial levels. Unfortunately, these policies can be inconsistent, complex and even contradictory; more work needs to be done to integrate requirements.

“In health care, there are conflicting ideals,” explains Kathy Baird, vice president and general manager for Engility Corp. “You have to secure certain components of the data — but not all of it — because that flies in the face of data sharing.” Improved data standardization among providers, payors and the government will better coordinate the sharing of data, while maintaining a more comprehensive level of security, Baird advises.

Adding to the confusion, many regulations have not kept pace with technological advances. For example, with the expansion of personal search options, biopharmaceutical companies face significant restrictions on how they can communicate scientific information to the public about their products, including medically accepted alternative, or off-label, uses of approved medicines. Conveying this information to physicians and providers is one thing, but sharing it with patients is another.

Health care IT companies as leaders
Health care IT companies have an opportunity to lead in the face of a fragmented health care ecosystem — doing so will increase technology adoption, fueling growth for health care IT products and services. Most importantly, finding efficiencies can contribute to the public good by helping to improve outcomes and lower costs. While the government keeps issuing new regulations — sometimes with conflicting requirements — only a small fraction of these are about integrating, consolidating or finding efficiencies across the regulatory spectrum. If this continues, the challenge will become even greater.

Health care IT companies can effect change by:

  1. Working to educate the legislative and executive branches on options for effective and practical policies
  2. Engaging the health care delivery and insurer communities to identify solutions and promote best practices that further strengthen the foundations for trust
  3. Working with patient and industry advocacy and research groups and think tanks to promote a robust and informed discussion of the benefits and concerns that threaten trust

Active leadership in implementing new and existing regulations is an important role for health care IT providers — one that they must step up and take on to create efficiencies and maintain public trust.

Copyright 2015 Grant Thornton LLP and TechAmerica.

[1] Kaulkin Ginsberg. “Market Segment in Focus: Non-Profit Hospitals,” April 10, 2014.
[2] Irving Levin Associates Inc. “Health Care M&A Deal Volume Ends 2013 on a High Note, According to Health Care M&A News,” Feb. 3, 2014.
[3] U.S. Government Accountability Office. “VA/DOD Federal Health Care Center: Costly Information Technology Delays Continue and Evaluation Plan Lacking,” GAO-12-669, June 26, 2012.
[4] Department of Health and Human Services. “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” Federal Register, Vol. 78, No. 17, Jan. 25, 2013.
[5] Centers for Medicare & Medicaid Services. “Payment Adjustments & Hardship Exceptions Tipsheet for Eligible Professionals,” August 2014.