Readers Write 6/27/11

Submit your article of up to 500 words in length, subject to editing for clarity and brevity (please note: I run only original articles that have not appeared on any Web site or in any publication and I can’t use anything that looks like a commercial pitch). I’ll use a phony name for you unless you tell me otherwise. Thanks for sharing!

Will Meaningful Use and EMRs Help Jump the ACO Hurdle?
By Frank Poggio

The Accountable Care Organization (ACO) is the government’s latest attempt to improve quality of patient care and control the ever-escalating growth in healthcare costs. The Affordable Care Act (commonly known as the health reform law) encourages, via financial incentives and penalties, the formation of ACOs by organizing healthcare teams, technology, and knowledge around patient needs. 

As might be expected, there are many complex organizational, monetary, and other significant policy issues surrounding the ACO model of care delivery.

The ACO concept is not new to the healthcare world. In past decades, we called them PHOs (Physician Hospital Organizations) or HMOs (Health Maintenance Organizations).  Both of these in the 1980s and 1990s had only a small impact on healthcare costs. Many PHOs and some HMOs are still in existence today.

In fact, we have always had some form of ACO going as far back as 1939. For example, the Kaiser Health Plan, The Cleveland Clinic, Sharp HealthCare, Geisinger Clinic, and many others are basically ACOs. If they include an insurance component, they are more like an HMO.

The simplest definition of an ACO is a health care delivery system where the physicians and hospitals work under one corporation, have one set of synchronized patient objectives, and share in the profits  and losses from normal operations. Medicare wants doctors and hospitals to work together and accept one payment for all levels of care and accept the responsibility for coordinating the care of the patient across all modalities of care. 

Where ACOs work and why

The concept has worked at Mayo, Kaiser, and Cleveland Clinic because the attending docs are part owners of the hospital. They get paid a salary and bonus based on both the performance of their practice and the performance of the hospital and other health services.

For example, the physicians readily accept that fewer support staff will save the hospital money, which in turn could result in a year-end monetary bonus while hopefully improving patient care. That, in turn, can lead to more patient referrals and more revenues. The same is true for ordering fewer tests or procedures. Fewer tests equal less costs, and under a fixed payment system like Medicare DRGs, that means more profit.
 
But today, the independent physician makes his or her money seeing as many patients in his or her office as possible. The hospital is just a cost-neutral and convenient place for physicians to perform complex procedures. If an ACO is that simple and beneficial, why are there so few of them?

How did we get here?

Today and for the past half century, we have been in a situation where the person most responsible for “product definition” and most responsible for “bringing in the business” is not an employee of the hospital. That person is the attending physician, or sometimes called the independent practitioner.

It goes back to the establishment of the AMA and the AHA in the early 20th century. Both of these groups were focused on increasing utilization of hospital and medical services. Even at that time, just as today, medical care was relatively expensive. To drum up business, they both came up with the idea to sell a medical insurance policy.

Rather than work together, around 1940, the AMA founded Blue Shield and the AHA started Blue Cross. Each had similar, yet different objectives. Keep in mind that almost all doctors in the early part of the 20th century were independent practitioners and hospitals were places to be avoided.

In 1966, along came Medicare. If you go back and study the legislation of the day, you will find that physicians fought Medicare with a vengeance and wanted no part of the government or the institutional side of the package. Of course today, if you tried to take Medicare away, you’d have a rebellion — and not just from seniors. Medicare in 1966 solidified the doctor-hospital split via separate payment systems by creating Medicare Part A for hospital payments and Part B for physician payments.

Then in 1972, as the health insurance industry matured, the Federal Trade Commission became concerned that doctors and hospitals selling insurance was a little to cozy. The AMA had to spin off Blue Shield and AHA split with Blue Cross. Later, as the Blues saw themselves more as insurance companies than part of the medical establishment, many of the Blues merged and eventually morphed into today’s United Health, Wellpoint, etc.

To drive the hospital-physician wedge deeper, in 1993, Congress passed OBRA, which contained the infamous Stark amendment. The Stark amendment made it a crime for doctors to refer patients to a hospital in which they had a financial interest. The feds saw this as a conflict of interest that would drive up healthcare costs. 

The structure we have today — full physician independence — has been around a very long time. It has been repeatedly fortified through separate provider and piecework-based payment systems.

That raises today’s big question: who is accountable for all the care a patient receives? 
 
How can we create more ACOs?

Now, after more than a half century, the government has come to the conclusion that doctors working separately from hospitals with separate payment systems and different incentives is a counterproductive operating model. (too bad we didn’t see that coming when we initiated the Medicare-Medicaid systems.)

Under the duress of a very large federal deficit (in part, a result of healthcare costs), we are trying to reverse 70 years of misdirected legal and financial incentives. Under an ACO, the feds want both parties to work together, share the payments, and share the risks.

The ACO statute of April 2011 lists the following provider combinations as potentially eligible ACOs:

1. ACO professionals in formal group practice arrangements.
2. Networks of individual practices of ACO professionals.
3. Partnerships or joint venture arrangements between hospitals and ACO professionals.
4. Hospitals employing ACO professionals.
5. Such other groups of providers of services and suppliers as the Secretary determines appropriate.

Combinations 2 and 3 are what I call the “virtual’”ACO. Combinations 1 and 4 are more like the PHO/HMO of the past, or the Mayo model.

As stated by CMS, ACO compliance with the requirement to reduce costs and improve care may involve a range of strategies, which they state includes the following examples:

• A capability to use predictive modeling to anticipate likely care needs.
• Utilization of case managers in primary care offices.
• Having a specific transition of care program that includes clear guidance and instructions for patients, their families, and their caregivers.
• Remote monitoring.
• Telehealth.
• The establishment and use of health information technology, including electronic health records and an electronic health information exchange, to enable the provision of a beneficiary’s summary of care record during transitions of care both within and outside of the ACO.

Promote the virtual ACO

As can be seen from the compliance strategies, CMS is leaning heavily on HIT and EMR to help avoid some very difficult political battles. As an interim step, they are encouraging hospitals and physician groups to use EMR systems to build and support a virtual ACO.

In this scenario, the physician and the hospital would remain corporately separate, but the patient information and the payment would be shared. This dovetails with the new federal HITECH Act that promotes EMRs and stronger coordination of care via interoperability.

CMS has defined the five levels of ACOs and has set target dates for providers to achieve one of the levels. If a provider organization achieves an ACO level during the next five years, they will get a financial bonus. If they don’t, their Medicare payments will be reduced. Sounds like MU all over again.

Initially, the AMA was indifferent towards the ACO concept. AHA gave it mild support. But after CMS issued draft regulations in April noting the bonus-penalty provisions and the shared payment component, both associations came out strongly against it.

Of course, the 800-pound gorilla is who should run the ACOs, physicians or hospital executives? If there’s to be a single payment for Medicare patient services to the ACO, how do you split that payment?

CMS is staying out of this battle and leaving it to the docs and hospitals to fight it out. To say the least, AMA probably views it as the death knell for the independent physician practice, and AHA may see it as the surrendering of institutional autonomy to physicians.

I think it will be a long arduous road getting to real ACOs. Remember, the overall objective is to reduce the costs of healthcare. According to a CMS analysis of the proposed regulation, Medicare could potentially save as much as $2 billion over the first three years, so somebody’s ox has to get gored.

But as we stumble down this long and very bumpy road, I believe in the early years, the focus will be on the virtual ACO. The CIO’s office will be right in the middle of it. If you look at the Meaningful Use criteria for CCR, CCD, and interoperability, the first hurdle is staring us in the face.

Frank Poggio is president of The Kelzon Group.

During the first quarter of 2011 alone, there were media reports of inappropriate access to electronic Personal Health Information (e-PHI) of four sizeable healthcare organizations. This is damaging in terms of public relations, patient confidence, possible revenue loss, and increased costs to protect patients with exposed identifying details. It seems that many organizations are overlooking or delaying the need to perform a security risk assessment.

Yet under the HITECH Act, one of the core Meaningful Use measures is the requirement to “Conduct or review a security risk analysis … and implement security updates as necessary, and correct identified security deficiencies prior to or during the EHR reporting period to meet this measure.”

This measure is, therefore, a key task healthcare providers must conduct before attesting to their ability to meet Stage 1 requirements. Additionally, the risk analysis requirement in the HIPAA Security Rule is not only an integral part of meeting Meaningful Use for HITECH, but also for being in compliance with the law.

A risk analysis is the very foundation from which to build your information security compliance program. A security risk analysis should be conducted with active participation of internal auditors, IT leadership, and IT subject matter experts.

The Office for Civil Rights (OCR), the security watchdog for the Department of Health and Human Services (HHS), suggests that a covered entity use the National Institute of Standards and Technology (NIST) risk-based approach for doing a risk analysis, which encompasses nine primary steps:

1. System characterization to fully understand key technology components in your infrastructure.
2. Threat identification.
3. Vulnerability identification.
4. Controls analysis to assess the capabilities of your existing set of controls to meet your environment’s needs
5. Likelihood determination to assign likelihoods, considering the threat motivation and ability, the nature of the vulnerability, and current and planned controls
6. Impact analysis to analyze that impact, considering for each system the effects of lost confidentiality, integrity, or availability, and the effect of any current or planned mitigating controls
7. Risk determination, a combination of the impact rating and the likelihood determination
8. Control recommendations, a roadmap for planning controls for future implementation
9. Results documentation.

To prepare for Meaningful Use attestation, it is recommended to conduct the security risk analysis at both the technical design and system build phase when implementing a new EHR system. Additionally, it will be important to update the risk analysis further on in the MU Roadmap approximately four months prior to go-live.

As ongoing changes happen, new risk occurs. An annual risk assessment should become part of the compliance process; that is, the risk assessment can be merely updated as an addendum and not as an overbearing intrusion that competes with other organizational needs. A regular review of your risk posture is what is required to protect e-PHI. Too many new threat vectors and vulnerabilities are introduced into information environments each day. A reasoned, systematic, and consistent approach will help to achieve your organizational goals.

Spurred by the HITECH Act, the healthcare industry is embracing EHRs at an accelerating rate. This move carries with it a need for heightened responsibility since digital information can be copied, transmitted, or used so easily. As such, the risk accruing from this transition to electronic records must be well understood.

In its passage of HITECH, the US Congress took special consideration to note that security and privacy of patient records should be a paramount concern. In essence, HHS recognizes that the very success of the HITECH program rests in part on patients’ ability to trust provider information systems with sensitive information.

Jeff White is a principal with Aspen Advisors of Pittsburgh, PA.