Protecting a patient’s privacy is a top priority for medical practices. As technologies advance and HIPAA laws tighten, healthcare leaders need to be aware of how these technologies may affect their industry.
According to Healthcare Analytics Review, the most common way health systems are failing to protect data is “how the data flow(s) through the environment and the risks of each step.” New technologies, such as wearable smart watches and voice assistants like Alexa and Siri, are affecting how health systems meet with their patients.
The issue with wearable smart watches is that the data collected by the watches, such as calories consumed, steps taken, and heart rate, are not protected by HIPAA. But a problem may arise, according to Healthcare Analytics Review, when a patient wears a Fitbit and “downloads a smartwatch app that monitors health data points that are then integrated into an electronic health record.”
By taking it to this next step, the article states, “the developer is generating, collecting, storing, and sharing data on behalf of a covered entity – and, as a business associate, it must abide by HIPAA.”
Similarly, voice assistant technologies like Alexa and Siri do not currently comply with HIPAA. The most important thing to remember as a health system is that with the ever-expanding realm of technology, there needs to be a heightened awareness of how it can affect one’s HIPAA compliance.
Want to learn more about how technology is affecting the healthcare industry? Click on this MGMA Insight Article.
November’s election results are set to shake up healthcare in Wisconsin. But how far will Democrat Gov.-elect Tony Evers be able to go with a Republican Legislature? What are the chances of campaign promises like expanding Medicaid? And where are there areas for compromise?
On Dec. 11, we’re assembling some of the state’s best political and healthcare reporters to recap the year’s biggest stories, dissect the potential healthcare impact of the elections and preview the most important stories for 2019.
Registration is now open for the WMGMA 2019 Quarterly Payer Forums. New in 2019, the start time will be 10:00 a.m. There is a new location, the UW Health - Administrative Office in Middleton, WI. Members are invited to submit their questions the month prior by the 1st of the month.
March 18, 2019
June 17, 2019
September 16, 2019
December 16, 2019
The new and revised LCDs and articles were published in July, August, September and October 2018. Click on the links below to view the documents.
LCDs and Articles New Revised and Retired July - August 2018
LCDs and Articles New Revised and Retired August - September 2018
LCDs and Articles New Revised and Retired October 2018
Incorporating a well-trained Chief Privacy Officer (CPO) into your practice demonstrates that you are aware of the complexities your practice faces in this rapidly changing privacy and security environment. It is not only an investment in the successful, and profitable, operation of your practice, but also signals your willingness to embrace privacy and security complexities and prepare for the future, while reinforcing a message of respect for your patients’ privacy. When you hire a qualified CPO, you build trust with your patients and send a message that your practice values and invests in their privacy.
November 15, 12:00 p.m.
ACMPE Update
Submitted by Tom Ludwig, RN, FACMPE
WMGMA ACMPE Forum Rep
Congratulations to the two newest Certified Medical Practice Executives from Wisconsin!
ACMPE 2019 Program Enhancements – Bachelor’s Degree Requirement
For Nominees pursuing Certification
If you do NOT hold a bachelor’s degree or have 120 college credit hours by Dec. 31, 2018, you will need to:
If you have a bachelor’s degree or 120 college credits, or are currently in the process of completing your degree, you will remain as a nominee and will need to begin working toward the following starting on Jan. 1, 2019:
For CMPEs pursuing Fellowship
If you do NOT hold a bachelor’s degree by Dec. 31, 2018, you will need to:
If you have a bachelor’s degree AND seven years of healthcare management AND two years in a leadership role; OR if you have a master’s degree with five years management, AND two years in a leadership role, you will need to begin work on the following starting Jan. 1, 2019:
MGMA-ACMPE Membership Incentives
Purchase MGMA membership plus the board certification application in one bundle and SAVE $50! Contact the national office at 877.275.6462 for details.
MGMA Website Updates (MGMA.org)
For more information about ACMPE Certification and Fellowship, please contact me at firstname.lastname@example.org.
This article originally appeared in the October 2018 MGMA Connection magazine. By David Finn
The healthcare industry in the United States has experienced its fair share of cyber incidents — from ransomware to distributed denial of service (DDoS) attacks and data breaches — in recent years. Breaches alone cost the healthcare sector $6.2 billion each year, and a single data breach (across all sectors) costs $4 million.
In healthcare, these costs include forensics, breach notification, lawsuits, fines and remediation costs. They also include diminished brand value and lost revenue. The latter is a bit easier to identify. Organizations know what their financial run rates were historically and leading up to the event, so short-term financial losses after the incident can be extrapolated. On the other hand, brand value can be hard to estimate because reputation is not a tangible asset.
That’s why it’s important for practice leaders to better understand potential intangible losses caused by a cyber incident or data breach. A 2017 study found that 45% of IT practitioners and 42% of chief marketing officers did not believe their senior management understood the importance of preserving their company’s reputation.
For large, publicly traded companies, stock prices drop an average of 5% immediately after a data breach is disclosed, but it’s not as easy to quantify for an industry in which many of the largest providers are private, not-for-profit organizations. Healthcare runs on trust. If patient trust is lost, those patients may walk if they have alternatives, which can result in a significant loss of revenue.
This threat goes beyond breaches, too. In 2014, Boston Children’s Hospital experienced a DDoS attack by the hacker group Anonymous following treatment of a young patient who was removed from her parents’ care by the state. While the hospital never closed, it had to shut down external websites as the attack continued. The incident happened during an annual fundraising event and shut down a website for sourced donations. “This was not a tens of thousands of dollars thing, it was significantly more than that,” the chief information officer said of the incident. The loss was significant enough that Boston Children’s filed a claim against the hospital’s cyberinsurance carrier for the event; however, because there was no breach of data, the underwriter didn’t process the claim. The hospital was able to protect patient data and avoid a breach, despite the financial impacts.
The loss of patients is another way cyber incidents can adversely affect a practice. One study indicated that 54% of patients said they would be very or moderately likely to change providers after a security data breach involving their personal health information. Patients in that survey also said they would be most likely to switch providers if practice staff had caused the breach.
A separate study by TransUnion Healthcare found similar results: 65% of patients would be likely to switch providers after a data breach.
Changing providers may not be the worst news from the TransUnion study, however. Nearly one-quarter of respondents reported that security concerns inhibit their communications with their doctor: 9% said they always or often withhold personal health information and another 12% indicated that security concerns could lead them to withhold information from their doctors.
If caregivers don’t get a full picture of their patients’ history, treatment won’t be as effective and may actually be inappropriate and cause harm.
On top of this, an analysis of Department of Health and Human Services and Centers for Medicare & Medicaid Services data suggests more than 2,100 patient deaths annually could be attributed to hospital data breaches.
The study compared patient-care metrics at hospitals that have experienced a data breach to those that have not. One of the metrics was the proportion of patients who suffered a heart attack and died within 30 days of admission to a hospital. Analysis found the rate of patient deaths increased by 0.23% one year after a breach and by 0.36% two years after a breach — roughly 2,160 additional deaths per year. Researchers explained that a data breach both diverts funds from patient care and distracts physicians for years after the event. Disruption from remediation activities, regulatory inquiries, litigation and more can occur for years after the breach and result in delays to services that translate to quality of care issues.
The best way for organizations to reduce their risk and improve their ability to respond is by adopting a cybersecurity framework. The most widely adopted framework in healthcare is the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). Using this framework, organizations can create a risk-based, comprehensive and current approach to information protection and cybersecurity.
A 2018 study on cyber threats evaluated hundreds of facilities, including physician practices, against the NIST CSF on a six-point scale ranging from 0 or “incomplete” to 5, which indicates an “optimized process.” The findings showed that physician practices scored an average of 2.0 and 1.8, respectively, in the areas of “respond” and “recover,” compared to scores of 2.6 and 2.5 for hospitals/health systems and 2.8 and 2.9 for business associates.
Taking proper actions immediately after a cyber incident or data breach can reduce fallout. The better prepared your organization is, the sooner it will be able to identify the incident, what’s been affected, ways to limit its scope, what to do and how to respond — internally and externally — and how to recover from the event.
Published by the U.S. National Institute of Standards and Technology in 2014, the CSF offers guidance on assessing and improving private-sector organizations’ ability to prevent, detect and respond to cyberattacks.
Updated most recently in April, the core of the CSF is defined by five key functions applicable to any organization. Those functions contain various categories relevant to cybersecurity:
1. Identify: Asset management, business environment, governance, risk assessment and risk management strategy
2. Protect: Access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology
3. Detect: Anomalies and events, security continuous monitoring and detection processes
4. Respond: Response planning, communications, analysis, mitigation and improvements
5. Recover: Recovery planning, improvements and communications
Adoption of the CSF often leads to development of a “current profile” of an organization’s cybersecurity work, which provides a baseline for a “target profile” of improvements.
Contact David at David.email@example.com.
Join us on October 29 for a webinar with Jackson Physician Search. With the physician shortage acute and intensifying, how do some organizations consistently outperform all others? Competition for talent in key specialties can make recruiting top physicians expensive and time-consuming. Healthcare executives are challenged to strategically meet their communities’ needs while physician recruiters must fill positions faster, more efficiently and at less cost than ever.
The solution can be found in “three smart moves” that will help you:
Join us Oct. 9 for our annual insurance CEO roundtable. Leaders will discuss the most pressing issues facing their industry, including the fate of the Affordable Care Act, prescription drug prices, value-based payments and more.
The event is Tuesday, October 9 at the Wisconsin Club in Milwaukee (11:30am – 1pm). Register now (link).
Wisconsin Medical Management Group Association
563 Carter Court, Suite B, Kimberly, WI 54136
920-560-5621 / 800-762-8968
WMGMA@Badgerbay.co
Mission: To be a resource for information, education, networking, and advocacy opportunities for all medical group management professionals.