External Environment and Government Policy

1
External Environment and Government Policy

• HSPM J713

2
Learning objectives

• Understand the justification for government
  intervention in business
• List 5 ways government intervenes in the business
  of health care
• And why we need government to invest in IM
  technology for health care

3
Learning objectives

• Describe 8 components of HIPAA
• Health insurance Portability and Accountability
  Act
• Know how to assess an organizations readiness
  for transactions and code set development
• And know what transactions and code set
  development are

4
Learning objectives

• Say why privacy and security are important
• And what IMs role is
• Know 4 questions to answer in making privacy
  policy
• Describe IM leaderships role in responding to
  legislation
• Apparently, this is response within the
  organization, not response to the outside world.

5
Justification for government intervention in
business processes

• Fix market failure
• Allocative efficiency
• Public goods
• Externalities
• Imperfect information
• Monopoly prevention and competition promotion
• Distributive equity (fairness)
• Make health care a right

6
5 major ways government intervenes

• Public goods medical research
• External costs medical waste control
• and benefits
• Correct information problems FDA
• Anti-monopoly, pro-competition Antitrust laws
  enforced by the Justice Dept. and the Federal
  Trade Commission hospital mergers, for example

7
6 major ways government intervenes

• Redistribution programs Medicare and Medicaid
• Operates public enterprises VA hospitals

8
Why we need government to help pay for IM
technology

• Market doesnt force it
• Hospitals dont get paid for being more efficient
• External benefit of uniform standards for data
  and its communication

9
8 components of HIPAAs administrative
simplification requirements

• http//www.cms.hhs.gov/hipaaGenInfo/
• Employer identifier standard
• Each employer gets a number
• (employer role in providing health insurance)
• Enforcement civil and criminal penalties for
  non-compliance
• National provider identifies standard
• Each provider gets a number

10
8 components of HIPAAs administrative
simplification requirements

• Security standard for data handling
• Transaction and code sets standards
• Transaction moving data from one person to
  another. E.g. sending a bill to a payer
• Code set e.g. ICD-10 future? ICD-9?
• Service setting codes, indicating the type of
  institution giving the service
• Health insurance reform portable insurance
• Medicaid HIPAA Administrative Simplification

11
Is your organization ready for transaction and
code set development?

• CMS has a web page http//www.cms.hhs.gov/Educatio
  nMaterials/Downloads/HIPAAChecklist.pdf

12
ITs role in security and privacy

• Sensitive info about patients health care info
  tech
• Personal info about employees HR
• Proprietary and strategic information
  decision-support and financial systems

13
ITs role in security and privacy

• Sensitive info about patients health care info
  tech
• Patient-care operations
• Public health information systems
• Credible assurance of confidentiality encourages
  compliance or showing up to get help
• Medical research information system
• Institution review board
• Privacy and security requirements

14
4 keys to privacy policy

• Who has access to patient data
• What patient data is accessible (by whom?)
• What are OK purposes for obtaining patient data
• What circumstances justify obtaining patient data

15
The CIOs role in responding to legislation

• Environmental Scanning
• scope and breadth of the coming legislation
• industry associations help with this (lobbying)
• organizations readiness to comply
• gap analysis
• and Organizational Education

16
The CIOs role in responding to legislation

• and Organizational Education
• Recommending strategies to respond to legislation
• staff and expertise youll need
• hardware and software youll need
• clinical resources
• timeline for your compliance

17
NGT

• http//www.joe.org/joe/1984march/iw2.php

18
The CIOs role

• Information Security Policies and Procedures
• Planning for system failures, whether internal or
  due to natural or man-made disaster
• -- 3. disaster protection and recovery
• Controlling who accesses what information

19
4. Protecting info privacy

• Physical security
• Technical controls
• Management policies

20

21
Mayo Clinic model policy framework

• Access rights who may access data
• And for what reasons
• Release of info to patient, outside providers,
  payers, and others
• Special handling for particularly sensitive
  conditions
• (continues)

22
Mayo Clinic model policy framework

• Special handling for particularly sensitive
  individuals
• Employees
• Public figures
• Retention of medical information, what and for
  how long
• Data integrity (continues)

23
Mayo Clinic model policy framework

• Data integrity
• Authentication entered correctly?
• Completeness anything important missing?
• Revision handling
• Approved methods for communication
• (means like phone, letter, or e-mail?)

24
Summary