Title: External Environment and Government Policy
1. External Environment and Government Policy
2. Learning objectives
- Understand the justification for government intervention in business
- List 5 ways government intervenes in the business of health care
- And why we need government to invest in IM technology for health care
3. Learning objectives
- Describe 8 components of HIPAA
- Health Insurance Portability and Accountability Act
- Know how to assess an organization's readiness for transactions and code set development
- And know what transactions and code set development are
4. Learning objectives
- Say why privacy and security are important
- And what IM's role is
- Know 4 questions to answer in making privacy policy
- Describe IM leadership's role in responding to legislation
- Apparently, this is response within the organization, not response to the outside world.
5. Justification for government intervention in business processes
- Fix market failure
- Allocative efficiency
- Public goods
- Externalities
- Imperfect information
- Monopoly prevention and competition promotion
- Distributive equity (fairness)
- Make health care a right
6. 5 major ways government intervenes
- Public goods: medical research
- External costs: medical waste control
- and benefits
- Correct information problems: FDA
- Anti-monopoly, pro-competition: antitrust laws enforced by the Justice Dept. and the Federal Trade Commission (hospital mergers, for example)
7. 6 major ways government intervenes
- Redistribution programs: Medicare and Medicaid
- Operates public enterprises: VA hospitals
8. Why we need government to help pay for IM technology
- Market doesn't force it
- Hospitals don't get paid for being more efficient
- External benefit of uniform standards for data and its communication
9. 8 components of HIPAA's administrative simplification requirements
- http://www.cms.hhs.gov/hipaaGenInfo/
- Employer identifier standard
- Each employer gets a number
- (employer role in providing health insurance)
- Enforcement: civil and criminal penalties for non-compliance
- National provider identifier standard
- Each provider gets a number
10. 8 components of HIPAA's administrative simplification requirements
- Security standard for data handling
- Transaction and code sets standards
- Transaction: moving data from one person to another. E.g. sending a bill to a payer
- Code set: e.g. ICD-10 future? ICD-9?
- Service setting codes, indicating the type of institution giving the service
- Health insurance reform: portable insurance
- Medicaid HIPAA Administrative Simplification
11. Is your organization ready for transaction and code set development?
- CMS has a web page: http://www.cms.hhs.gov/EducationMaterials/Downloads/HIPAAChecklist.pdf
12. IT's role in security and privacy
- Sensitive info about patients: health care info tech
- Personal info about employees: HR
- Proprietary and strategic information: decision-support and financial systems
13. IT's role in security and privacy
- Sensitive info about patients: health care info tech
- Patient-care operations
- Public health information systems
- Credible assurance of confidentiality encourages compliance or showing up to get help
- Medical research information system
- Institution review board
- Privacy and security requirements
14. 4 keys to privacy policy
- Who has access to patient data
- What patient data is accessible (by whom?)
- What are OK purposes for obtaining patient data
- What circumstances justify obtaining patient data
15. The CIO's role in responding to legislation
- Environmental Scanning
- scope and breadth of the coming legislation
- industry associations help with this (lobbying)
- organization's readiness to comply
- gap analysis
- and Organizational Education
16. The CIO's role in responding to legislation
- and Organizational Education
- Recommending strategies to respond to legislation
- staff and expertise you'll need
- hardware and software you'll need
- clinical resources
- timeline for your compliance
17. NGT
- http://www.joe.org/joe/1984march/iw2.php
18. The CIO's role
- Information Security Policies and Procedures
- Planning for system failures, whether internal or due to natural or man-made disaster
- 3. disaster protection and recovery
- Controlling who accesses what information
19. 4. Protecting info privacy
- Physical security
- Technical controls
- Management policies
21. Mayo Clinic model policy framework
- Access rights: who may access data
- And for what reasons
- Release of info to patient, outside providers, payers, and others
- Special handling for particularly sensitive conditions
- (continues)
22. Mayo Clinic model policy framework
- Special handling for particularly sensitive individuals
- Employees
- Public figures
- Retention of medical information, what and for how long
- Data integrity (continues)
23. Mayo Clinic model policy framework
- Data integrity
- Authentication: entered correctly?
- Completeness: anything important missing?
- Revision handling
- Approved methods for communication
- (means like phone, letter, or e-mail?)
24. Summary