By Pat Speer

As financial pressures mount, some insurers are suspending - and sometimes killing - major IT initiatives, save privacy and security technologies. But some health care insurers are deploying these technologies to not only secure transmissions, but improve how they conduct business with their network partners, third-party administrators, providers, subscribers and even members.

When the Health and Human Services Office of Inspector General (HHS OIG) conducted surprise HIPPA audits during 2007 and 2008, health care organizations across the value chain realized as never before the importance of treating the mandate of delivering privacy, security and compliance as mission-critical.

Further, the Federal Trade Commission's Identity Theft Red Flag rules have been expanded downstream to include the health care provider, making it clear that similar mandates are flowing up and down the supply chain. Under the rules, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.

"This is the great challenge," says Merit Smith, VP and director of the health care practice at Robert E. Nolan, a Simsbury, Conn. consulting firm. "Regulators' approach and tolerance to Personal Health Information (PHI) security breaches has changed, and it's putting a lot of pressure on IT in terms of keeping systems up to speed yet safe and secure."

Smith says the number of privacy breaches that could be documented prior to the implementation of the privacy regulations amounted to a couple of thousand per year on about a trillion transactions, making the issue relatively inconsequential. "About 80% of those were misdirected faxes," he says, "so it's easy to compromise records, and it often occurs by accident. Tragically, breaches of all kinds (such as posting clinical test results on the Internet) have become more commonplace - everyone's tolerance for that has worn thin."

The environment that houses, transmits or touches sensitive data is becoming more complicated by the day, Smith adds. "We've fragmented our support systems - some are in Bangalore, some in Prague and some in people's homes," he says. "IT can deal with each challenge, but the complexity of sourcing, outsourcing and subcontracting is harder to manage, and harder to make sure you got it right."

All of this puts more stress on a health insurer's IT staff, which already is dealing with the multiple pressures of industry-wide competition, a complex, layered federation of stakeholders, a patient/member base that is hungry for control of their own health records, and the budget-cutting trickle down effect of liquidity and credit crisis issues.

Reaction to these issues typically means a call to action; health insurers are retrenching, reviewing their existing working environments and enterprises to determine if their business strategies remain sound.

In some cases, this exercise may bring to light best practices for ensuring the security and integrity of health information across the enterprise and/or the network. In all cases, it's likely to reinforce a "do more with less" mandate, forcing insurers and other stakeholders to leverage new and existing technologies in a way that creates a host of positives-from improved patient outcomes and associated reduced claims to additional business opportunities.

Numerous Stakeholders

At the network level, a number of security initiatives include ancillary benefits for insurers. As one of nine health information exchanges (HIEs) in the trial implementation of the U.S. Department of Health and Human Services' Nationwide Health Information Network (NHIN), CareSpark, a Regional Health Information Organization (RHIO) in Central Appalachia, is developing and demonstrating core services for the secure exchange of summary medical records, as well as information required for medication management and consumer empowerment use cases.

The HIE is working with Chicago-based Initiate Systems Inc., a provider of Enterprise Master Person Index (EMPI) software, to serve 750,000 residents and approximately 1,200 physicians in a 17-county area of southwest Virginia and northeast Tennessee. Demonstrating their medication management and consumer empowerment use cases at the 5th NHIN Forum in Washington in December 2008, Liesa Jo Jenkins, CareSpark's executive director, touted the accuracy and speed of the software. "It provides the highest level of confidence needed for matching of records and adoption of standards endorsed by NHIN," she says. Other benefits include improved services at the point of care and increased operational efficiencies and interoperability among applications, which contribute to successful health information exchanges, says Jenkins.

The Impetus

Insurer networks must accommodate a growing base of patients/members who want safe access to electronic health records (EHRs). The results of a recent survey reveal that 27 percent of American adults now say they are "extremely likely or somewhat likely" to create an online personal health record (PHR) to help track their medical history and medications.

"This movement is being driven by the availability of new technology, as well as by people's desire to take control of their own health care and have manageable access to their medical information," says Susan Semack, VP of Morpace Health Care Practice, the Farmington Hills, Mich.-based survey research and consulting firm that conducted the study of 1,015 adult U.S. consumers.

The likelihood of subscribing to these new online services does not vary by age-Americans aged 55 and older are as likely to create an online PHR as younger Americans. "Older Americans recognize the value of centralizing a long history of medical information, and many are not intimidated by using the Internet to create a PHR," adds Semack.

The popularity of this movement is growing as Internet giants Google and Microsoft, along with traditional online health service companies such as WebMD and Revolution Health, offer online PHR services at no charge. "As awareness of these kinds of services builds," Semack says, "many people will be open to using them."

Meanwhile, awareness of the NHIN initiative, which seeks to create a "network of networks" nationwide system of electronic medical records by 2014, is edging up. Currently, 56 percent report they are familiar with EHRs, compared to 50 percent two months ago.

Working with Providers

Insurers also have a vested interest in providing secure collaboration with providers and members to promote improved quality and efficiency of health care.

When Hartford, Conn.-based Aetna Inc. reviewed its provider portal strategy last fall, it did so with several goals in mind. "First, we are always looking to make it easier to do business with provider physicians and hospitals," says Paul Marchetti, head of Aetna's national networks and contracting services department. "By the same token, we take security and privacy very seriously-in fact, it's critical."

In overhauling its home-grown physician portal to offer a broader range of secure transactions, the insurer chose an external Software-as-a-System offering that included a role-based security feature.

"Most of the industry has a secure model, but they are limited to the insurer side," Marchetti says. "The technology we chose (the NaviNet portal from NaviMedix Inc., Cambridge, Mass.) enables the provider office to set the controls. The office designee, such as the office manager or doctor, decides who can access certain information and who cannot. For us, it is really important to give the provider that office-specific control."

A further review of the NaviNet offering brought to light standard elements already incorporated into systems Aetna's providers use everyday.

"The system allows for payer-branded silos and secure, single sign-on," says Marchetti, "and the system's content management features allow us to tailor our messaging, products and announcements.

"We know the importance of being able to work within the parameters of our providers' workflow. And with 700,000 physicians in the network, we want to be able to immediately and securely communicate specific information to them, such as patient eligibility and benefits specifics," he says.

Leveraging Benefits

Wellmark Inc., a mutual company that does business as Wellmark Blue Cross and Blue Shield of Iowa, insures and pays health benefit claims for more than 2 million members in Iowa and South Dakota. The insurer is seeing positive early results from its "Collaboration on Quality Incent and Reward Best Practices" primary care initiative, a partnership between Wellmark and its network physicians.

Contracting with Alpharetta, Ga.-based MDdatacor, which provides electronic and physical security measures and established stringent security procedures to protect medical information from unauthorized access, improper use, alteration and unlawful or accidental destruction, Wellmark has been able to provide a platform that helps doctors identify gaps in patient care. Additionally, the platform offers opportunities to enhance treatment for patients through secure access to clinical data. Not based on claims data alone, the "CareInformatix" platform securely captures data from all available sources, including electronic medical records, lab, registry and practice management systems and dictated transcriptions.

Similarly, Aetna's strategic use of its NaviNet portal takes it beyond both the security aspects of routine administrative functions and content-specific messaging to an initiative akin to Wellmark's. Its New York-based ActiveHealth Management subsidiary leverages the NaviNet portal's toolset to provide health management services, including disease management, clinical decision support and PHRs. Launched in May, the system uses evidence-based guidelines and claims data to produce rules that trigger clinical alerts.

"Everyone is using our toolkit in a different way," says NaviMedix VP of marketing Kendra Obrist, "and Aetna is no exception. But they look at the big picture - security, privacy, compliance, and are leveraging the technology to make it easier to do business with their providers."

"Aetna wants to securely bridge the gap between member and provider," notes Marchetti. "When the physician checks a member's eligibility, if there is a clinical alert set up for this member, we say 'yes, he's an eligible member, but he has not had a certain test in more than a year.' When the member shows up for the appointment, the physician is ready to address these issues. The ability to work securely in this environment and identify gaps in health care is foundational to what our benefit is - and what differentiates us as a health insurer."

Nolan's Smith says that as health insurers move forward into 2Q 2009, many may place a priority to regulatory compliance updates based on additional privacy laws, and many may focus on areas that require capital, where rapid growth is expected, or where the company feels most vulnerable - with their security and privacy policies.

"Their world is much more complicated, fragmented and, as a result, much less controlled, which means security and privacy are still mission-critical components," Smith says. "Leveraging this technology to reap other benefits adds value to the business plan. It's just good business."

This article was originally published in Insurance Networking News.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access