Government updates: GAO scores HHS on cybersecurity issues; patient issues largely omitted from EHR notes in VA study

The Government Accountability Office’s (GAO) latest report, released 13 November, remains critical of HHS’ leadership on cybersecurity issues. Using the immense Change Healthcare data breach as a glaring example, it outlines HHS’s continued ‘challenges’ in taking the lead among Federal agencies in strengthening cybersecurity in the healthcare sector. For instance, HHS coordinates with the Cybersecurity and Infrastructure Security Agency (CISA), the national coordinating agency for critical infrastructure security and resilience. Where HHS comes up short (again) against GAO’s prior reports and recommendations is:

  • Weakness in tracking how effectively healthcare organizations are mitigating ransomware.
  • Not yet assessing how healthcare organizations are adopting the ransomware-specific practices outlined in the NIST (National Institute of Standards and Technology) Cybersecurity Framework, centered on identify, detect, protect, respond, and recover.
  • Inability to document the effectiveness of the support HHS provides to healthcare organizations, such as guidance documents, training, job aids, and threat briefings, to help the sector manage ransomware risks.
  • Not conducting a comprehensive sector-wide cybersecurity risk assessment that addresses the IoT (Internet of Things) and OT (operational technology) devices and systems common in healthcare.
  • Not using its Administration for Strategic Preparedness and Response (ASPR) to fully and consistently monitor the working groups supporting the healthcare sector on their progress against goals and responsibilities, and on their collaboration.
  • The Centers for Medicare and Medicaid Services (CMS) has had requirements in place since 2020 whose parameters conflict with those established by other federal agencies that share data with states, such as the Social Security Administration.
  • CMS has policies to assess states’ cybersecurity but does not coordinate with other federal agencies on the assessments.

GAO’s latest report recommended that:

  • HHS, in coordination with CISA and sector entities, determine the sector’s adoption of leading cybersecurity practices that help reduce ransomware risk.
  • HHS, in coordination with CISA and sector entities, develop evaluation procedures to measure the effectiveness of its support in helping to reduce ransomware risk.
  • HHS include IoT and OT devices as part of the risk assessments of the sector’s cyber environment.
  • ASPR take action to fully and consistently demonstrate leading collaboration practices.
  • CMS 1) solicit input from relevant federal agencies on revisions to its security policy to ensure consistency across cybersecurity requirements for state agencies, and 2) revise its assessment policies to maximize coordination with other federal agencies.

Highlights and full report 

EHR notes also come up short when it comes to issues brought up by patients–and include information from outside the clinician-patient conversation. This observational study from the Regenstrief Institute, by two Indiana University medical researchers at the VA, found multiple discrepancies between EHR notes, which are supposed to recap the conversation between patient and clinician during a primary care appointment, and the actual transcript of that conversation. It took place at four primary care clinics at a midwestern Veterans Affairs (VA) Medical Center and one associated VA community-based outpatient clinic, all using the current VistA EHR. Video and audio recordings were used to create transcripts that were compared with the EHR notes.

The discrepancies were bi-directional. According to the study, “fewer than half of issues that patients initiated in discussion were included in notes, and nearly half of notes referred to information or observations that could not be verified.” Whether an issue made it into the note also depended on who raised it. For instance, psychosocial issues were common in patient-clinician discussions. “The researchers found that when the clinician initiated discussion about these issues, 92 percent of notes in the EHR included them, but when the patient initiated discussion, only 45 percent did.”

There were also gaps in quality that were questioned in the study:

  • 8% of notes lacked an assessment and plan. Were some assessments truly incomplete, and some important plans actually skipped?
  • 18% of notes were missing follow-up plans. Were some follow-up plans never arranged?
  • 26% lacked reports of diagnostic test results. Were such results simply absent or unimportant, or were important findings unavailable, difficult to access, or overlooked?

“We recognize that certain variations in EHR documentation stem from authors’ preferences or styles about how to organize or structure notes. At the same time, notes should not lack critical elements.” Reasons for omissions could include “lack of recognition of the significance of a problem by clinicians, forgetfulness while writing notes, insufficient time to complete records accurately and thoroughly; belief that the issue had already been addressed; or prioritization of other concerns.”

Drs. Michael Weiner and Richard Frankel both research aspects of health information technology that improve patient outcomes and doctor-patient communication. They are affiliated with the US Department of Veterans Affairs Health Services Research and Development Center for Health Information and Communication, and are professors of medicine at Indiana University’s medical school. Regenstrief Institute article 12 Nov, BMC Primary Care published study 18 July 2024

HHS reorganizing ONC, ASTP in tech funding, talent bid; FDA’s Digital Health Advisory Committee named; GAO scores progress on VA Telehealth Access Program

Time to make lemonade? The US Department of Health and Human Services (HHS), in the midst of technical challenges such as AI and cybersecurity, has turned its weary eyes to a reorganization of a function that goes back two decades to the GW Bush administration. Technology has been under the purview of the Office of the National Coordinator (ONC) for Health Information Technology (HIT), currently Micky Tripathi, within HHS–but not entirely. The HHS solution is to rename ONC-HIT as the Office of the Assistant Secretary for Technology Policy, or ASTP, and to add in IT functions distributed to other offices within HHS. 

  • Not unexpectedly, HHS will hire three new technical experts: a chief technology officer (vacant for several years), a chief AI officer (currently held by Tripathi), and a chief data officer.
  • The new ASTP will also absorb the IT functions within HHS’ Assistant Secretary for Administration (ASA).
  • Another shift is being made to the HHS 405(d) Program, a partnership between the health sector and the federal government to align healthcare cybersecurity practices. That moves from ASA to the Administration for Strategic Preparedness and Response (ASPR).

With this, ASTP hopes for more funding. Since the early 2000s, its budget has remained stagnant at $50-65 million, not including ‘paste-ons’ for initiatives such as HITECH and 21st Century Cures. Healthcare Dive, Fierce Healthcare

Another alphabet committee formed to advise the Food and Drug Administration (FDA). The Digital Health Advisory Committee (DHAC) has been named to advise FDA on topics such as AI/ML, virtual reality, wearables, digital therapeutics, and remote patient monitoring (RPM). The chair will be Ami Bhatt, MD, chief innovation officer of the American College of Cardiology. A full list of the committee is in FierceHealthcare and the DHAC industry representative pool is here.

The Government Accountability Office (GAO) has more than a few reservations about the Veterans Health Administration’s Telehealth Access Program. The VA has had in place since 2019 a distributed telehealth program to enable veterans without internet access at home to obtain clinical telehealth services at outside locations. The Accessing Telehealth at Local Area Stations (ATLAS) pilot program works with private organizations, such as veterans service organizations, to provide locations where veterans can connect with VA clinicians for video consults. The problem is that 14 of the 24 ATLAS sites active at the time had no veteran visits in Federal FY 2022 and 2023. For the 10 sites with visits, reports were favorable but not measurable. Where GAO scores VA is that the program lacked performance goals and related measures. VA going forward will implement goals and measures based on leading good practices and assess the effectiveness and efficiency of the ATLAS program on an ongoing basis. GAO report.

News roundup: Change responsible for data breach notices; 37% of healthcare orgs have no cybersec contingency plan; health execs scared by Ascension breach; CVS continues betting on health services; Plenful’s $17M Series A

HHS agrees with providers that the data breach notification is on Change Healthcare, not them. Health and Human Services’ Office for Civil Rights (OCR) moved quickly to formally change the FAQs that kicked off the 100+ provider letter [TTA 23 May]. Now “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.” “Covered entities” in this case refers to the providers. Only one entity–Change or the provider–“needs to complete breach notifications to affected individuals, HHS, and where applicable the media.” Providers must contact Change Healthcare for the delegation. 

Chad Golder, general counsel and secretary at the American Hospital Association (AHA) said in their statement, “As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack.” HHS notice, Healthcare Dive

Meanwhile, UHG still does not know the extent of the breach, which started in late February. Knowing the extent of the breach is needed to start notifications. It has still not formally notified HHS of the breach, well past the mandated 60-day window (see #3 in the HHS FAQs). This may constitute an ‘unreasonable delay’ (see #6). Not all Change systems are back up either–see the Optum Solutions page, which has plenty of red Xs.

Only 63% of healthcare organizations have a cybersecurity response plan in place, leaving 37% without a plan. This is based on a survey of 296 IT/data security/management executive respondents working at healthcare organizations in the US performed by Software Advice, an advisory and consulting firm. Other findings:

  • Nearly 1 in 3 have had a data breach in the last three years
  • 42% of practices have experienced a ransomware attack, and of those, 48% say the attack impacted customer data
  • 34% failed to recover data after the ransomware attack
  • 55% of medical practices allow access to more data than employees need to do their job, which makes them more vulnerable to attacks
  • While 41% of data breaches are attributable to malicious hacking, another 39% are due to malware, 37% are due to social engineering and phishing scams, 36% are due to software vulnerabilities, and 30% are due to employee error.

It would have been helpful if Software Advice in its report had broken down the type of practices surveyed. Healthcare Dive

Meanwhile, healthcare executives were ‘scared’ by the Ascension Health breach, as they should have been. Katie Adams’ piece in MedCityNews explores reactions from five different C-suite hospital executives about the recent attack on Ascension. The IT and data officers are from MD Anderson, Yale New Haven Health, CommonSpirit Health, Allegheny Health Network, and UPMC. The overall take: threats are more common than ever; bad actors are abundant and getting better (using tools that can turn amateurs into pretty good “bad actors” via “LLM products and have them help you build ransomware code”); managing weaknesses in third-party vendors that live in the cloud is a Herculean task; phishing persists; and ‘government’ needs to be involved.

This Editor notes that the rush for providers into generative AI, given this environment, is perhaps premature. Yet here they go; researchers from Mount Sinai’s Icahn School of Medicine used structured data, such as vital signs, and unstructured data, such as nurse triage notes, to develop models predicting hospital admissions using ChatGPT-4. It supposedly can learn from fewer examples than other machine-learning models currently used and use data from traditional models. Becker’s

Ascension is slowly coming back, now projecting that all their locations will have their EHRs restored by the week of 14 June. Currently, only Florida, Alabama and Austin are up and running. Ascension Rx retail, home delivery and specialty pharmacy sites are now open as well. They will have some ‘splainin’ to do to HHS OCR. Ascension update site

CVS is confident in the future of its retail health despite its struggles with Minute Clinics and Oak Street. Despite the struggle of retail health clinics at other providers such as Walgreens/VillageMD and the shutdown of Walmart Health, Sree Chaguturu, MD, CVS Health’s executive vice president and chief medical officer, expressed complete confidence at a recent industry conclave, thINc360 – The Healthcare Innovation Congress. This is despite the closures of dozens of Minute Clinics in Southern California and New England [TTA 31 May] out of their 1,100-plus total, plus CVS seeking an investment partner for Oak Street [TTA 29 May]. Dr. Chaguturu returned time and again to the 10,000-odd CVS Pharmacy locations and their leverage within communities, leaning very hard on the 5 million people coming in daily and the ‘opportunity for their pharmacists to engage’. As a CVS customer at a small location, those busy pharmacists aren’t engaging with me unless I have a script to fill or need an OTC decongestant that’s on the state signoff list due to an ingredient. In fact, CVS locations have rather few people nowadays, including behind checkout counters. Then again, it was a meeting speech. FierceHealthcare

Concluding on a brighter note, Plenful’s Series A came in at a tidy $17 million. Plenful developed and markets an AI-assisted workflow-automation platform for pharmacy and healthcare operations, claiming that it automates over 95% of the work for disparate administrative workflows. Features include 340B audit, document processing, contracted rates optimization and inventory planning, and pharmacy revenue cycle and reporting. Founded in 2021, the company has already lined up some impressive clients. Lead investor TQ Ventures was joined by Mitchell Rales (cofounder and chairman of Danaher), Susa Ventures, Waterline Ventures, and Bessemer Partners, the lead for last September’s $9 million seed funding, for a total of $26 million. Crunchbase, Mobihealthnews

Midweek news roundup: Optum exiting telehealth, laying off; Advocate Health selling MobileHelp; VA notifying 15M veterans re Change PHI breach, Oracle moving to Nashville–maybe? (updated)

Optum Virtual Care closing, staff layoffs in progress. Optum Everycare CEO Jennifer Phalen on an 18 April internal conference call announced that the unit would close. According to sources, some employees would have layoff dates in July. No further details were available on other layoffs or plans for integrating Virtual Care’s capabilities into other Optum units, except for generalities. “We are committed to providing patients with a robust network of providers for virtual urgent, primary and specialty care options,” and “We continually review the capabilities and services we offer to meet the growing and evolving needs of our businesses and the people we serve,” a spokesperson for UnitedHealth said to Endpoints, a biopharma publication from the University of Kansas which broke the story.

For Optum, this is the second shoe drop about layoffs and closures in less than two weeks. Reports from social media and layoff-specific boards indicated that thousands were being laid off, from their plans to urgent care and providers [TTA 23 Apr]. These were not confirmed by Optum nor by UnitedHealth Group. It’s not known if this unit’s closure was included in the total. 

The larger picture is that it is symptomatic of the sudden growth, then equally sudden consolidation, of general telehealth. Optum opened the unit in April 2021 as the pandemic entered year 2. Utilizing existing capabilities, UHG claimed it facilitated more than 33 million telehealth visits in 2020, up from 1.2 million in 2019. The number looks sky high but in that time of practices closing it was a free-for-all in telehealth–and ‘facilitating’ is a nebulous catchword that could mean a practice using Facetime, telephones, or an EHR/population health platform module. Commercial claims for telehealth have remained at 4 to 5% since (FAIR Health, Jan 2024). Even during the pandemic’s first year, telehealth claims hit a peak of 13 percent in April 2020 that dropped fast to 6% by August 2020. Well over 60% are for behavioral telehealth claims.

A leading indicator: Last June, Optum Everycare’s CEO from their 2021 start, Kristi Henderson, a former Optum SVP for digital transformation, departed to become CEO of Confluent Health, a national network of occupational and physical therapy clinics. It was about as far away as one could get from telehealth, digital transformation, and Amazon Care, her former employer that expired in 2022.

Apparently, UHG and Optum see no further need for a virtual care specialty unit, instead integrating it into plans and other Optum services. According to MedCityNews, industry analysts aren’t surprised. Both Amwell and Teladoc have had well-known struggles. The latest: Walmart, after investing millions into a unit that included full clinics and a virtual care service, also made news on 30 April that it is closing both. Also greatly on UHG’s mind: cleanup after the Change debacle, making Mr. Market happy, and the looming antitrust action by DOJ. Becker’s, Healthcare IT News

In another sign that healthcare investors are selling off ancillary businesses, Advocate Health is selling PERS provider MobileHelp. It “no longer fit the strategic priorities of Advocate Health” according to their 22 April audit report (see document pages 10 and 13) and was authorized last December.

Advocate, through its investment arm Advocate Aurora Enterprises, acquired both MobileHelp, one of the earliest mobile PERS, and sister company Clear Arch Health, a remote patient monitoring provider, in April 2022. Cost was not disclosed at that time but later was reported to be $290.7 million. The plan at the time was to combine both MobileHelp and Clear Arch with a senior care/home health provider earlier acquired by Advocate for $187 million, Senior Helpers. That company was sold in March to Chicago-based private equity firm Waud Capital Partners for an undisclosed amount. The MobileHelp sale is expected to close later this year. Buyer and price are not disclosed. The expected loss on the MobileHelp sale was figured into FY 2023 as part of an asset impairment write-down of $150 million, which Advocate said was “related to the expected loss on the sale of MobileHelp.” The PERS and RPM business is a largely consolidated ‘cash cow’ type of business that (Editor’s prediction) will be snapped up by another player like Connect America, Alert One, or a smaller player like ModivCare. Milwaukee Business Journal, Becker’s, Crain’s Chicago Business (requires subscription)

VA admits that some veterans may be affected by Change Healthcare data breach, PII/PHI disclosure. While Department of Veterans Affairs Secretary Denis McDonough at this time believes that “there’s no confirmation yet” that veteran data was exposed, the scope of the Change Healthcare breach has led VA to formally alert via email 15 million veterans and their families of the possibility. The email also included information “about the two years of free credit monitoring and identity theft protection” that Change Healthcare is offering to those affected by the attack. The VA maintains that the attack resulted in only a temporary delay in filling 40,000 prescriptions but did not cause “any adverse impact on patient care or outcomes,” according to a department spokesman. NextGov/FCW 26 April, 23 April 

In related news, HHS as of 19 April had not received any notification from Change Healthcare nor UHG. They are required to file a breach report as providers and also as covered entities. They have 60 days from the breach occurrence on 21 February to report, which is coming right up. Becker’s

If Larry said it, it must be true…assemble the moving boxes. At an Oracle conference in Nashville last week, Oracle chairman Larry Ellison said to Bill Frist of investment firm Frist Cressey Ventures that he planned to move the company to that city as “It’s the center of the industry we’re most concerned about, which is the healthcare industry.” It’s their second public Larry and Billy meetup in the last few months, the last in November at the Frist Cressey Ventures Forum where Ellison had previously touted Nashville. Ellison is investing in and building a 70-acre, $1.35 billion campus on Nashville’s riverfront. Oracle is currently HQ’d in Austin, Texas having moved in 2020 from Redwood City, California but with extensive facilities remaining in the state. Texas and Tennessee have one thing in common–a superior business climate. Both are long on lifestyle, though Austin is not as temperate (read, hot) as Nashville. What Nashville has that Austin doesn’t is being a healthcare hub. At least in Ellison’s view, healthcare is where it’s at and so is Nashville. So as long as he’s running Oracle from his manse on Lanai, Oracle does what Larry says. Healthcare Dive, Healthcare IT News, The Tennessean

More fun facts about Larry Ellison and Nashville: David Ellison, his son, is founder of Skydance Media, a major Hollywood production company (Mission: Impossible and others) and is negotiating a zillion-dollar merger with Paramount Pictures. David’s wife is a singer trying to make it in Music City and they have a home there. Kind of like the age-old trend of moving the HQ near where the CEO’s living. Moving the HQ to Nashville from Austin would affect perhaps 2,500 workers currently based there. Most of Oracle’s workers are dispersed and work remotely. 6,400 former Cerner-ites are still in Missouri and 7,000 remain in California. Big hat tip to HIStalk—scroll down and see more about Larry and Billy’s talk, which also covered cybersecurity, the NHS (which uses Cerner), and automating hospitals and the hospital-payer interface.

Is BlackCat/ALPHV faking its own ‘death’? (updated) HHS and CMS come to Change affected providers’ assistance with ‘flexibilities’

BlackCat/ALPHV blames the FBI for another ‘shutdown’ and exits, stage left. BlackCat put up on its new leak website a copy of the shutdown screen that appeared on its old leak website back in December [TTA 22 Dec 23], claiming that law enforcement shut it down. This was not confirmed by the FBI either way, but Europol and the NCA confirmed to Bleeping Computer that they had no recent activity involving BlackCat. The other tell was that the source code of the two screens differed–the new one was served up from another server.

On a Russian hacker forum called Ramp, BlackCat/ALPHV claimed that they “decided to completely close the project” and “we can officially declare that the feds screwed us over. The source code will be sold, the deal is already being negotiated”. The source code is reportedly up for sale for $5 million.

As to the $22 million, BlackCat/ALPHV never admitted it was paid by Optum/Change (nor is Optum confirming), but the affiliate called “notchy”, which didn’t get paid [TTA 5 Mar], shared with Bleeping Computer “a cryptocurrency payment address that recorded only one incoming transfer of 350 bitcoins (about $23 million) from a wallet that appears to have been used specifically for this transaction on March 2nd.” That wallet then distributed seven equal payments of $3.3 million in bitcoin to other wallets.

(Update) Speaking of “notchy”, let’s not forget that this affiliate claims to have 4 TB of PHI/PII data from Change that could be sold or leaked. Since they never got paid by BlackCat/ALPHV, it’s safe to assume that information will be up, so to speak, for grabs.

When it all adds up–the fake FBI ‘raid’, shutting down servers, the signoff on Tox of “GG” (good game?), the cutting off of affiliates (which also confirmed this to DataBreaches.net–and may or may not have been paid)–it resembles an exit scam.

(Update) Another excellent summary about ALPHV in Krebs On Security also updates LockBit, which was seized in an international takedown in February, and covers the governmental entities they ransomwared. To be continued….

The lobbying of HHS by Congress, the American Hospital Association, and UHG to help out providers has produced some results. On 5 March, Health and Human Services (HHS) issued a statement that summarized various ‘flexibilities’ and workarounds to aid providers who cannot access systems or have to resort to alternatives to ensure continuity of services to patients. These will be administered through the Centers for Medicare & Medicaid Services (CMS) and range from prior authorization to advance funding and claims processing for Medicare. From the statement:

  • Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch.
  • CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages.
  • CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
  • CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies.
  • If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs. CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them.

Many payers are also making funds available while systems are offline. Hospitals may also face “significant cash flow problems from the unusual circumstances impacting hospitals’ operations, and – during outages arising from this event – facilities may submit accelerated payment requests to their respective servicing MACs for individual consideration.”

The statement closes with a reminder of HHS’ December concept paper on cybersecurity strategy for healthcare. DataBreaches.net (full statement), Becker’s

(Update) More on how this is affecting patient care focusing on cancer treatment, from the point of view of a Community Oncology Alliance spokesman. In addition, how consolidation is making healthcare more vulnerable to cybercriminals, and comments on UHG and Federal processes and payment offers to date. HealthcareITNews.

And DDoS attacks and questionable downtimes are now common.

Editor’s Update 11 Mar: The DataBreaches.net website suffered a major DDoS attack on 7 March and was down for two days, through 8 March. It is now fully up and running, with our links working.

Multiple US Government websites went down Thursday evening 7 March, based on news reports: Department of Homeland Security (DHS), Customs and Border Protection (CBP), Immigration & Customs Enforcement (ICE), Citizenship and Immigration Services (USCIS), US Secret Service and Federal Emergency Management Agency (FEMA). The timing, on the evening of the State of the Union address to Congress, is, well, interesting. Daily Express. Later reports announced restoration later in the evening. Cyberincidents are not exactly unknown on government websites.

Short takes: Humana’s big MA loss (updated); Medicare telemental care bill back in Senate; HHS releases cybersecurity performance goals; Texas Healthcare Challenge hackathon 23-24 February

Humana apparently surprised Wall Street with its Q4 losses, driven by escalating Medicare Advantage (MA) costs. While revenues ($26.5 billion) for MA’s second largest plan provider were up from the prior year’s $24 billion, MA expenses drove an adjusted Q4 loss of $361 million in the insurance segment. From Humana’s earnings statement: “The sector is navigating significant regulatory changes while also absorbing unprecedented increases in medical cost trends. We believe the elevated MA medical costs are an industry dynamic, not specific to Humana, and that they may persist for an extended period or, in some cases, permanently reset the baseline.” On the earnings call, its CFO cited increased inpatient costs, especially for short stays, and more spending on outpatient surgeries and supplemental benefits–trends that Humana expects to continue into 2024 and even into 2025. Home health under CenterWell was tidily profitable and growing. Perhaps MA’s sector problems were the reason why Cigna, selling off its MA plans, backed out of the acquisition/merger? Q4 press release, management remarks, Becker’s, Healthcare Dive

(Updated) Humana announced the appointment of a President of Enterprise Growth, David Dintenfass, to spearhead customer growth and retention. His background is not healthcare but Fidelity Emerging Growth Markets, with previous stints at Procter & Gamble and Bank of America. This assumes that the cost problem can be grown out of. Expect more departures and arrivals to roil Humana, as its current CEO moves to a planned retirement transition later this year and has already laid off staff in January. Healthcare Dive

A bipartisan Senate bill proposes to continue coverage of virtual-only telemental health for Medicare beneficiaries. The ‘Telemental Health Care Access Act of 2023’ is sponsored by four Senators: Bill Cassidy, R-La., Tina Smith, D-Minn., John Thune, R-S.D., and Ben Cardin, D-Md., and is designed to make permanent the pandemic waiver of in-person requirements that expires at the end of 2024. The senators cited rural health and overall access to mental healthcare. Mental health remains the leading claim line for telehealth. Healthcare Dive, draft bill

The Department of Health and Human Services (HHS) published voluntary cybersecurity performance goals for healthcare and public health organizations. These fit within the HHS 405(d) Program and Health Sector Coordinating Council Cybersecurity Working Group’s Healthcare Industry Cybersecurity Practices as well as the NIST Cybersecurity Framework and the Cybersecurity and Infrastructure Security Agency’s National Cybersecurity Strategy. (Whew!) The two voluminous sets of goals, Essential and Enhanced, directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis. As noted earlier this week, there were 116 million patient records exposed in 2023 data breaches, doubling that in 2022.

HHS means well, but this is another ‘blood out of a rock’ situation. Health IT departments all over the US, from providers to payers, have had or are facing layoffs in the ongoing clash of business versus technology, which won’t cease because HHS would like it to. HealthcareDive, HealthcareITNews

The Texas Healthcare Challenge Hackathon is back! After three years dark, this year’s edition will be held 23-24 February in Dallas. Sponsored by the Health Wildcatters, a Dallas-based accelerator in the DFW area, it is open to just about anyone who can apply–you don’t have to code or hack. Friday kicks off with “problem pitching,” where participants form teams around identified issues. Saturday starts with morning motivation and intensive team hacking, moving on to participants developing viable solutions, assessing market potential, creating functional business models, and addressing risks with mentor support from industry experts. The day culminates in team presentations, with judges awarding cash and in-kind prizes to winning solutions. Learn more and apply here (the application form is under the numbers; click on “Hackathon Sign-Up”). Sponsorship is the second button.

News roundup: ONC recommends ‘nutrition labeling’ for healthcare AI apps but Google moves forward; CVS’ health services rebranding as Healthspire (updated); Clover Health reports out of ACO REACH

Straining toward a model for AI app information? The latest grope by Federal regulators towards the “trustworthy use of artificial intelligence”, as the American Telemedicine Association terms it, is a labeling system that has been likened to ‘nutrition labeling’. This near-incomprehensible analogy to food labeling was proposed back in April by the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC), now headed by Micky Tripathi, Ph.D. This disclosure would consist of how the app was trained, how it performs, how it should be used, and how it shouldn’t, which does not sound onerous at all. The disclosures are designed to forestall issues around performance and bias that have previously appeared, such as Epic’s AI system designed to predict sepsis risk and an algorithm designed to flag patients needing assistance with complex treatment regimens. 

An optional proposed disclosure around how the app was trained and tested would be important to healthcare organizations but potentially problematic to developers. There are quite a few caveats expressed by Silicon Valley investors around hurting startups and even giants like Epic through over-disclosure of proprietary information, enabling reverse engineering and poaching of intellectual property. Everyone likes transparency, trust, safety, and efficacy, but the conundrum is to disclose what is needed for proper and cautious use without providing an entrée to IP. Wall Street Journal, Becker’s, ATA release and AI principles

Google, predictably, damns the torpedoes, full speed ahead with healthcare AI. And intends to write the rules. They’ve deployed AI tools already with Mayo Clinic and HCA Healthcare–Mayo for medical records and research papers, HCA for clinical notes. EHR Meditech is using Google’s AI for clinical documentation and to summarize patient histories. Bayer is also working with Google. Their products include a licensed algorithm for breast and lung cancer detection, a tool for diagnosing diabetic retinopathy, and a question-answering bot. Google makes no secret that they plan to influence Federal efforts at setting standards by hiring lobbyists, most of whom are out of the Food and Drug Administration (FDA), and playing a large role in industry groups such as the Coalition for Health AI (CHAI).  If you believe that Google, Microsoft, Amazon (playing catchup), or other healthcare service companies like UnitedHealth Group’s Optum will twiddle their thumbs and wait for the Feds to set standards and (good grief) enforce disclosure on AI tools, this Editor has several lovely bridges for sale. POLITICO, Becker’s

CVS Health grouping health services and multi-payer assets under CVS Healthspire. Monday’s announcement at the Forbes Healthcare Summit will roll up new $20 billion acquisitions Oak Street Health and Signify Health along with 1,100 MinuteClinics, the CVS Caremark pharmacy benefit manager (PBM), CVS Specialty, and its new Cordavis operation that works with pharmaceutical companies to bring biosimilars to market. The rebranding, a clever melding of ‘health’ and ‘inspire’, will start this month and run into 2024. It’s not revealed whether the current names will be sunsetted for CVS Healthspire, or whether they will keep their established brand names. The parallels are with Evernorth (Cigna), Optum (UnitedHealth Group), and Carelon (Elevance, the former Anthem) in creating a vertically integrated healthcare company. At Investor Day, CVS Pharmacy announced a cost-plus arrangement for retail prescriptions built on the cost of the drug, a set markup, and a fee that reflects the care and value of pharmacy services–clearly in competition with Mark Cuban CostPlus. Forbes, FierceHealthcare, CVS release, Investor Day release

Clover Health exits the advanced value-based primary care program, ACO REACH. Clover’s exit at the end of the 2023 performance year after two years disbands their practice arrangements for CMS’ advanced original Medicare shared savings program, formerly Direct Contracting, and provision of beneficiary services after completing their required wrapups and reporting. It is part of their recent moves to become profitable, focusing on their Medicare Advantage business and Clover Assistant management. They outsourced their Medicare Advantage plan administration to UST HealthProof for a savings of $30 million and laid off 10% of staff as part of restructuring. A 2021 SPAC on Nasdaq debuting above $16 that survived investigations by the SEC and DOJ now has shares trading currently under the $1.00 minimum for listing. Clover also finally settled seven shareholder lawsuits over its non-disclosure of the DOJ investigation at the time of the SPAC. Cleaning house is all part of living to fight another day, like other ‘insurtechs’ such as Oscar Health. Clover release, FierceHealthcare  Also: Looking back at insurtechs and their ‘disruption’,  Insurtechs in the widening gyre

This ‘n’ that: HHS settles *2017* ransomware breach, Carbon Health lays off 114 in restructuring, why oh why VC General Catalyst wants a $3B health system, when Larry Met Billy, a lexicon of workplace terms

It only took five years to levy a $100,000 fine. Doctors’ Management Services, a Massachusetts-based medical management company, had a ransomware attack back in 2017 that exposed 206,695 individuals to personal health information violations. The Health and Human Services (HHS) Office for Civil Rights (OCR), which is charged with actually enforcing penalties and remedies for data breaches, decided that Doctors’ Management hadn’t done quite enough to protect their patients. The cyberattack was identified in December 2018, but Doctors’ didn’t report the breach to OCR until April 2019. Their network had been infected with GandCrab ransomware. After determining various protection failures, HHS put them on a three-year corrective plan to protect their data and collected the $100,000 fine, their very first. But still, nearly four years later? And with breaches, ransomware, and hacking going on every day? Healthcare Dive

Another Covid unicorn comes down with a bang. Carbon Health, a 13-state network of primary care clinics along with virtual care in areas such as mental health, says ‘bye’ to 114 or 5% of its staff. It grew and got funded big during Covid as it set up testing and vaccine initiatives, achieving a valuation of $3 billion. In 2021, Covid accounted for 60% of their revenue, but as it waned in 2022, so did their revenue by 23%. To date, their funding has been over $622 million, with $100 million in January in a Series D funded by CVS Health Ventures. This isn’t their first big layoff–200 staffers said goodbye in January as well as 250 in mid-2022 which was about 8%. Becker’s

General Catalyst’s newest venture into Health Transformation Land, HATco, The Health Assurance Transformation Corporation, is in the market for a health system in the “$1 billion to $3 billion” range: not so small that it lacks impact in its communities, and large enough to have capabilities around value-based care plus a track record of excellence. This is to create their ‘blueprint’ for healthcare transformation. Interested parties should contact CEO Marc Harrison, MD. Their other plans to get there were announced at HLTH. As to why…General Catalyst has had a lot of experience with companies, and perhaps they feel they have a Better Way to Get There. Becker’s, TTA 10 Oct.

Of Note…The second wealthiest executive in healthcare, Oracle’s Larry Ellison, wasn’t too busy to hang out with the third wealthiest on Forbes’ list, former senator and HCA honcho Bill Frist, in Nashville at the inaugural Frist Cressey Ventures Forum. Ellison is also investing in a 70-acre, $1.35 billion campus on Nashville’s riverfront. It’s always nice to make nice with the neighbors, especially when they have major holdings in a large health corporation. Becker’s

To wrap up This ‘N’ That, Becker’s has a useful article that will keep you au courant on those workplace terms you see on places like LinkedIn. ‘Quiet quitting’, so popular in 2021-2, has had its day with layoffs leading to real ‘quitting’, leaving behind ‘grumpy stayers’ who try to get away with ‘Bare Minimum Mondays’. ‘Coffee badging’ was a new one on your Editor. The rest are catchy phrases for things as old as time in the workplace.

Short takes: follow up on Cano Health’s survival moves, eMed transitioning Babylon Health UK but Babyl Rwanda shuts, DEA extends telehealth prescribing for controlled substances thru 2024

Cano Health takes the reverse stock split option to stay solvent. In Cano’s latest telenovela episode, a familiar stratagem for companies to drive up a dangerously low share price is to reverse stock split, usually in a large ratio. Cano is facing delisting on the NYSE as its shares traded, as of 11 September, below the $1 minimum for 30 days. [TTA 29 Sept]  Shareholders are being asked to approve a 1 for 60 ratio with the board having the right to adjust it down to 1-for-5 and up to 1-for-100, for both Class A and B common stock. At the current share price of $0.21, a new share’s value would be $12.60. No meeting date has been set, though the press release bluntly states that 30% shareholder ITC Rumba, LLC and the 20% held by current and former members of management and the board intend to vote in favor of it, achieving the necessary simple majority. 1:60 does sound last-ditch, reminiscent of Babylon Health’s late 2022 moves in a 1 for 25 exchange, before attempting to go private–and we know how that turned out. Release

eMed transitioning Babylon Health services in the UK. A check on Babylon Health’s UK website provides FAQs for current users. It leads with promises to expand digital-first primary care services on this registration page for visits, and to develop a chronic care management service starting with medical weight management using Wegovy. The FAQs also state there will be no disruptions to GP at Hand. There is a rebranding (left/above) that sunsets the Babylon name but retains the stylized heart. 

Babyl Rwanda’s separate website and the eMed pages for Babyl Rwanda are still up, but a local report from 24 September states that the company has ceased operations in Rwanda. As of August, the government was scrambling to find buyers and to maintain operations for 2.4 million Rwandans. “According to Julien Mahoro Niyingabira, the Rwanda Health Communication Centre (RHCC) Division Manager, the Ministry of Health is in discussions with Babyl Rwanda to ensure continuity of services despite the closure of Babylon Health.” How that will be possible without a buyer to pay employees and maintain the operation is debatable. The New Times (Rwanda)

As for the US, the Babylon Health US site also remains up and intact with a small disclaimer at the top that US services are no longer available and to contact your health plan. It is the same as on our last visit on 14 September. It is odd to see, after another month, that no one has disabled the US services or corporate pages such as Investors. This is possibly because the architecture for the US pages is off the UK site (the tab at top has the eMed logo) and nobody is in the US operation to take down the pages. The US operation, in Chapter 7 bankruptcy liquidation, is now in the tender hands of the US bankruptcy courts, where filings, documentation, and processes move slowly indeed with no further public news.

And when you can’t decide, extend. The Drug Enforcement Administration (DEA) and Health and Human Services (HHS) once again are extending Covid-time flexibilities for prescribing controlled substances through 2024.  After 38,000 comments on the proposed changes to rules after the last extension in May, DEA and HHS punted again on reimposing Ryan-Haight Act restrictions that would require in-person evaluations/visits prior to prescribing. This allows clinicians to prescribe Schedule II–V controlled medications via audio-video telemedicine encounters, including Schedule III–V narcotic controlled medications approved by the Food and Drug Administration (FDA) for maintenance and withdrawal management treatment of opioid use disorder. Final rules will be timed for Fall 2024. Another year’s breathing room for  6 Oct DEA announcement, Federal Register 10 October “Second Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications”, Healthcare Dive

Short takes: CVS’ $1.12M Q2 net income loss, forecast spurs 5,000 layoffs; Signify’s in-home kidney exams; Indonesia’s Halodoc $100M D; FeelBetter raises $5.9M; Medicare breach hits 612,000 beneficiaries

A mixed picture for CVS Health. Their Q2 reporting was almost schizophrenic, depending on whose reporting you read. Healthcare Finance highlighted their $1.12M net income loss–tiny when compared to the size of the company– but apparently one of the factors driving a layoff of 5,000 corporate, non-customer facing staff. From FierceHealthcare, CVS is still quite profitable at $1.9 billion, but that is down 36%. Revenue of $88.9 billion was up 10% from prior year. The results beat Wall Street analyst estimates of $2.12/share with adjusted earnings of $2.21/share. 

Despite the overall good picture of Q2, financial projections trended down for the full year. CVS in Q2 started a restructuring plan which cost $496 million in pre-tax income, expected to be completed by year’s end. 2023 is projected to have increased Medicare Advantage costs, higher drug utilization, and lower consumer spending expectations affecting retail operations. Added to their acquisition binge of Signify Health and Oak Street Health, which together totaled $18.6 billion, their earnings per share projections for 2024 fell from $9 to a range of $8.50 to $8.70. Timing was not disclosed for the 5,000-person reduction among corporate staff. It is not known whether this will affect Aetna and CVS Caremark (pharmacy benefit). CVS has 300,000 employees (75% full time) including part and full-time retail workers. They are also reducing corporate travel, plus the use of consultants and vendors. (CVS is known to have extremely low contractor rates already.) The restructuring is projected to save $700 to $800 million next year, but cold comfort to the 5,000 who won’t be there. FierceHealthcare. We’ll see.

One of those CVS purchases, Signify Health, is moving forward with an in-home option for evaluating kidney function as part of in-home exams of Medicare Advantage members. This evaluation will include urinalysis and estimated glomerular filtration rate testing which are relatively simple and cost-effective to administer in-home. It fits within their in-home exam protocols and will support early detection and diagnosis of kidney disease plus management of those with chronic kidney disease for earlier and better treatment. End-stage renal disease (ESRD) costs $37.3 billion to Medicare. FierceHealthcare

Going far, far East to Indonesia, virtual health provider Halodoc scored $100 million in a Series D funding round. Lead investor was Astra International with Openspace and Novo Holdings. This brings their total funding to $245 million. Halodoc provides online and app-based health services for a claimed 20 million active platform users. Services include telehealth, medicine ordering, lab tests, and doctor appointment booking. They also manage third-party health insurance purchase and at-home health testing. Their network includes more than 20,000 medical practitioners, 3,300 hospitals, and 4,900 pharmacies. On the website, there are a wide variety of services, including wellness. Unfortunately, to read it, you’ll have to know Indonesian (Malay)–and there are some pictures of intriguing recipes there! Mobihealthnews

Contrast this with an exceedingly modest raise by a new Boston/Tel Aviv medication management company, FeelBetter. Their $5.9 million unlettered raise was led by Firstime Ventures and Shoni Health Ventures, with participation from Random Forest VC, The Group Ventures, and previous investor Triventures for a total of $8 million. FeelBetter uses AI tools to create what they call Pharmaco-Clinical Intelligence to identify patients at risk and deliver insights on gaps in care to personalize medication management to change the risks of polypharmacy. Release, Mobihealthnews. They also issued a study on how FeelBetter could be used to effectively risk stratify emergency department use and hospitalizations among patients 65+ with multiple chronic conditions and complex medication regimens to avoid the 10-30% of hospitalizations that include medication issues. Release

No week seems to pass by without a data breach of some sort, but it’s unusual when Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) are attached to it. A contractor to the Medicare program, Maximus Federal Services, Inc. (Maximus), used a vendor, Progress Software, and their MOVEit Transfer software, which is a popular file transfer software for transmitting sensitive data. There was a vulnerability in this software that had previously been exploited by Russian ransomwareistes CLOP; Johns Hopkins is currently being sued over its breach [TTA 19 July]. Maximus detected the unusual activity, an outside entity copying files, from 27 to 31 May. CMS is reporting that about 612,000 Medicare beneficiaries may have been affected by the breach, which may have exposed personally identifiable information (PII) and/or protected health information (PHI). CMS and Maximus are notifying the beneficiaries this week and offering 24 months of free credit monitoring service. CMS release, Federal News Network, Progress page, Deep Instinct backgrounder on MOVEit’s zero-day vulnerability

FTC, HHS OCR scrutiny tightens on third-party ad trackers, sends letter to 130 hospitals and telehealth providers

If you’ve checked on your legal department, they may resemble Pepper (left). Hospitals and telehealth companies have been put on notice by letter agencies HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) that transmitting personal health information–not just protected health information (PHI) covered by HIPAA–to third parties via ad trackers like Meta Pixel is now forbidden, verboten, not permitted. In the joint statement by OCR and FTC, hospitals, providers, and telehealth providers were explicitly told that use of these online trackers is being equated with violations of consumer privacy. Their release specified “sensitive information” such as health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. Hospitals and telehealth companies also cannot plead ignorance of what their developers did, as the responsibility is being put squarely on them to monitor the data going to third parties out of websites and apps.

“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said. At OCR, which historically had its hands full with HIPAA violations and data breaches, the scope has broadened. “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.” Both HHS and FTC can take action without the time-consuming legal actions that DOJ must undertake.

True to FTC’s renewed use of the 2009 Health Breach Notification Rule, the letter sent to 130 hospital systems and telehealth providers came down hard on anything that could be interpreted as personal health information. Even for health organizations not covered by HIPAA, the letter is explicit on their obligation to protect against disclosure to third parties and to monitor the flow to third parties even if not used for marketing. Without explicit consumer authorization, it can “violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.” Previous TTA coverage on third-party trackers and FTC actions here. Health IT Security
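As an added illustration of the monitoring obligation described above (this is example code, not from TTA, OCR or the FTC), the Python audit below parses a page’s HTML and lists every script, image or iframe loaded from a host other than the hospital’s own, labelling the well-known tracker hosts and spotting an inline Meta Pixel bootstrap. The sample appointment page, the hospital hostname and the tracker host list are constructed for this example; the host list is illustrative, not an authoritative catalogue.

```python
"""Audit an HTML page for third-party loads and known ad/analytics trackers."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker hosts (assumption: not an exhaustive or official list).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel beacon",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}


class _TagCollector(HTMLParser):
    """Collects external resource URLs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.urls = []            # (tag, src) for script/img/iframe with a src
        self.inline_scripts = []  # full text of each inline script
        self._buf = None          # accumulates text while inside an inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append((tag, a["src"]))
        elif tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def audit_page(html, first_party_host):
    """Return findings for every resource fetched from a host other than
    first_party_host, plus tracker bootstraps found in inline scripts."""
    p = _TagCollector()
    p.feed(html)
    findings = []
    for tag, url in p.urls:
        host = urlparse(url).hostname
        if host is None or host == first_party_host:
            continue  # relative path or first-party resource: no egress
        findings.append({"tag": tag, "host": host,
                         "label": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})
    for js in p.inline_scripts:
        labels = {lbl for host, lbl in KNOWN_TRACKER_HOSTS.items() if host in js}
        if "fbq(" in js:  # the Meta Pixel bootstrap call
            labels.add("Meta Pixel")
        for lbl in sorted(labels):
            findings.append({"tag": "inline", "host": "(inline)", "label": lbl})
    return findings


# Constructed sample page for a hypothetical hospital site (placeholder ids).
SAMPLE_PAGE = """<html><head>
<script src="https://www.example-hospital.org/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script>
  /* simplified Meta Pixel bootstrap, constructed for this example */
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView" width="1" height="1"/>
<img src="/images/logo.png"/>
<form action="/schedule-visit" method="post"><input name="condition"></form>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, "www.example-hospital.org"):
        print(f"{f['tag']:7s} {f['host']:28s} {f['label']}")
```

Run against a page with a symptom-checker or appointment form, every line of output is a host that receives at least the page URL and referrer, which is exactly the “where an individual seeks medical treatment” data the joint statement names; a static check like this is a starting point, not a substitute for watching live network egress from the site and its apps.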

Between the DOJ and FTC alone, with actions on ad trackers and changes to antitrust guidelines, they have made the spring and summer of 2023 a most interesting and busy one for hospital and healthcare company legal departments. It’s even more amazing that given this background and on notice, Amazon just keeps flouting basic regulations about health information usage, such as for Amazon Clinic–which to date has not rolled out. TTA 27 June

‘KillNet’ Russian hacktivist group targeting US, UK health info in Ukraine revenge: HHS HC3 report

Warnings about DDoS (distributed denial of service) ramped up at the end of last year–only three weeks ago. Here’s one reason why. “KillNet” is a pro-Russian hacktivist (hackers who advance a cause) group that recently claimed responsibility for DDoS attacks as payback for US and UK military support of Ukraine. A senior member of KillNet with the nom de guerre Killmilk has threatened the US in general “with the sale of the health and personal data of the American people because of the Ukraine policy of the US Congress”.

The US Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3)’s Analyst Note (link to PDF) gave two examples of KillNet claims:

  • A “US-based healthcare organization that supports members of the US military and claimed to possess a large amount of user data from that organization”
  • Hacking threats against the NHS, specifically ventilators in hospitals and the Ministry of Health. This was in reaction to the May 2022 arrest of a 23-year-old alleged KillNet member accused of being connected to attacks on Romanian government websites. KillNet demanded his release in return for not attacking. Daily Mail  

Other institutions are hardly exempt. In the UK, KillNet DDoS attacks in November reportedly affected Bankers Automated Clearing Service (BACS), the London Stock Exchange, and the official website of the Prince of Wales. Computer Weekly

DDoS attacks are their leading weapon. KillNet uses publicly available DDoS scripts and IP stressers for most of its operations although it has its own. Before aligning with Russian state interests, it was a hacking-for-hire operation available for $1,350 per month, including a single botnet with a capacity of 500GB per second and 15 computers. This Editor noted previously that DDoS attacks may be a convenient cover or smokescreen for other cybercrime activity. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks may be taking place. [TTA 22 Dec 22].

This updates an earlier Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Advisory (CSA) jointly issued by the US, UK, Australia, and New Zealand (the Five Eyes group), that broadly assessed multiple threats from Russian state organizations such as the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR), as well as cybercrime groups like KillNet which have aligned themselves for the duration with Russia. KillNet has grown over the past year and now has subgroups organized under Cyber Special Forces of the Russian Federation and LEGION 2.0. SOC Radar

The best defense is a good offense. HC3’s advice on preparation to mitigate a DDoS threat includes enabling web application firewalls to mitigate application-level DDoS attacks and implementing a multi-content delivery network (CDN) solution to minimize the threat of DDoS attacks by distributing and balancing web traffic across a network. The HC3 Analyst Note is heavily footnoted with other sources for additional incidents. SC Media, Cybernews
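An added example, not from HC3 or its Analyst Note, of two points above: a rate check over web server access logs that flags a flooding source, and, because the Editor notes a flood can be a smokescreen, a second pass that lists low-volume clients which touched sensitive paths during the same window. The log lines, the addresses (RFC 5737 test ranges), the path list and the thresholds are all constructed for this example; a WAF or CDN does this at scale, but seeing the logic on a few lines shows what the alert actually means.

```python
"""Flag flood sources in access logs, then look for quiet activity under the flood."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format: client, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields a rate check needs, or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "epoch": datetime.strptime(m["ts"], TS_FMT).timestamp(),
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyze(lines, window_s=10, flood_threshold=100, quiet_max=5,
            sensitive_prefixes=("/admin", "/login", "/api/export")):
    """flood_sources: ip -> peak requests in any window_s-second window where the
    count reached flood_threshold. quiet_sensitive: (ip, path) for clients that
    made at most quiet_max requests in a flood window but hit a sensitive path."""
    per_window = defaultdict(Counter)  # window index -> Counter(ip -> requests)
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = int(rec["epoch"] // window_s)
        per_window[w][rec["ip"]] += 1
        events.append((w, rec["ip"], rec["path"]))

    flood_sources, flood_windows = {}, set()
    for w, counts in per_window.items():
        for ip, n in counts.items():
            if n >= flood_threshold:
                flood_windows.add(w)
                flood_sources[ip] = max(n, flood_sources.get(ip, 0))

    quiet_sensitive = []
    for w, ip, path in events:
        if (w in flood_windows and per_window[w][ip] <= quiet_max
                and path.startswith(sensitive_prefixes)):
            quiet_sensitive.append((ip, path))
    return {"flood_sources": flood_sources, "quiet_sensitive": quiet_sensitive}


def _line(ip, second, path, status=200):
    """Build one constructed combined-format log line at 10:00:SS on 15 Dec 2022."""
    return (f'{ip} - - [15/Dec/2022:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one flooding source, one normal client, and one low-volume
# client probing admin and export paths during the same ten seconds.
SAMPLE_LINES = (
    [_line("203.0.113.7", i % 10, "/", 503) for i in range(150)]
    + [_line("198.51.100.4", s, p)
       for s, p in ((1, "/"), (4, "/appointments"), (8, "/contact"))]
    + [_line("192.0.2.9", 3, "/admin/reports", 403),
       _line("192.0.2.9", 7, "/api/export?all=1")]
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    print("flood sources:", result["flood_sources"])
    print("quiet clients on sensitive paths during flood:", result["quiet_sensitive"])
```

The second list is the one worth a human look while the flood is being absorbed upstream: a single client that makes two requests to an export endpoint is invisible in a per-IP rate chart, which is the point the Editor made about DDoS as cover.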

Wednesday news roundup: Oracle scrutinizing outside vendors, cloud change coming for Cerner EHRs, audio-only telehealth can continue after PHE–HHS, Proximie connected surgery raises $80M (UK)

Oracle moving quickly to change Cerner’s outside vendors to Oracle products and move their EHRs to Oracle cloud services. Will this fly with health systems and providers? The change that will resonate most with current Cerner EHR users is Oracle’s immediate move to replace Cerner’s current third-party vendors with Oracle services and technology. So if your Cerner EHR has something you like but it comes from a third-party vendor, enjoy it while you can. Do expect that Oracle will be selling other products like Enterprise Resource Planning Cloud, administrative systems, and supply chain into providers and health systems–hard. From the earnings call, CEO Safra Catz: “We remain confident in our ability to grow Cerner’s top line and bottom line faster than they were able to do so on their own as these changes are implemented.”

The major and quickest move specified in yesterday’s Oracle earnings call (transcript) will be to move Cerner to OCI–Oracle Cloud Infrastructure. Further down in Catz’s remarks, Cerner is expected to account for 20 points of their cloud growth in Q1 2023 (starting 1 June 2022). When Cerner has added $15.8 billion of debt to the balance sheets, it’s to be expected. HISTalk, Becker’s

What happens to audio-only telehealth at the end of the pandemic Public Health Emergency (PHE)? HHS has just issued guidance that will permit telehealth, including audio-only services, to continue. According to the HHS release, “HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.” There are specific requirements such as how the HIPAA Security Rule applies to electronic media and electronic protected health information (ePHI). The full guidance is here.

UK surgical connectivity platform Proximie raises $80 million. London-based Proximie, a system that connects surgeries with pre-operative patient information, collaborative tools, and post-operative content distribution, completed a Series C with participation from Emerson Collective (the impact investor founded by Laurene Powell Jobs), SoftBank Vision Fund 2, British Patient Capital, Mubadala Investment Company, and the Minderoo Foundation, plus previous investors. The raise is unusually large (in this Editor’s opinion) for the UK, particularly at this uncertain time. Proximie has supported over 13,000 surgeries in 100 countries, contracts with over 35 major medical device companies such as Stryker and Abbott, and has been used in 500 hospitals across 50 countries. The company is a partner with Teladoc and Vodafone Business. Release.

Weekend short takes: ATA, APA call for permanent in-person evaluation waiver, mental healthtech raised $5.5B in 2021, Allscripts sells hospital/large physician EHRs to Harris Group for $700M, Cognizant-Microsoft extends telehealth-RPM

72 groups asking for permanent telehealth in-person evaluation waiver prior to prescribing controlled substances. The American Telemedicine Association (ATA), ATA Action, and the American Psychiatric Association (APA) plus 69 other healthcare groups have written the Drug Enforcement Administration (DEA) and the Department of Health and Human Services (HHS) to make the temporary waiver of in-person patient evaluation prior to prescribing controlled substances permanent, and to remove restrictions on patient location. The rationale is to increase access to care, specifically for mental health and substance use disorder treatment. Currently, under the soon-to-be ending COVID-19 public health emergency (PHE), mental health providers can prescribe controlled substances remotely through a telemedicine consult. The letter points out that studies confirm efficacy, clinician and dispensing would remain under current restrictions, and that DEA and HHS can work together to prevent drug diversion. Other signatories include Babylon Health, Teladoc, Zipnosis, One Medical, and Northwell Health. ATA release, ATA/APA letter.

Mental healthtech’s banner 2021 totaled $5.5 billion across 324 international deals. Industry researcher CB Insights found that:

  • Investment was up 139% versus 2020
  • Exits were also up 87% (43 versus 23). Of the 43, there were 35 M&As, five SPACs and three IPOs.
  • US companies dominated in mental health, raising $4.5 billion; EU $651 million, and Asia $289 million
  • Mega-rounds ($100 million+) totaled 15, all US and in Q4, versus four in 2020.

State of Mental Health Tech 2021 Report free download available on the CB Insights page. Mobihealthnews

Allscripts is unloading its declining hospital and large physician practice EHRs to Ottawa-based Harris Group for $700 million in a cash plus contingent deal. The Allscripts EHRs in the transaction are Sunrise, Paragon, Allscripts TouchWorks, Allscripts Opal, and dbMotion. Although the unit generated gross revenue of $928 million in 2021, its revenue was expected to decline 3-4% and EBITDA to shrink 10-15% in 2022. Allscripts is retaining Veradigm, which is growing 6-7% annually, and stated that expected after-tax proceeds of $600 million will be used for share repurchase and potential M&A related to Veradigm. Harris Group acquires and manages computer systems companies in North America, Europe, Asia, and Australia covering four sectors: public, private, healthcare, and utilities. It is owned by Toronto-based Constellation Software. HISTalk reports on the Allscripts investor call, Constellation release

Cognizant announced a collaboration with Microsoft Cloud for Healthcare to extend telehealth and remote patient monitoring (RPM) capabilities for their offerings combining remote patient monitoring and virtual health, utilizing connected devices such as smartwatches, blood pressure monitors, and glucose meters to collect and communicate patient health data to providers. Cognizant release

CMS clarifies telehealth policy expansion for Medicare in COVID-19 health emergency, including non-HIPAA compliant platforms (US)

Today (17 March), the Centers for Medicare and Medicaid Services (CMS) issued a Fact Sheet and FAQs explaining how the expanded telehealth provisions under the Coronavirus Preparedness and Response Supplemental Appropriations Act and the temporary 1135 waiver will work. The main change is to (again) temporarily expand real-time audio/video telehealth consults in all areas of the country and in all settings. The intent is to maintain routine care of beneficiaries (patients), curb community spread of the virus through travel and in offices, limit spread to healthcare providers, and keep vulnerable beneficiaries, or those with mild symptoms, at home. Usage is not limited to those who suspect or already are ill with COVID-19.

Previously, Medicare covered telehealth only for patients located in designated rural areas, and only when the patient was at a designated medical facility (physician office, skilled nursing facility, hospital) serving as the originating site for the virtual visit.

The key features of the 1135 telehealth waiver are (starting 6 March):

  • Interactive, real-time audio/video consults between a provider at a ‘distant site’ anywhere in the US and the beneficiary (patient) at home will now be reimbursed. The patient will not be required to go to a designated medical facility.
  • Providers include physicians and certain non-physician practitioners such as nurse practitioners, physician assistants and certified nurse-midwives. Other providers such as licensed clinical social workers (LCSW) and nutritionists may furnish services within their scope of practice and consistent with Medicare benefit rules.
  • Surprisingly, there is ‘enforcement discretion’ on the requirement in the Act that the patient have a prior (established) relationship with the provider: HHS will not conduct audits to ensure that such a relationship existed for claims submitted during the emergency. (FAQ #7)
  • Even more surprisingly, the requirement that the audio/video platform be HIPAA-compliant, as enforced by the HHS Office for Civil Rights (OCR), is also being waived for the duration (enforcement discretion again), which enables providers to use Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype–but not public-facing platforms such as Facebook Live, Twitch, or TikTok. Telephones with audio and video capability (smartphones) may be used, as explicitly stated in the waiver under Section 1135(b) of the Social Security Act. (FAQ #8) OCR’s notice also encourages providers to tell patients that these consumer apps may introduce privacy risks and to enable any available encryption and privacy settings. More information on HHS’ emergency preparedness page and OCR’s Notification of Enforcement Discretion.
  • On reimbursement, “Medicare coinsurance and deductible would generally apply to these services. However, the HHS Office of Inspector General (OIG) is providing flexibility for healthcare providers to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs.”

The concerns for primary care practices, of course, are readiness for real-time audio/video consults, largely addressed by permitting smartphones, Skype, and FaceTime to be used, and which services (routine care and COVID-19 diagnosis) will be offered to patients.

This significant expansion will remain in place until the end of the public health emergency (PHE) as determined by the Secretary of HHS.

In 2019, CMS also expanded telehealth in certain areas, such as Virtual Check-Ins, which are short (5-10 minute) patient-initiated communications with a healthcare practitioner, by phone or by the patient sending video or images. This could be ideal for wound care, where this Editor has observed, in one of her former companies, how old phones are used to send wound images to practices for accurate ongoing evaluation via special software. E-Visits use online patient portals for asynchronous, non-face-to-face communications initiated by the patient. Both require an established physician-patient relationship. Further details on both are in the Fact Sheet, the FAQs, and the HHS Emergency Preparedness page with links.

The American Medical Association issued a statement today approving of the policy changes, and encouraged private payers to also cover telehealth. The American Telemedicine Association didn’t expand upon its 5 March statement praising the passage of the Act but advocated for increased cross-state permission for telehealth consults.

Additional information at HISTalk today and Becker’s Hospital Review.

Google’s ‘Project Nightingale’–a de facto breach of 10 million health records, or a bridge too far?

Breaking News. Has this finally blown the lid off Google’s quest for data on everyone? This week’s uncovering, whistleblowing, and general backlash on Google’s agreement with Ascension Health, the largest non-profit health system in the US and the largest Catholic health system on the Planet Earth, revealed by the Wall Street Journal (paywalled) has put a bright light exactly where Google (and Apple, Facebook, and Amazon), do not want it.

Why do these giants want your health data? It’s all about where it can be used and sold. For instance, it can be used in research studies. It can be sold for use in EHR integration. But their services and predictive data are ‘where it’s at’. With enough accumulated data on both your health records and your personal life (e.g. not enough exercise, food consumption), their AI and machine learning modeling can predict your health progression (or deterioration), along with probable diagnoses, outcomes, treatment options, and your cost curve. Advertising clicks and merchandising products (baby monitors, PERS, exercise equipment) are only the beginning–health systems and insurers are the main chance. In a worst-case misuse scenario, the data modeling can make you look like a liability to an employer or an insurer, making you both unemployable and expensive or impossible to insure in a private insurance system.

In Google’s latest, their Project Nightingale business associate agreement (BAA) with Ascension Health, permissible under HIPAA, apparently allowed them to access in the initial phase at least 10 million identified health records, which were transmitted to Google without patient or physician consent or knowledge, including patient names, dates of birth, lab results, diagnoses, and hospital records. This transfer and the Google agreement were announced by Ascension on 11 November. Ultimately, 50 million records are planned to be transferred from Ascension facilities in 21 states. According to a whistleblower on the project quoted in The Guardian, there are real concerns about the individuals handling identified data, the depth of the records, how the data is being handled, and how Google will be using it. Ascension doesn’t seem to share that concern, stating that their goal is to “optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care”, which is a bit of word salad that leads right to Google’s Cloud and G Suite capabilities.

This was enough to kick off an inquiry by Health and Human Services (HHS). A spokesperson confirmed to Healthcare Dive that HHS’ Office for Civil Rights is opening an investigation into Project Nightingale. The agency “would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA,” OCR Director Roger Severino said in an emailed statement.

Project Nightingale cannot help but aggravate existing antitrust concerns by Congress and state attorneys general on these companies and their safeguards on privacy. An example is the pushback around Google’s $2.1 bn acquisition of Fitbit, which one observer dubbed ‘extraordinary’ given Fitbit’s recent business challenges, and data analytics company Looker. DOJ’s antitrust division has been looking into how Google’s personalized advertising transactions work and increasingly there are calls from both ends of the US political spectrum to ‘break them up.’ Yahoo News

Google and Ascension Health may very well be the ‘bridge too far’ that curbs the relentless and largely hidden appetite for personal information of Google, Amazon, Apple, and Facebook, an appetite that is making their own consumers very, very nervous. Transparency, which seems to be a theme in many of these articles, isn’t a solution. Scrutiny, oversight with teeth, and restrictions are.

Also STAT News, The Verge on Google’s real ambitions in healthcare, and a tart take on Google’s recent lack of success with acquisitions in ZDNet, ‘Why everything Google touches turns to garbage’. Healthcare IT News tries to be reassuring, but the devil may be in Google’s tools not being compliant with HIPAA standards. Further down in that article, Readers will see that under HIPAA a business associate agreement permits the business associate (Google) to access and use the covered entity’s (Ascension’s) PHI only to carry out functions on the covered entity’s behalf, not for the business associate’s own independent use or purposes.