Information Technology

URAC Core -- v. 2.1 Proposed Revision -- NEW STANDARD -- Business Continuity


URAC's proposed upgrade to its IT standards includes a second new standard, one devoted exclusively to Business Continuity.  The new standard would read:

The organization implements a business continuity plan for program operations, including information system(s) (electronic and paper) that: (--)
(a) Identifies which systems and processes must be maintained and the effect an outage would have on the organization’s program. (2)
(b) Identifies how business continuity is maintained given various lengths of time information systems are not functioning or accessible; (Wt = 3)
(c) Is tested at least every two years; and (Wt = 3)
(d) Addresses identified areas for improvement. (Wt = 3)

The substantive changes modernize the terminology, with "business continuity" replacing "disaster recovery." The new standard would provide greater detail about what the applicant should do to anticipate interruptions in service. The proposed revision also emphasizes that it applies to both electronic and paper systems, and therefore necessarily will involve people outside of the typical company IT department.

The scoring change is significant, in that there are no mandatory elements in this standard.  While 11 points (the total value of the four elements' weights) is significant, it pales in comparison to the mandatory nature of the current standard. 

URAC Core -- v. 2.1 Proposed Revision -- NEW STANDARD -- Information Confidentiality and Security


As a part of its reworking of the information management standard, now known as "Core 13", URAC proposes a new standard on Information Confidentiality and Security.  It would read:

The organization provides for data confidentiality and security of its information system(s) (electronic and paper) by implementing policies and procedures that address: (--)
(a) Assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of information systems; (3)
(b) Prevention of confidentiality and security breaches; (M)
(c) Detection, containment and correction of confidentiality and security violations. (M)

This is a significantly more detailed standard than the current Core 13 (b): "The organization implements information system(s) (electronic or paper) to collect, maintain, and analyze information necessary for organizational management that. . . provides for data confidentiality and security."  We'll have a much better sense of the practical impact of the changes once the standards are adopted and the new accreditation guide is published, but we can hazard a few guesses even before then.  In the documentation submitted on accreditnet, applicants will need to provide explicit documentation in the form of P&Ps on all three of the elements of this standard (assessment, prevention, and detection-containment-correction).  Additionally, they are likely to be required to submit, either in the application stage or during the onsite review, reports demonstrating that they have engaged in a formal risk assessment process.  Finally, it would not be surprising if any reports addressing security breaches that have happened would be required, most likely during the onsite review.

The scoring changes merely boost the significance of this category of standards, by doubling the number of mandatory standards associated with IT privacy and confidentiality.

URAC Core 13 -- v. 2.1 Proposed Revision


Big changes are afoot regarding Core 13, the Information Management Standard. In the proposed revision, URAC adds some much-needed heft to the standard and separates it into three distinct standards. So, components that are now in Core 13 (confidentiality, security, and disaster recovery) will be split off from Core 13 into two new standards. What will be left is the following:

The organization implements information system(s) (electronic and paper) to collect, maintain, and analyze information necessary for organizational management that: (No wt stem)
(a) Provides for data integrity; (Wt = M)
(b) Includes a plan for storage, maintenance and destruction. (Wt = 2)
(c) Includes a plan for interoperability: (Wt = L)
  (i) Between internal information systems; (--)
  (ii) With external entity information systems. (--)

There's much to talk about here.  First, URAC proposes to make clearer what has long been true but widely misunderstood (see my blog from 12/5/07), that this standard applies to electronic and paper information systems.  By moving this explanation from the interpretive information to the standard itself, URAC is signaling that it really wants to get the attention of applicants:  paper counts, too!   And, it counts not only for storage, maintenance and destruction, but also for data integrity.

What do you mean by data integrity?  Another old issue for URAC applicants, as you can see in my blog from 8/6/06.  Currently, URAC defines this term in the interpretive information accompanying Core 13, but in the revision, URAC proposes to make it a defined term:

The quality or condition of being accurate, complete and valid, and not altered or destroyed in an unauthorized manner.

URAC then takes the relatively unusual step of citing its source: www.ecommercepki.com/cps/glossary.htm

This is a modest change from URAC's current view of "accuracy and traceability."

The other big change here is the addition of a new section on interoperability.  URAC would define the term as meaning:

Ability of two or more systems or components to exchange information and to use the information that has been exchanged.

This is the first of the proposed revisions to carry the new scoring designation of "L". An "L" standard is a "Leading Indicator," a "non-weighted, optional element highlighting effective practices not yet widely adopted in health care." You lose no points for missing such a standard, but, under certain circumstances, you may be able to use your compliance with the standard to distinguish yourself from other URAC-accredited companies. The full URAC explanation of this is at my blog on the topic.

At the 2008 Summit, URAC staff members explained that the applicant will get credit for this standard with merely an approved plan, regardless of the stage of implementation of that plan.

This element is driven by the "Four Cornerstones" for health care improvement of the US Department of Health and Human Services.

The Drumbeat for Consumer-Driven Health


CDH, CDH, CDH.

How often in the last month have you come across yet another article proclaiming the rise of Consumer Driven Healthcare (CDH)? For me, it's been a bunch:

URAC Awards BlueCross Consumer Education Accreditation

Grades to Transform U.S. Healthcare, Secretary Says

Report: IT Necessary for Consumer-Driven Health Plans

And so on.

Unless one is careful about reading these reports, one might conclude that CDH is either already the new dominant mode of healthcare financing, or that it will be soon. Every once in a while, though, a countervailing view pokes through:

Consumer-Driven Health Care is a False Promise

Hmm, talk about a bucket of cold water.

So, what is happening out there in CDH-Land? A lot, as it turns out, but in the context of a lot of uncertainty. Health plans, payers, providers, and regulators are moving frantically toward IT systems that can gather and analyze health data on an increasingly fine-grained level with growing sophistication. Medical management companies are able to drill down and dissect claims, prescription, and other data with increasing speed and subtlety.

But it's not just about IT -- it's also about consumer education. URAC's new Consumer Education and Support (CES) accreditation program is starting to catch on, establishing national standards that will guide managed care companies on how to talk to consumers in the new CDH environment. Government entities, both as regulators and as purchasers, are wading into the CDH arena, too.

All this is happening, though, in the face of the very real possibility that, at the end of the day, most people won't want to direct their healthcare treatment and financing decisions. Some early reports suggest that, given the choice, most folks still don't want to sift through the data to make informed decisions about their payers and providers.

About 6 months ago, I sat down to lunch with a long-time friend of mine, who now is the regional CEO for one of the largest health plans in the nation. I've always admired him for the clarity of his vision, and, after we caught up on family news, I started to pick his brain about trends in healthcare, including CDH. His company, like many of its competitors, is taking a two-track approach, pursuing CDH on one track while sticking with more traditional managed care offerings on the other. After explaining why it makes sense, both in terms of market forces and IT strategy, he explained, "Tom, I give this 2-3 years to shake out. By then we'll know whether consumers really want to get involved in these kinds of choices. I don't know how it will play out, but we'll be ready to move either way, once we can figure this out."

He also explained that the IT investment seems to have other dividends, so even if CDH doesn't pan out, much of the IT investment will turn out to be worth it. This is primarily true because medical management gets better with more sophisticated IT systems, and the industry is just starting to see some serious cost savings and health benefits in upgrading medical management.

So, where does that leave us?

Most of our clients who can are taking the approach my friend's company is: act as though CDH is likely to be a part of the future of U.S. healthcare, and leverage the system improvements so that their benefits last even if CDH goes the way of other fads, like 8-track tapes. Hedging bets is a pretty good strategy, it appears, especially if the cost of doing so is pretty small.

URAC Core 13(a) -- Data Integrity


One of the most frequently misunderstood URAC standards centers around this question: "what is data integrity?"

URAC's Core 13 (a) (in version 5.0) reads:

The organization implements information system(s) (electronic or paper) to collect, maintain, and analyze information necessary for organizational management that: (a) Provides for data integrity. . . .

This is a primary element of a mandatory (5 point) standard, so URAC applicants best not miss it. Yet, many do, at least on the first pass.

So, what does URAC mean by "data integrity"?

NOT SECURITY!

NOT PRIVACY!

Then what?

In a nutshell, "data integrity" means accuracy and trace-ability.

The Program Guide offers this oft-overlooked clarification:

"In this context, “data integrity” means data accuracy and trace-ability.
For example, when an organization pulls up a consumer’s records, what steps has it taken to ensure that it has pulled the correct record, and how accurate is the information in the record? Examples of “providing for data integrity” include (but are not limited to):
Monitoring data entry personnel for accuracy;
Cross-checking databases for consistency;
Using unique identifiers for consumer data; and
Prevention of and checking for duplicate entries."

So, what evidence will URAC reviewers be looking for?

Again, the Program Guide helps: "Samples (2-3) of data integrity audit results, or records of database checks, or documents indicating unique identifiers for consumer data."

I wish I had deep wisdom to offer about how to comply with this standard, but I don't. The simple truth about this subsection is that URAC applicants miss it because they think they know what URAC means by "Data Integrity" without reading the Program Guide.

To repeat: in a nutshell, "data integrity" means accuracy and trace-ability. Security and privacy are dealt with elsewhere in the standard.