One of academia’s greenest groves produced the think-tank phrase, “accountable care organization.” Deliberating in his Dartmouth College office in 2006, Dr. Elliott Fisher spied the future and coined this term, abbreviating it ACO. Fisher heads up a policy institute that studies healthcare’s future—which includes a modern, digital database of patient information. Dan Nash, head of Zurich in North America’s forward-looking National Healthcare Practice, draws a long and logical line between Fisher’s ACO concept and the risk management challenge of patient privacy in an ever-more-cyber society.
“To get to new levels of productivity and efficiency, the healthcare system is abandoning its volume-based approach for a value-based approach,” Nash explains. “There will be a new process for how treatment gets paid for and organized, and that process will start with the entity that’s cutting the check and an ACO.”
In most cases, the payer is an insurance company or a government entity, while the ACO is a hospital or large medical group. The payer informs the ACO of an allowable dollar amount to distribute through the chain of care, which would include the doctor, the nurse, the lab, and so on. “Accurate, accessible patient data—shared along that same chain of care that is sharing the distributed money—will be more necessary than ever,” says Nash. “That raises considerable risk issues.”
The most current guidance and knowledge about reputational risk are available to Nash as a member of the Zurich Commercial Markets unit. That’s fortunate, since the sector he works in can be susceptible to a double dose of reputational exposure. “In some ways, a patient’s medical data is more sensitive than bank account numbers,” says Nash. “There are plenty of cases where divulging that information would cause major harm to a patient’s personal reputation—where it doubles up is in damage to the reputation of whichever hospital allowed the data breach.” And it does happen. During 2011, one well-regarded hospital suffered a breach of the records of 20,000 emergency room patients. The information made its way onto a rogue website, where names, dates, diagnosis codes and charges were all made public.
In his work with customers during this transitional era, Nash makes continual reference to PHI, or protected health information, a legal phrase of recent vintage. You can’t get very far into a discussion of PHI without bumping into HIPAA, the 1996 law that both strengthened privacy protection and, at the same time, began the process of making patient records electronic and therefore easier to share. As might be expected, there is a regular flow of new regulations and updates for the protection of electronic data. “We are currently working closely with our policy holders on mitigation of HIPAA issues, given the very recent omnibus rule changes,” Nash says. One of those updates has to do with a new maximum penalty amount, which according to the U.S. Dept. of Health and Human Services has been raised to $1.5 million—triple the old maximum of $500,000.
Part of the risk management assistance Nash’s team provides lies in specific protocols to be followed by medical practices of all types. “Some of it is a matter of simple discipline, strictly observed,” says Nash, “even down to practices like computer log-off on tight time intervals.” The group conducts a risk evaluation with the customer known as “breach coaching,” which adds a necessary layer to an organization’s standard IT procedures.
Along with its push to inform clients about cybersecurity, Nash’s group points out that medical records are only transitioning to digital at a moderate pace, and that there are still good old-fashioned risks in addition to the new ones. “About 35 percent of losses still happen when patients’ records are transported from the office or hospital to home,” Nash points out. “We are approaching data security with vigilance in every which way—whether it’s a problem with cloud computing or because some folders got left in the backseat of a taxi.”