PIP IM/IT Changes Demystified
In November 2005, the Honorable Mr Tony Abbott, Minister for Health and Ageing, announced changes to the Information Management/Information Technology (IM/IT) component of the Practice Incentive Program (PIP).
Despite the number of incentive tiers dropping from three to two, the ministerial press release warned that the changes would require lead time for GPs to organise their practices to meet the new Tier requirements.
When general practices received the details of the changes from Medicare Australia in August, the reason for the warning became apparent. While the overarching tier structure had been simplified, the specific requirements of each new tier were significantly more substantial than their predecessors.
Practices have identified several issues with the new requirements and the way in which they have been imposed on general practice:
Many GPs have cited ambiguous and contradictory passages in the supplied documentation as a cause of confusion and frustration. As many people have publicly reported, conflicting answers from Medicare Australia to relatively straightforward enquiries have compounded these problems.
Despite being announced in November 2005, there is still the perception that the PIP changes have been imposed with unrealistic timeframes. Many point to the short time between the information packs reaching practices and the compliance deadline as being unreasonable, especially given the significant additional effort practices will need to expend to comply with the new requirements.
Practice Software And Enforcement
Most popular software products can't easily or accurately extract the information that compliance relies upon. Though this may change with future software updates, most practices will not be able to easily extract the number of active patients, i.e. the number of patients that have attended the practice three or more times in the past two years. Further, at least one popular clinical package stores allergy information in a manner that makes it difficult to check compliance with the Tier 1 allergy requirement.
Despite these issues, the new requirements are based on technically sound principles and shouldn't be dismissed as needless bureaucratic interference. Actively engaging with these requirements can yield many tangible benefits including:
Being a financially driven incentive program, the prospect of maintaining or increasing their existing IM/IT payments will be the primary motivating factor for all practices. As demonstrated in this article, compliance doesn't have to be costly or time consuming. With a potential combined payment of $7 per SWPE per annum, the financial incentives available are reasonable for most practices and should outweigh any compliance costs. It could be acknowledged, however, that smaller practices with minimal levels of computerisation may not find the incentive enough to justify the substantial time investment required to comply.
Improved Risk Management
Most malpractice stories report problems relating to poor clinical records management. By complying with the new PIP and accreditation requirements and making better use of their existing computer systems, practices should be in a much better position to minimise medico-legal risk as well as improve patient care.
The core of the previous IM/IT requirements dates back to 1999; however, the next IM/IT revision won't take 7 years to materialise. Compliance with the new requirements will improve a practice's preparedness for future computer-related challenges.
Tier 1 - Basic
To be eligible for Tier 1, practices must:
- Use electronic patient records to record allergies/sensitivities.
- Implement various IM/IT security measures as outlined in the Security Self Assessment tool (SSA).
The recording of allergies, including a positive statement that there are no known allergies if appropriate, is now a requirement for both new accreditation standards and the IM/IT PIP changes. The recording of allergies provides a means (with most software packages) to automatically identify potential risks to patients when prescribing.
IM/IT Security Measures
Compliance with this component of Tier 1 is far more interesting. The SSA lists 27 sub-requirements which Medicare Australia claims may be used to assess compliance at audit. These requirements are heavily based on the comprehensive GPCG Security Guidelines (GPCGSG) created prior to the group's defunding.
Among other things, adhering to the SSA essentially requires a Computer Security Policies and Procedures Manual (CSPPM) to be created. Fortunately the GPCG have a skeleton template that should facilitate this documentation process.
Both the GPCGSG and CSPPM template are available from the GPCG website or directly from the following links:
It is recommended that both of these documents be available while considering the SSA. Please note that the section numbering in the CSPPM doesn't directly match that of the SSA provided by Medicare Australia. Further, the CSPPM contains additional sections that practices are not required to complete to comply with the new requirements.
The following section of this article provides specific guidance to assist practices to comply with the requirements outlined in the SSA.
1. Practice Computer Security Coordinator
1.1 Practice IT security coordinator nominated.
For most practices, this requirement will simply formalise the position of a person already acting in this role.
In addition to an IT coordinator within the practice, increasingly practices will have to engage qualified IT personnel or consultants on a part time, or even full time basis for larger sites. Having a practitioner with an interest in IT may simply not be enough and issues such as continuity of service need to be considered.
1.2 Practice IT security coordinator's role description written.
A few generalised dot points should be all that is required to encapsulate the role of the IT security coordinator.
1.3 IT security training for coordinator provided.
While the concepts of IT security are easily understood, it is unrealistic to expect a staff member without formal IT education or professional work experience to make informed IT security decisions. To that end, training is likely to be ineffective and qualified IT assistance should be engaged for matters relating to networks and the secure transmission of clinical data.
1.4 Security coordinator's role regularly reviewed.
This task could be performed every three months and after any major staff changes.
2. Practice IT security policies and procedures
2.1 Person appointed to document security policies and procedures.
The practice or nominated IT security coordinator will need to appoint someone for this task.
2.2 IT security policies and procedures documented.
As indicated earlier, the CSPPM template available from the GPCG website is a good starting point for this document. Once completed, this document should form part of the wider practice systems manual.
2.3 IT security policies and procedures documentation regularly reviewed.
This task could be performed every three months and after any significant IT system change.
2.4 Staff trained in IT security policies and procedures.
As with requirement 1.3, training should be aimed at the conceptual level with the specifics left to IT professionals.
3. Access Control
3.1 Staff policy developed on levels of electronic access to data and systems.
All modern practice software allows different permission levels to be assigned to different users. Before attempting this in your software, simply document the access level assigned to each user.
3.2 Staff have created personal passwords to access appropriate level.
After assigning and documenting these access levels, configure these in your practice software. Consult your software vendor if you need clarification on this procedure.
3.3 Passwords are kept secure.
In other words, passwords should be non-trivial, only known by their owner and committed to memory. Ideally staff will be required to change their passwords at regular intervals. An overarching administrator password for the practice principal should also be established.
4. Disaster Recovery Plan
4.1 Disaster recovery plan developed.
Practice staff are used to dealing with imperfect IT systems and many already have contingency plans in place to deal with downtime. Common scenarios to consider include:
- Front desk computers down
- Clinician's computer down
- Server down
- Internet unavailable
- Data corruption
The most important piece of information in any disaster recovery plan is the contact details of qualified help if the disaster deviates from or exceeds the recovery plan.
4.2 Disaster recovery plan tested.
Testing the above scenarios in a controlled environment is essential if the recovery plan is to be relied on. In most cases it should be easy to simulate the disaster for testing purposes.
4.3 Recovery plan regularly updated.
Recovery plans need to be reviewed with the installation of new hardware, software, backup systems or Internet connections.
5. Consulting Room And Front Desk Security
5.1 Practice aware of need to maintain appropriate confidentiality of information on computer screens.
Staff should simply be reminded that their computer terminals are the gateways to large amounts of sensitive information. Screen savers are now an accreditation requirement and their presence shouldn't be unfamiliar to practice staff.
5.2 Screensavers or other automated privacy protection device enabled.
In addition to having screensavers configured to engage after short periods of inactivity, a key combination or hot corner to manually activate the screen saver should also be configured.
Wearable hardware devices that activate and disable screensavers based on the user's proximity can also be deployed and can make compliance less invasive to a practice staff member's workflow.
6.1 Back-ups of data performed at a frequency consistent with the disaster recovery plan.
The concept of backing up data should be well understood and procedures should already be in place in all computerised practices.
6.2 Back-ups of data stored offsite.
A current copy of the important practice data should be taken offsite at the end of each day. The security of this data needs to be ensured. Ideally this will be achieved using both physical and technical methods (i.e. encryption).
6.3 Back-up procedure regularly tested.
Simulating data corruption or loss is the best way to test a backup procedure. Test restorations and verification should be performed at least each month. Other simple checks such as inspecting the size of the backed-up data file should be performed daily.
6.4 Back-up procedure has been included in a documented disaster recovery plan.
The back-up procedure needs to be documented thoroughly enough to ensure that any practice staff member can safely complete the procedure.
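The daily size check and the monthly test restoration described under 6.3 can be scripted; the following Python sketch is an added example, not part of the original article or of any Medicare Australia or GPCG material. The function names, the zip archive format and the 10% shrink threshold are assumptions, and a manifest of SHA-256 hashes recorded at backup time is used as the verification step.

```python
# Added illustration: function names and the 10% threshold are assumptions.
import hashlib
import tempfile
import zipfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so a large clinical database does not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_path):
    """Zip source_dir and return a manifest {relative path: sha256} taken at backup time."""
    source_dir = Path(source_dir)
    manifest = {}
    with zipfile.ZipFile(backup_path, "w", zipfile.ZIP_DEFLATED) as archive:
        for item in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            relative = item.relative_to(source_dir).as_posix()
            archive.write(item, relative)
            manifest[relative] = sha256_of(item)
    return manifest


def size_check(backup_path, previous_size, max_shrink=0.10):
    """Daily check: fail on an empty file or one that shrank by more than max_shrink."""
    size = Path(backup_path).stat().st_size
    return size > 0 and size >= previous_size * (1 - max_shrink)


def restore_check(backup_path, manifest):
    """Monthly check: restore to a scratch directory; return paths missing or altered."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with zipfile.ZipFile(backup_path) as archive:
                archive.extractall(scratch)
        except (zipfile.BadZipFile, zlib.error, OSError):
            return sorted(manifest)  # archive unreadable: nothing can be restored
        for relative, expected in manifest.items():
            restored = Path(scratch) / relative
            if not restored.is_file() or sha256_of(restored) != expected:
                problems.append(relative)
    return sorted(problems)
```

Keeping the manifest with the backup log rather than comparing against live data matters because the practice database changes during the day, so a comparison with the live files would report false differences.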
7.1 Anti-viral software installed on all computers.
Practices are advised to consult with their IT support organisation and practice software vendor to assist in selecting and installing anti-virus software.
Despite a lack of credible virus threats, Mac and Linux users are not exempt from this requirement. Fortunately free solutions exist for both platforms.
7.2 Automatic updating of virus definitions enabled.
Due to the vast number and frequency of malicious programs released, virus software needs to be frequently updated to ensure it can detect and remove new viruses.
While this process can be performed manually, all modern virus scanning software has an automatic update feature to download new definitions. There is little downside to enabling this feature and a non-technical user should be able to configure this.
7.3 Staff trained in anti-virus measures as documented in policies and procedures manual.
Staff need to know how to respond to virus warnings and be able to check logs to see if testing is ongoing and working.
Practices should note that virus software has the ability to delete data from a system, so caution needs to be exercised when handling any detected viruses.
8.1 Hardware and/or software firewalls installed.
Most modern broadband modems and routers have a basic firewall built-in. These devices are often factory configured with security settings appropriate for immediate use in a typical practice. Despite this, the importance of having your hardware firewall correctly configured cannot be overstated and professional IT assistance should be obtained if there are any doubts.
All modern operating systems have built-in software firewalls that can be established to complement the overarching hardware firewall. Practices should note, however, that incorrectly configuring a software firewall can have negative effects on your practice software.
8.2 Hardware and/or software firewalls tested.
As with their safe establishment, comprehensive firewall testing is not a trivial exercise. As such, it is unrealistic to expect a typical practice member to be able to meet this requirement and qualified IT assistance should be engaged.
9. System/Network Maintenance
9.1 Computer hardware and software maintained in optimal condition.
All popular operating systems allow security patches and other software updates to be downloaded easily. Unless your IT support organisation advises differently, configure your software to regularly check for and download updates.
The physical security of your computer hardware (especially your server) should be considered. At the very least, a specialised computer security cable should be attached to your server to minimise the chance of theft.
10. Secure Electronic Communication
10.1 Encryption used for the electronic transfer of patient information and/or clinical data.
This requirement is designed to highlight the dangers of using unencrypted (typical) email for the transport of patient information. While we expect fax and the postal system will come under scrutiny in future PIP IM/IT reviews, this requirement doesn't seek to prevent your practice from using these traditional communication methods.
Tier 2 - Enhanced
To be eligible for Tier 2, practices must comply with the requirements of Tier 1 and ensure that two key types of clinical information are recorded electronically for the majority of active patients:
- Major diagnoses
- Current medications
Medicare Australia leaves the clinician to decide on the definition of both of these terms.
Compliance with Tier 2 is worth an additional $3 per SWPE per annum.
For practices that currently use their clinical software for prescribing only, compliance with Tier 2 is likely to take a concerted effort over many months. According to staff on the Medicare Australia PIP enquiry line, these practices will need to identify their active patients, and then retrospectively enter major diagnoses (and current medications if this isn't already stored) into their clinical software.
Dr Paul Mara, managing director of GPA said that practices should develop a formal plan to ensure records are updated as patients present.
Particular attention to the patient health summary including documentation of allergies, major risk factors, past history and current problems. As the Medicare Australia documentation indicates, it is important to record no known allergies and not to have this as an assumption in the absence of recorded data.
Increasingly we are noticing that medication lists are out of date. These should be reviewed as part of the normal consultation process.
Practices that have been more proactive with their electronic record keeping are likely to be compliant already and need do little more than tick the yes box on the provided application form.
Compared to the antiquated and modest requirements they replace, the revised IM/IT PIP requirements are likely to have a tangible and immediate impact on the use of computers in general practice.
For large, well computerised practices, the incentives may be adequate and in some cases quite generous. For smaller practices with modest levels of computerisation, the $7 total per SWPE will not go close to meeting the compliance and establishment costs.
The revised IM/IT requirements are appropriate to ensure patient confidentiality and the security of electronic health records. They should allow practices to take full advantage of clinical datasets and improve patient care.
The changes are likely to stimulate the secure messaging market, a positive consequence that should result in safer and more efficient communication of clinical information and ultimately facilitate the interoperability of disparate systems.
On the back of the confusion and criticism surrounding the changes, it's difficult to imagine the IM/IT PIP goal posts being shifted in the near future. Despite this, gradual and more frequent revisions to this incentive would be in the best interest of general practice.
PIP IM/IT 2008 anyone?