CommonSpirit Health has launched a national value-based services platform, Population Health Services Organization (PHSO), focused on expanding access to equitable care, improving quality and outcomes and lowering the cost of care.

The PHSO will provide services such as advanced population health analytics, network management, care coordination, data management and analytics, technology infrastructure and reporting, with the focus of helping providers and networks succeed in value-based care.

CommonSpirit Health serves urban and rural communities across 24 states, and is one of the nation's largest providers of Medicare and Medicaid services.

Because of that, the company claims PHSO will serve a more diverse payer portfolio than other management services organizations. Its goal is to improve equitable health outcomes via affordable and coordinated high-quality care.

WHAT'S THE IMPACT

Value-based care prioritizes value over the volume of care provided, rewarding holistic and coordinated care across the continuum to improve health status, quality and equity. It's often driven by value-based contractual agreements that are designed to incentivize providers to achieve better outcomes, quality and patient experience while lowering the total cost of care.

The demand for value-based agreements by payers and providers is increasing. For example, CMS has said that the vast majority of Medicaid and all Medicare beneficiaries will be in a value-based care relationship by 2030.

The PHSO is designed to foster collaboration between independent and employed providers by supporting networks that are inclusive of both – something CommonSpirit expects will result in elevated care.

Today, half of the providers engaged in CommonSpirit value-based agreements are not employed by CommonSpirit – a part of the network the PHSO only anticipates will grow more in the future.

The PHSO will build off the expertise from CommonSpirit's existing value-based programs, which include full Risk-Bearing Organizations (RBOs) and 10 Accountable Care Organizations. CommonSpirit said that over the past five years of participation in the Medicare Shared Savings Program, it has saved Medicare more than $474 million by prioritizing proactive outreach and addressing not only medical, but also behavioral and social needs.

THE LARGER TREND

Americans are largely on board with the concept of value-based care, but there's one thing they don't seem to like that much: the term itself, which they either don't resonate with or don't understand. That's according to research published by United States of Care in August, which found that 64% of the 1,000 people surveyed preferred value-based care to fee-for-service models.

More than half of the respondents (59%) felt positively about the term "value-based care," but even those with a favorable opinion of the term preferred other labels, such as "patient-first care" and "quality-focused care." Many people associated "value-based care" with low quality.

A 2022 report from the Medical Group Management Association found that value-based care only accounts for a small portion of medical revenue in most specialties. Data from the survey found that revenue from value-based contracts accounted for 6.74% of total medical revenue in primary care specialties, 5.54% in surgical specialties and 14.74% in nonsurgical specialties. Across all practices, the median revenue amount from value-based contracts was $30,922 per provider.
 

Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com

Dr. Eric Liederman, director of medical informatics for The Permanente Medical Group, says good communications with patients about cybersecurity protection is essential – even as risks to protected health information are on the rise, from external bad actors and insider threats.

Growing patient discomfort in sharing health information

Beyond health system disruptions such as ransomware that can compromise patient data, cybercriminals are increasingly going after individual patients. Some know they have a "target" on their backs and remain tight-lipped with their healthcare providers, said Liederman. 

Before what he referred to as the major ramp up in attacks against healthcare that began in 2015, there was "an appreciable minority of patients who were uncomfortable providing all their information to their doctors," he told attendees at the HIMSS Healthcare Cybersecurity Forum in Boston earlier this month.

According to one 2014 survey, 10% of patients distrusted health technology, Liederman said, but another recent survey found 87% of patients are unwilling to divulge all their medical information.

It's not only "a sense of psychic harm" they seek to control in holding back health information, a sense of distrust that their health system can protect them has them seeking care elsewhere. 

"How do we impress upon our patients and our workforce that we're protecting them?"

Implementing mechanisms to ensure the safety of data – from the inside of organizations out – and communicating about cyber protection efforts has resulted in better outcomes, Liederman said. 

Joint governance leads to better patient protection

Liederman credited joint governance for helping to facilitate a higher sense of trust among patients and the workforce.

With joint governance, there's increased dialogue that says, "We're all together on this – all the way to the top of the organization," he said. 

At Kaiser Permanente, members from all parts of the organization play a role in data security, and there's joint decision-making that results in "reduced friction," he said. 

"We have better outcomes because the controls that get implemented to mitigate risk are controls that are jointly agreed to or collaboratively agreed to," said Liederman. "And so they mitigate risk without impairing our operations, or especially patient care, and improve our crisis response because everybody understands what's at stake. 

"We have faster implementation for controls because people don't push back," he added. "And there's reduced career risk, especially for the CISO, right?

"You're one bad day away from having to look for a new job. It shouldn't be that way." 

Liederman stressed how critical it is to impress upon both patients and the workforce what health systems are doing to protect them and advised having the communications team as an HIT partner, he said. 

"You're all here, you all are presumably either directly involved with protecting your organizations or supporting organizations in protecting their data. Do people know what you're doing?"

Protecting against insider threats

While cybersecurity is designed to protect against external threats, insider threats are a significant cause for concern, especially in healthcare. 

"Is there sufficient attention paid there?" Liederman asked. 

For the insider threats, "There's two kinds of insider threat actors," he said. While one is very similar to the external attacker, such as a disgruntled employee, "those folks are really a small minority."

Liederman noted that, while cyber professionals try to focus on finding and mitigating these insider risks and blocking their actions, there are also the "human beings who sometimes, occasionally get tempted to use their credentials to look up information they shouldn't look at" to consider.

It's somebody they know, somebody they know of or somebody prominent in the community who is hospitalized. "What's going on? I want to know, right?" 

That insider threat – snooping – is substantially different from typical cybersecurity efforts, said Liederman. 

Healthcare provider employees are tempted to occasionally look at the health records of people they know – friends, family and coworkers. But then there are the people they've heard of. 

"I say famous and infamous. It isn't just famous people. It isn't just the mayor or celebrities. It might be a mass murderer who's been arrested and shot and is now in your emergency department," Liederman said.

"These are just human beings who get tempted. And so we want to help them deter themselves from ruining their careers and breaching the privacy of others." 

Liederman noted that earlier in his career – pre-HIPAA – he worked at an academic medical facility where access to lab results and radiology reports was wide open. 

"Within a few weeks of being there, I had a colleague approach me, telling me that a coworker had congratulated her on her pregnancy before she even knew of the pregnancy test result herself. 

"And then the next week, somebody told me that they learned of their cancer diagnosis from a coworker giving them tools. That's how they learn they had cancer, right? 

"This was a toxic culture," he said. 

Despite being 100 miles from another health system, two-thirds of employees sought care elsewhere, he said.

Over the next few years, Liederman said that he shut off access to certain departmental systems, implemented an electronic health record with audit trails and began an audit-monitoring program for snooping.

Addressing insider snooping

Access restrictions are a disaster that puts patients at risk, Liederman said. At most risk are the patients who are very sickest and are considered high-risk-for-breach "VIPs." 

To safely address insider snooping you have to record all the views and actions, which HIPAA requires anyway.

But, with "smart surveillance" – using the audit trail and focusing on where people are tempted to look – cybersecurity teams can suss out offenders, he said,

The point of implementing an auditing program and letting people know about it is not to fire half of the workforce – "these are skilled, talented, experienced people. You want them to keep working there, you want them to keep their licenses."

The goal is culture change, he said. 

"It's a different mindset from protecting against the outside attackers," he said.

"The goal here is not to find everybody. The goal here is to have a program where you find enough people so that everybody knows there's a program and they deter themselves."

He outlined the basic steps for launching an auditing program:

• Tell everybody that you have an auditing program. 
• Tell them you're auditing before you start the program, so that you tamp down on the temptation-based snooping before you even start looking. 
• Overcommunicate about your auditing program. 

"It works really well and works really fast," he said, noting that within weeks the number of snooping events drops by more than 90% – "and stays that way."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

CommonSpirit Health has launched a national value-based services platform, Population Health Services Organization (PHSO), focused on expanding access to equitable care, improving quality and outcomes and lowering the cost of care.

The PHSO will provide services such as advanced population health analytics, network management, care coordination, data management and analytics, technology infrastructure and reporting, with the focus of helping providers and networks succeed in value-based care.

CommonSpirit Health serves urban and rural communities across 24 states, and is one of the nation's largest providers of Medicare and Medicaid services.

Because of that, the company claims PHSO will serve a more diverse payer portfolio than other management services organizations. Its goal is to improve equitable health outcomes via affordable and coordinated high-quality care.

WHAT'S THE IMPACT

Value-based care prioritizes value over the volume of care provided, rewarding holistic and coordinated care across the continuum to improve health status, quality and equity. It's often driven by value-based contractual agreements that are designed to incentivize providers to achieve better outcomes, quality and patient experience while lowering the total cost of care.

The demand for value-based agreements by payers and providers is increasing. For example, CMS has said that the vast majority of Medicaid and all Medicare beneficiaries will be in a value-based care relationship by 2030.

The PHSO is designed to foster collaboration between independent and employed providers by supporting networks that are inclusive of both – something CommonSpirit expects will result in elevated care.

Today, half of the providers engaged in CommonSpirit value-based agreements are not employed by CommonSpirit – a part of the network the PHSO only anticipates will grow more in the future.

The PHSO will build off the expertise from CommonSpirit's existing value-based programs, which include full Risk-Bearing Organizations (RBOs) and 10 Accountable Care Organizations. CommonSpirit said that over the past five years of participation in the Medicare Shared Savings Program, it has saved Medicare more than $474 million by prioritizing proactive outreach and addressing not only medical, but also behavioral and social needs.

THE LARGER TREND

Americans are largely on board with the concept of value-based care, but there's one thing they don't seem to like that much: the term itself, which they either don't resonate with or don't understand. That's according to research published by United States of Care in August, which found that 64% of the 1,000 people surveyed preferred value-based care to fee-for-service models.

More than half of the respondents (59%) felt positively about the term "value-based care," but even those with a favorable opinion of the term preferred other labels, such as "patient-first care" and "quality-focused care." Many people associated "value-based care" with low quality.

A 2022 report from the Medical Group Management Association found that value-based care only accounts for a small portion of medical revenue in most specialties. Data from the survey found that revenue from value-based contracts accounted for 6.74% of total medical revenue in primary care specialties, 5.54% in surgical specialties and 14.74% in nonsurgical specialties. Across all practices, the median revenue amount from value-based contracts was $30,922 per provider.
 

Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com

Dr. Eric Liederman, director of medical informatics for The Permanente Medical Group, says good communications with patients about cybersecurity protection is essential – even as risks to protected health information are on the rise, from external bad actors and insider threats.

Growing patient discomfort in sharing health information

Beyond health system disruptions such as ransomware that can compromise patient data, cybercriminals are increasingly going after individual patients. Some know they have a "target" on their backs and remain tight-lipped with their healthcare providers, said Liederman. 

Before what he referred to as the major ramp up in attacks against healthcare that began in 2015, there was "an appreciable minority of patients who were uncomfortable providing all their information to their doctors," he told attendees at the HIMSS Healthcare Cybersecurity Forum in Boston earlier this month.

According to one 2014 survey, 10% of patients distrusted health technology, Liederman said, but another recent survey found 87% of patients are unwilling to divulge all their medical information.

It's not only "a sense of psychic harm" they seek to control in holding back health information, a sense of distrust that their health system can protect them has them seeking care elsewhere. 

"How do we impress upon our patients and our workforce that we're protecting them?"

Implementing mechanisms to ensure the safety of data – from the inside of organizations out – and communicating about cyber protection efforts has resulted in better outcomes, Liederman said. 

Joint governance leads to better patient protection

Liederman credited joint governance for helping to facilitate a higher sense of trust among patients and the workforce.

With joint governance, there's increased dialogue that says, "We're all together on this – all the way to the top of the organization," he said. 

At Kaiser Permanente, members from all parts of the organization play a role in data security, and there's joint decision-making that results in "reduced friction," he said. 

"We have better outcomes because the controls that get implemented to mitigate risk are controls that are jointly agreed to or collaboratively agreed to," said Liederman. "And so they mitigate risk without impairing our operations, or especially patient care, and improve our crisis response because everybody understands what's at stake. 

"We have faster implementation for controls because people don't push back," he added. "And there's reduced career risk, especially for the CISO, right?

"You're one bad day away from having to look for a new job. It shouldn't be that way." 

Liederman stressed how critical it is to impress upon both patients and the workforce what health systems are doing to protect them and advised having the communications team as an HIT partner, he said. 

"You're all here, you all are presumably either directly involved with protecting your organizations or supporting organizations in protecting their data. Do people know what you're doing?"

Protecting against insider threats

While cybersecurity is designed to protect against external threats, insider threats are a significant cause for concern, especially in healthcare. 

"Is there sufficient attention paid there?" Liederman asked. 

For the insider threats, "There's two kinds of insider threat actors," he said. While one is very similar to the external attacker, such as a disgruntled employee, "those folks are really a small minority."

Liederman noted that, while cyber professionals try to focus on finding and mitigating these insider risks and blocking their actions, there are also the "human beings who sometimes, occasionally get tempted to use their credentials to look up information they shouldn't look at" to consider.

It's somebody they know, somebody they know of or somebody prominent in the community who is hospitalized. "What's going on? I want to know, right?" 

That insider threat – snooping – is substantially different from typical cybersecurity efforts, said Liederman. 

Healthcare provider employees are tempted to occasionally look at the health records of people they know – friends, family and coworkers. But then there are the people they've heard of. 

"I say famous and infamous. It isn't just famous people. It isn't just the mayor or celebrities. It might be a mass murderer who's been arrested and shot and is now in your emergency department," Liederman said.

"These are just human beings who get tempted. And so we want to help them deter themselves from ruining their careers and breaching the privacy of others." 

Liederman noted that earlier in his career – pre-HIPAA – he worked at an academic medical facility where access to lab results and radiology reports was wide open. 

"Within a few weeks of being there, I had a colleague approach me, telling me that a coworker had congratulated her on her pregnancy before she even knew of the pregnancy test result herself. 

"And then the next week, somebody told me that they learned of their cancer diagnosis from a coworker giving them tools. That's how they learn they had cancer, right? 

"This was a toxic culture," he said. 

Despite being 100 miles from another health system, two-thirds of employees sought care elsewhere, he said.

Over the next few years, Liederman said that he shut off access to certain departmental systems, implemented an electronic health record with audit trails and began an audit-monitoring program for snooping.

Addressing insider snooping

Access restrictions are a disaster that puts patients at risk, Liederman said. At most risk are the patients who are very sickest and are considered high-risk-for-breach "VIPs." 

To safely address insider snooping you have to record all the views and actions, which HIPAA requires anyway.

But, with "smart surveillance" – using the audit trail and focusing on where people are tempted to look – cybersecurity teams can suss out offenders, he said,

The point of implementing an auditing program and letting people know about it is not to fire half of the workforce – "these are skilled, talented, experienced people. You want them to keep working there, you want them to keep their licenses."

The goal is culture change, he said. 

"It's a different mindset from protecting against the outside attackers," he said.

"The goal here is not to find everybody. The goal here is to have a program where you find enough people so that everybody knows there's a program and they deter themselves."

He outlined the basic steps for launching an auditing program:

• Tell everybody that you have an auditing program. 
• Tell them you're auditing before you start the program, so that you tamp down on the temptation-based snooping before you even start looking. 
• Overcommunicate about your auditing program. 

"It works really well and works really fast," he said, noting that within weeks the number of snooping events drops by more than 90% – "and stays that way."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.