HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

New York-Presbyterian And Columbia Hospitals To Pay Record HIPAA Settlement - Food, Drugs, Healthcare, Life Sciences - United States

On May 7, 2014, the US Department of Health and Human Services Office of Civil Rights (OCR) announced settlements with two New York-based hospitals totaling $4.8 million for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlements related to the hospitals' failure to secure the electronic protected health information (ePHI) of thousands of patients held on their networks and are the latest example of OCR's increased enforcement action.

The two hospitals, New York-Presbyterian Hospital (Presbyterian) and Columbia University (Columbia), which participate in a joint arrangement allowing Columbia faculty members to serve as attending physicians at Presbyterian, were the subject of investigation following their submission of a joint breach report to OCR in September 2010. As part of their joint arrangement, the hospitals operate a shared data network, administered by employees of both entities, which links to Presbyterian patient information systems containing ePHI. The breach occurred when a physician employed by Columbia attempted to deactivate a personal computer server that was on the shared network and contained Presbyterian patient ePHI. The improper deactivation of the server resulted in ePHI being accessible through Internet search engines. Presbyterian and Columbia reported the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

As part of their investigation, OCR also determined that neither hospital had conducted a thorough risk analysis to determine all systems accessing the shared data network and that neither hospital had an adequate risk management plan to address the potential threats to ePHI. Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, noted that entities participating in joint compliance arrangements "share the burden of addressing the risks to protected health information," and that the cases against the hospitals should "remind health care organizations of the need to make data security central to how they manage their information systems."

Presbyterian has paid OCR a settlement of $3.3 million, while Columbia has paid $1.5 million. In addition to the monetary penalties, both hospitals agreed to substantive corrective action plans, which include requirements for the hospitals to undertake a risk analysis, develop a risk management plan, revise policies and procedures, and complete staff training.

OCR's settlements with Presbyterian and Columbia come one week after the agency announced settlements with two health care entities totaling close to $2 million for violations of the Privacy and Security Rules. The two companies, Concentra Health Services and QCA Health Plan, Inc., were the subject of separate OCR investigations initiated following reports of breaches of ePHI by the entities to OCR. Both breaches were the result of the thefts of unencrypted laptops containing ePHI. Concentra agreed to pay OCR $1.725 million and to adopt a corrective action plan to ensure that sufficient protections are put into place to safeguard ePHI. QCA agreed to a fine of $250,000 and to provide OCR with a risk management plan including additional risk-limiting security measures to secure QCA's ePHI.

OCR has substantially increased its HIPAA enforcement efforts in recent years. The Health Information Technology for Economic and Clinical Health Act (HITECH), as implemented by the Omnibus HIPAA Rule issued on January 25, 2013 (available at 78 Fed. Reg. 5566), increased the potential civil monetary penalties that OCR could impose on Covered Entities — health care providers, health plans, and health care clearinghouses — and their Business Associates — entities that create, receive, maintain or transmit Protected Health Information for or on behalf of Covered Entities — for violating HIPAA. The Director of the OCR, Leon Rodriguez, has been quoted as saying the Omnibus Rule strengthened OCR's ability to "vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates."

In order to mitigate the risk of a potential breach, it is critical that Covered Entities and their Business Associates conduct a thorough risk analysis and develop risk management plans to address the potential threats and hazards to the security of ePHI. The risk analysis should frequently be reviewed and updated to account for changes in technology and/or new risks and risk management plans should be modified accordingly. Covered Entities and their Business Associates should also implement policies and procedures addressing workforce member access to databases and network security and should ensure that all employees and workforce members with access to ePHI are properly trained on the policies and procedures. As OCR's latest settlement indicates, failure to take these steps can result in severe financial penalties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.



Is your client’s wellness plan fully HIPAA compliant?

By Melissa A. Winn
May 9, 2014

Employers that offer an outcome-based wellness program are required by federal law to also offer a reasonable alternative standard (RAS), such as an educational class or health program, but advisers and employers need to know the RAS must continue to be offered annually even to employees who continuously fail to meet the desired health outcome.

Under the Health Insurance Portability and Accountability Act of 1996 all outcome-based wellness programs, those that offer a reward under a group health plan for individuals who attain or maintain a specific health outcome such as not smoking, must also offer an RAS to obtain the reward. This can include allowing employees to complete a smoking cessation program to earn the reward or avoid a surcharge to their premium. But, HIPAA rules also require employers to offer the RAS annually and allow employees to qualify for the reward through the RAS regardless of whether they fail to meet the health outcome, such as quitting smoking.

“Even if a participant continues to fail to meet the desired health outcome … [like] smoking cessation, healthy cholesterol level, healthy BMI … year after year, the participant must be able to continue obtaining the reward, avoiding any surcharge, by completing an appropriate RAS,” say attorneys Amy Ciepluch and Sarah Fowles of the Milwaukee, Wisc.-based Quarles and Brady law firm.

Completion of the program results in receiving the reward or avoiding the premium surcharge, regardless of whether the employee has stopped smoking or achieved a healthier BMI or cholesterol level. And the next year, the employer must offer the employee the same opportunity to complete the program (and possibly fail) to avoid the surcharge, the lawyers say in a blog posted this week on the subject.

Compliance for the RAS does not end there, however. Ciepluch and Fowles add that the RAS must also meet the following HIPAA requirements:

  • If the RAS is completion of an educational program, the employer must make the educational program available to the individual or assist the individual in finding such a program. The program must be free for the individual.
  • The time commitment must be reasonable.
  • If the RAS is a diet program, the employer must pay any membership or participation fee but is not required to pay for the cost of food.
  • If an individual’s personal physician states that a plan standard is not medically appropriate for the individual, the plan must provide a RAS that accommodates the physician’s recommendations.
  • If the RAS is another outcome-based wellness program, it must comply with the outcome-based wellness program rules.
  • The RAS cannot be a requirement to meet a different level of the same standard without providing an individual with additional time to comply with the RAS.

Notice of the availability of an RAS must be provided in all plan materials describing the terms of an outcome-based wellness program and any disclosure that an individual did not satisfy an initial outcome-based standard.

Increasingly, Ciepluch and Fowles say they are seeing wellness program designs that offer participants a “menu” of options to obtain a specific health plan reward or avoid a surcharge. While some of the methods in these designs are outcome-based and some are participatory and/or activity-based, offering employees more choice and flexibility, they caution employers to have the plans reviewed for HIPAA compliance.

Additionally, they say, some wellness programs provide rewards in cash, gift cards, or other tangible goods, and do not connect the rewards with a group health plan, thus avoiding regulation as an outcome-based wellness program.

But, these programs should also be reviewed for compliance with other applicable laws, they add.



Columbia University, NY hospital to pay 4.8 million HIPAA fine

Columbia University and an affiliated health care entity, New York-Presbyterian Hospital (NYP), have reached the largest HIPAA settlement to date, bringing resolution to a breach investigation.

The organizations will pay the Department of Health and Human Services' Office for Civil Rights $4.8 million to avoid being found in violation of Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

According to an HHS announcement released last week, the organizations have also agreed to implement a corrective action plan, which will include risk analysis, development of a risk management plan, staff training, and updating organizational policies and procedures.

HHS began investigating Columbia and NYP after the entities notified the agency of a breach in September 2010 by filing a joint report. The investigation centered around the electronic protected health information (ePHI) of 6,800 people being exposed, which included data about patient status, vital signs, medications and laboratory results, the HHS release said.

The organizations are affiliated in that Columbia University faculty members serve as attending physicians at one of NYP's facilities, New York-Presbyterian Hospital/Columbia University Medical Center.

The breach occurred when a Columbia University physician tried to deactivate a computer server, which left the data of NYP patients accessible through a simple online search, HHS revealed.

“The investigation revealed that the breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI,” the release said. “Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.”

Under the settlement terms, New York-Presbyterian will pay the bulk of the HIPAA fine, $3.3 million, while Columbia agreed to shell out the remaining $1.5 million. The deal comes just after Humana subsidiary Concentra agreed to pay $1.7 million to settle with the HHS over potential HIPAA violations.



Your EHR Vendor Isn’t Certified – How Should You Approach MU Stage 2? | EMR and HIPAA

A recent study conducted by Wells Fargo Securities stated “Over 700 EHR vendors had solutions certified for Stage 1, but at this point about 40 have been certified for Stage 2. While there is still time, we believe 300-500 vendors will ultimately disappear from the government program.”

We talked about the possibility of many EHR vendors not being 2014 certified in our interview with John Squire. This is a real possibility for many EHR vendors. It will be interesting to see which ones choose not to tell their customers that they won’t be ready until it’s too late to switch EHR. I think that will say something about the company.

Allscripts has put out a whitepaper that looks at some of the meaningful use stage 2 challenges and what you should do to make sure you’re ready.

  • Where to begin with Meaningful Use Stage 2
  • The new requirements for Stage 2 attestation
  • Technology upgrade and replacement considerations
  • Meaningful Use reporting
  • Transitioning to population health management

I find the idea of using MU stage 2 as a way to get ready for population health pretty interesting. I know this is a challenge when an organization is overwhelmed by the day-to-day life of someone in healthcare.

Considering the abysmal meaningful use stage 2 numbers that were released, it seems that many organizations could benefit from the meaningful use stage 2 help this whitepaper provides. I’d be interested to hear if people think that MU stage 2 does help their organization move towards population health management. Is that a reasonable goal you can work on as you work on MU stage 2? It reminds me of those who are doing CDI (clinical documentation improvement) projects alongside their ICD-10 work.



Columbia Medical Center, Hospital To Pay $4.8M Fine for Data Breach - iHealthBeat

New York-Presbyterian Hospital and Columbia University Medical Center have agreed to pay the HHS Office for Civil Rights a $4.8 million joint settlement over a 2010 data breach, Healthcare IT News reports (McCann, Healthcare IT News, 5/8).

Background on Data Breach

Employees at both organizations manage a shared data network and network firewall, according to an OCR statement. CUMC faculty members serve as attending physicians at New York-Presbyterian (Goedert, Health Data Management, 5/8).

On Sept. 27, 2010, the two entities submitted a joint data breach report after they received a complaint from an individual who found a deceased partner's patient records on the Internet (Conn, Modern Healthcare, 5/7).

Following an investigation, HHS determined that the medical records of about 6,800 of New York-Presbyterian's patients were accessible through online search engines. HHS noted that the hospital was not aware of the breach prior to the complaint (AP/Sacramento Bee, 5/7).

The breach occurred after a physician from CUMC deactivated a server on Presbyterian Hospital's internal data network.

The compromised patient records included:

  • Lab reports;
  • Medications;
  • Patient status; and
  • Vital signs (Health Data Management, 5/8).

Details of Settlement

New York-Presbyterian Hospital has agreed to pay $3.3 million and CUMC has agreed to pay $1.5 million. The joint settlement is the largest HIPAA monetary fine to date, Healthcare IT News reports (Healthcare IT News, 5/7).

According to an HHS statement, each entity also has agreed to develop a "substantive corrective action plan" that includes:

  • Creating a risk management plan;
  • Providing progress reports;
  • Revising policies and procedures;
  • Implementing staff training; and
  • Undertaking a risk analysis (Modern Healthcare, 5/7).

However, the entities did not admit liability in the breach and are not liable for related civil money fines under the settlement, Health Data Management reports. In addition, OCR said the settlements were not a concession by the agency that the entities were found to be in violation of HIPAA (Health Data Management, 5/8).

Reaction

Rachel Seeger, OCR's senior health information privacy outreach specialist, said, "The message here is to get your house in order" (Healthcare IT News, 5/8).

Meanwhile, Presbyterian Hospital spokesperson Doug Levy on Wednesday said that there was no proof at the time of the data breach or in the time following that any of the medical records were accessed or used inappropriately.

Levy noted that the hospital is committed to handling patient privacy and medical records with the "greatest respect and integrity" and is taking additional corrective measures as required under its agreement (AP/Sacramento Bee, 5/7).

Woman accuses Kmart of HIPAA violation

BECKLEY — A Raleigh County woman is suing over claims Kmart pharmacy employees violated HIPAA by discussing her medical information in the store.

Leslie J. Pettry filed a lawsuit April 14 in Raleigh Circuit Court against Kmart Promotions LLC, citing negligence.

According to the complaint, Pettry was a customer of Kmart’s pharmacy department in their Beckley store on Aug. 5, 2012, when an employee of Kmart openly discussed her medical information in the crowded store. The defendant is accused of violating the Health Insurance Portability and Accountability Act by allowing Pettry’s confidential medical information to be disseminated to the public.

Pettry is seeking damages in an amount to be determined by the court.

She is being represented in the case by attorney Anthony M. Salvatore of Hewitt & Salvatore PLLC. The case has been assigned to Circuit Judge H. L. Kirkpatrick.

Raleigh Circuit Court Case No. 14-C-377-K



New HIPAA settlements show OCR’s focus on encryption | Lexology

Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) reached settlements with two separate entities for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Specifically, Concentra Health Services (“Concentra”) agreed to pay $1,725,220 following the theft of an unencrypted laptop and the discovery of generally insufficient security management. Additionally, QCA Health Plan, Inc. (“QCA”) agreed to pay $250,000 following the theft of an unencrypted laptop and the discovery of general non-compliance with HIPAA. Both Concentra and QCA also entered into Corrective Action Plans with OCR.

Concentra is a Texas-based company with medical facilities in 38 states. The company submitted a security breach report to OCR in December 2011 upon discovering the theft of an unencrypted laptop from a physical therapy center in Springfield, Missouri. OCR then investigated Concentra and learned that, although Concentra had identified lack of encryption as a “critical risk” as part of its risk analysis, it had not taken adequate corrective action measures to address that risk. OCR also found that Concentra had insufficient security management processes in place to safeguard Protected Health Information (“PHI”).

QCA is a health insurance company based in Little Rock, Arkansas. In February 2012, QCA submitted a security breach report to OCR upon discovering the theft of an unencrypted laptop from an employee’s car. Following the breach, QCA encrypted devices within the company containing PHI. However, upon investigation, OCR found that QCA was not fully HIPAA compliant.

Encryption is not required by HIPAA, but if a Covered Entity or Business Associate opts not to encrypt PHI either at rest or in transmission, the entity must document its rationale and adopt alternative safeguards that achieve a similar level of protection. Additionally, only the improper use or disclosure of unencrypted PHI constitutes a security breach for purposes of HIPAA. These settlements illustrate the potential consequences of not encrypting PHI, particularly on portable devices. Susan McAndrew of OCR stated with regard to these settlements: “Our message to these organizations is simple: encryption is your best defense to these incidents.”



Satisfaction Survey Postcard Reminder Violated HIPAA Privacy Rule

BALTIMORE, May 2 -- The Maryland Department of Health and Mental Hygiene issued the following news release:

The Developmental Disabilities Administration (DDA) contracts with a vendor, Inclusion Research Institute, whose subcontractor is M. Davis and Company, to conduct Quality of Life surveys for individuals receiving services. These satisfaction surveys are sent out on an annual basis to individuals.

In February 2014, the subcontractor mailed postcards to approximately 2200 individuals reminding them to fill out the survey and return the results. The postcards were addressed to individuals and indicated that they were receiving the notification because they receive services from DDA. As the postcard was not enclosed in an envelope, the fact that the individual was receiving DDA services, which is protected health information, was publicly viewable. This is a breach of the 1996 Health Insurance Portability and Accountability Act (HIPAA).

DDA was notified on March 3, 2014 of this concern and promptly contacted the vendor. The vendor is in the process of notifying the affected individuals and will correct this deficiency for future mailings.



Did We Miss the Patient Engagement Opportunity with Meaningful Use? | EMR and HIPAA

One of the most controversial parts of meaningful use is the requirement that a certain percentage of patients engage with the office. The argument goes that the doctor shouldn’t be rewarded or punished based on the actions of someone (the patients) they don’t control. Regardless of the controversy, the requirement remains that doctors have to engage with a certain number of patients if they want to get the meaningful use money.

I’m personally a fan of patient engagement and think there’s a lot of value that will come from more engagement with patients. This reminds me of Dr. CT Lin’s presentation and research on patient engagement. We need to find more ways to make patient engagement an easy reality in healthcare.

The problem I keep running into with the meaningful use patient engagement requirement is that meaningful use requires a certified EHR to meet that requirement. There are a whole suite of patient engagement apps that provide a useful and logical engagement between doctor and patient. However, none of them can be used to meet the meaningful use patient engagement criteria. Yes, I know the patient engagement app could become modularly certified, but that’s really overkill for many of these apps. It really doesn’t make any sense for them to be certified. The software doesn’t get better (and an argument can be made that the software becomes worse) if they become modularly certified as an EHR.

Because of this issue, the requirement basically relegates EHR vendors to implementing some sort of (usually afterthought) patient portal. Then, the doctors have to try and force patients to use a patient portal just to meet a requirement. Plus, many are “gaming” this patient engagement number in the way a patient signs up and engages in the portal.

Wouldn’t it be so much better to allow the patient engagement to happen on a non-certified EHR? Why does this need to happen on a certified EHR? EHR vendors aren’t focused on patient engagement, and so it shouldn’t be a surprise that they’re not creating amazing patient engagement tools. Think about how much more effective the patient engagement would be if it happened on software whose makers were working and thinking every day about how they can make that engagement work for the patient and the provider.

I’d love to see ONC make an exception on this requirement that would allow patient engagement to occur on something other than the certified EHR. I imagine if they did this, they could even raise the bar when it comes to what percentage of patients they should engage with electronically. If they don’t, we’ll have a bunch of lame duck patient portals that are really only used to meet the MU requirement. What a terrible missed opportunity that would be.



What Is The Cost Of Fraud Prevention In Healthcare? | EMR and HIPAA

Among other things, credit card companies prevent enormous volumes of fraud. In exchange for their services, credit card companies typically charge about 2.5% of merchant revenue. The cost of fraud prevention for most merchants is no more than 2.5% of revenues.

But healthcare is rarely paid for by credit card. The vast majority of payments are directly transferred from payers to providers.

So what is the cost of fraud prevention in healthcare?

If providers were angels and never defrauded payers, then the entire claims system would have no reason to exist. In this utopian world, providers would simply bill payers accurately and payers would gladly pay, knowing that the claims were honest.

But that’s unrealistic. Payers are extremely skeptical of providers. There is an enormous amount of friction between payers and providers to ensure that providers aren’t overpaid: the technology vendors at every layer of the stack (provider, clearing house, payer), the billers, coders, claims departments, prior authorization departments, insurance agents, AR departments, etc. All of these people, processes, and technologies exist to ensure that providers aren’t overpaid.

Although I cannot find any explicit numbers, it’s not unreasonable to think that the sheer administrative costs of the claims system are greater than 10% of all healthcare costs.

In addition to compliance costs, actual Medicare Fraud is estimated at about $50B, which is about 9% of all Medicare payments.

The takeaway of the story is that providers can’t seem to stop defrauding Medicare. The irony is that physicians – who are generally respected by the public – are those whom the system works most diligently to ensure aren’t overpaid.



Population Health Management (PHM) – The New Health IT Buzzword | EMR and HIPAA

For some reason in healthcare IT we like to go through a series of buzzwords. They rotate through the years, but usually have a very similar meaning. The best example is EMR and EHR. You could nuance a difference between the two terms, but in practice they are used interchangeably and we all know what they mean.

With this in mind, I was intrigued by an excerpt from Cora Sharma’s post on Financial Analytics Bleeding into Population Health Management:

It appears that “population health management” (PHM) just has a better ring to it than “accountable care” or “HMO 2.0”. Increasingly, PHM is becoming an umbrella term for all of the operational and analytical HIT tools needed for the transition to value-based reimbursement (VBR), including EHR, HIE, Analytics, Care Management, revenue cycle management (RCM), Supply Chain, Cost Accounting, … .

On the other hand, HIT vendors continue to define PHM according to their core competencies: claims-based analytics vendors see PHM in terms of risk management; care management vendors are assuming that PHM is their next re-branded marketing term; clinical enterprise data warehouse (EDW) and business intelligence (BI) vendors argue that a single source of truth is needed for PHM; HIE and EHR vendors talk about PHM in the same breath as care coordination, leakage alerts and clinical quality measures (CQM); and so on.

Cora is right. Population Health Management does seem to be the latest buzzword and for some reason feels better to people than accountable care. I guess it makes sense. People don’t want to be held accountable for anything. However, they love to help a population be healthy.

Coming out of 30+ meetings with vendors at HIMSS this year I was asking myself a similar question. What’s the difference between an HIE, healthcare analytics, business intelligence, data warehouses (EDW) and even many of the financial RCM products? I see them all coming together into one platform. I guess it will be called population health management.

To Cora’s broader point in the post, there is a real coming together that’s happening between clinical and financial data in healthcare. All I can think is that it’s about time. The division of the data never really made sense to me. The data should be one and available to whatever system needs the data. ACOs are going to drive this to become a reality.



Is the SHIN-NY “Public Utility” HIE Funding a Model for Other HIE? | EMR and HIPAA

I first started working with the New York eHealth Collaborative (NYeC) many years ago when they first organized the Digital Health Conference. Hopefully they’ll have me back again this year since I’ve really enjoyed our ongoing partnership. Plus, it’s a great way for me to get a deeper look into the New York Health IT landscape.

While NYeC organizes this conference, has an accelerator, and is (is this a was yet?) even a REC, the core of everything they do is around their HIE called the SHIN-NY. Unlike some states who don’t have any HIE or RHIO, New York has 10 regional health information exchanges (formerly and for some people still called RHIOs). The SHIN-NY is the platform which connects all of the state’s RHIOs into one connected health network. Plus, I know they’re working on some other more general initiatives that share and get data from organizations outside of New York as well.

While the SHIN-NY has been worked on and sending data for a number of years, the news just came out that Governor Cuomo included $55 million in state funding for the SHIN-NY HIE. This is a unique funding model and it makes me wonder how many other states will follow their lead. Plus, you have to juxtapose this funding with my own state of Nevada’s decision to stop funding the state HIE that was supported with a lot of federal government funds as well.

In my HIE experience, I’ve found that every state is unique in how they fund and grow their HIE. Much of it often has to do with the cultural norms of the state. For example, New York is used to high state taxes that support a number of government programs. Nevada, on the other hand, is used to no state tax and government funding largely coming from the hospital and gaming sectors. Plus, this doesn’t even take into account the local healthcare bureaucracies and idiosyncrasies that exist.

What do you think of this type of HIE funding model? Do you wish your state would do something similar? Will we see other states follow New York’s example?

I’m excited to see how NY, NYeC and the SHIN-NY do with this HIE funding. Knowing many of the leaders in that organization, I think they’re going to be a great success and have a real impact for good on healthcare in NY.




Stolen Laptops = HIPAA Settlements Totaling Nearly Two Million Dollars - Health Insurance Portability and Accountability Act | The National Law Review


Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, reminds the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. All HIPAA covered entities and business associates should review these resolutions agreements as they are instructive to handling a key area of risk for just about any such organization – electronic mobile devices – which are frequently lost or stolen, and not encrypted.

In one of the cases, OCR found that the covered entity, Concentra Health Services:

failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.

In other words, OCR claims that although Concentra identified the lack of encryption as a risk, OCR determined that it failed to adequately remediate or manage the risk. It is also important to note, however, that OCR acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule. This means that covered entities and business associates need not encrypt such devices, provided they determine encryption is not reasonable and appropriate, and implement an equivalent alternative measure(s) to encryption, if reasonable and appropriate, and document that determination.

In the other case, following receipt of a breach notice in February 2012 from the covered entity concerning a stolen unencrypted laptop with protected health information of 148 individuals, OCR investigated and contends that the covered entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, including conducting a thorough risk assessment.

So, there are a number of lessons for covered entities and business associates from these resolutions including:

  1. Conduct a risk assessment to identify vulnerabilities. HHS recently released a tool to assist covered entities with this step.

  2. Doing a risk assessment is not enough. Risks identified in the assessment have to be dealt with completely and consistently.

  3. While encryption may be preferred, it is not required so long as the entity identifies and applies alternative measures that are reasonable and appropriate, and documents that determination. But remember that depending on the information stored on the laptops or other mobile storage devices, states such as Massachusetts may require those laptops and devices be encrypted.




Upcoming Webinar: Hear from Health & Human Services, Avoid the Biggest HIPAA Mistakes | Business Wire

May 14, 2014 09:08 AM Eastern Daylight Time
CLEARWATER, Fla.--(BUSINESS WIRE)--

WHAT:

FairWarning, Inc., the inventor and KLAS Category Leader in Patient Privacy Monitoring1, will host an industry-wide webinar titled “Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes” featuring Laura Rosas, Senior Advisor, Office of the Chief Privacy Officer, Health & Human Services. In 2014, covered entities can expect to receive an inquiry letter covering the most frequent problem areas in the HIPAA pilot audits. The Security Risk Assessment is required by both the HIPAA Security Rule and the CMS EHR Incentive Program, also known as Meaningful Use. Health & Human Services released a downloadable Security Risk Assessment Tool this past March to help covered entities evaluate their security position and identify areas needing improvement. The time is now to identify the weakest areas and take action to improve prior to an audit.

During this webinar, Ms. Rosas will walk through this tool to help attendees avoid some of the biggest HIPAA mistakes, including tips and recommendations for getting the most from the self-assessment.

WHEN & WHERE:

Tuesday, May 20, 2014
2:00 Eastern / 11:00 Pacific

Broadcast via Webex, register at:

https://fairwarningevents.webex.com/ec0701l/eventcenter/enroll/register.do?formId=0&formType=0&loadFlag=1&siteurl=fairwarningevents&confId=1749154321

About FairWarning, Inc.

FairWarning®’s mission is to lead the industry expansion of trust in Electronic Health Records empowering care providers to grow their reputation for protecting confidentiality, scale their digital health initiatives and comply with complex Federal and state privacy laws such as HIPAA. By partnering with FairWarning, care providers are able to direct their focus on delivering the best patient outcomes possible while receiving expert, sustainable and affordable privacy and compliance solutions. Customers consider FairWarning® privacy auditing solutions essential for compliance with healthcare privacy regulations such as ARRA HITECH privacy and meaningful use criteria, HIPAA, UK and EU Data Protection, California SB 541 and AB 211, Texas HB 300, and Canadian provincial healthcare privacy law. For more information on FairWarning® visit http://www.FairWarning.com or email Soultions@FairWarning.com.

1 2013 Best in KLAS: Software & Services report, January, 2014. © 2014 KLAS Enterprises, LLC. All rights reserved. www.KLASresearch.com

Contacts

FairWarning, Inc.
Sadie Peterson, 727-576-6700 Ext. 119
Sadie@FairWarning.com


Largest-ever HIPAA settlement rings in at 5 million, should be a lesson to providers sharing computer networks, feds announce


New York Presbyterian Hospital and Columbia University have entered into the largest-ever government settlement over an electronic data breach, totaling $4.8 million, the Department of Health and Human Services announced Wednesday. 

The breach occurred when a Columbia University physician and computer application developer attempted to deactivate a server he personally owned, which was on a data network shared with New York Presbyterian, according to HHS. The two organizations operate jointly as New York Presbyterian Hospital/Columbia University Medical Center.

Because “technical safeguards” were lacking, deactivating the server allowed personal health information of about 6,800 patients to be accessed through public Internet search engines, HHS explained. The providers reported the breach in 2010, after someone found the personal information of a deceased loved one on the Web.

The settlement should be cautionary for joint healthcare providers that both are covered by Health Insurance Portability and Accountability Act provisions, said Christina Heide, acting deputy director for health information privacy at the HHS Office of Civil Rights.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” she said. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”

New York Presbyterian's share of the settlement totaled about $3.3 million, and Columbia's came to $1.4 million. Both have agreed to a “substantive corrective action plan,” including risk analysis and management, HHS noted.


HIPAA Enforcement: Leadership Changes


As the Department of Health and Human Services' Office for Civil Rights ramps up its enforcement of HIPAA with costly settlements and a new round of compliance audits, the agency is in a state of leadership transition. Susan McAndrew, a long-time OCR leader in HIPAA enforcement, has retired, and OCR Director Leon Rodriguez may be departing soon.

McAndrew, whose official title was OCR deputy director for health information privacy, but who some insiders at OCR called "the mother of HIPAA," retired from federal service on May 2. "Sue was instrumental in spearheading the development and implementation of health information privacy policy and enforcement at HHS," an OCR spokeswoman tells Information Security Media Group.

Meanwhile, Rodriguez, who was nominated by President Obama last December to become director of U.S. Citizenship and Immigration Services, an agency of the Department of Homeland Security, is awaiting a full Senate vote to confirm his nomination to that post.

The Senate judiciary committee in March held a hearing on Rodriguez's nomination. On April 3 the outcome of the hearing was reported as "favorable" by committee chair Sen. Patrick Leahy, D-Vt., to the Senate, and the nomination was placed on the Senate Executive Calendar for 2014. But no date for a vote on Rodriguez's nomination has been listed yet on the Senate calendar.

The OCR spokeswoman tells ISMG that there is "no update to share at this time on director Rodriguez' confirmation."

Privacy Leadership

Commenting on the recent retirement of McAndrew, the spokeswoman says: "Her vision and leadership have been essential in moving OCR's work forward to keep pace with the advances of health information technology.

"McAndrew worked each day to move the department in a direction where consumers' right to the privacy of their health information dovetails with common sense standards for the health care industry to follow. She leaves a deep and lasting legacy, and her presence will be greatly missed."

McAndrew could not be reached for comment.

The attorney played a critical role in crafting HIPAA policies and enforcement activities, including the agency's first round of compliance audits that were conducted under the 2012 pilot program.

"Sue has been the guiding force behind the development and implementation of the HIPAA privacy, security and breach notification rules as well as the audit program," says David Holtzman, a former OCR senior adviser who left the agency in December to join security consulting firm CynergisTek. "The [OCR] deputy director plays a significant role in the development of regulatory policy and enforcement strategy."

Filling Positions

Christina Heide, OCR's senior adviser for health information privacy policy, is serving as acting deputy director for OCR's Health Information Privacy Division, the OCR spokeswoman says. Heide will be responsible for leading decision-making on enforcement, policy, and strategy.

Heide, an attorney, has worked with the HIPAA program at HHS since August 1999 and serves as the senior adviser for policy matters.

If Rodriguez is confirmed as director of U.S. Citizenship and Immigration Services, the HHS secretary will appoint a new director of OCR. That means the appointment could be made by Sylvia Mathews Burwell, who has been nominated by Obama to replace Kathleen Sebelius, who resigned last month as HHS secretary. Burwell is slated to face a second round of Senate finance committee confirmation hearings this week.

In the meantime, OCR is also adding to its enforcement staff. Last week, OCR posted notices that it's recruiting for several positions in its regional offices, including Kansas City, Missouri; Boston and Denver.

For example, the Kansas City job's primary duties include, "investigating complaints, conducting compliance reviews, and providing technical assistance and outreach to health and human services institutions, agencies or organizations which are covered entities to ensure compliance with civil rights laws and regulations and with the privacy of protected health information under HIPAA."



IE flaw ushers risky new era for XP use | Healthcare IT News


When even the Department of Homeland Security is warning against using Internet Explorer, it's a safe bet its security flaws are serious. But for many healthcare providers -- notably those still running on Windows XP -- IE's recently-exposed vulnerabilities won't be fixed by Microsoft.

Microsoft confirmed this week that versions 6 through 11 of Internet Explorer "are susceptible to a newly discovered vulnerability, and that cyberattackers have already exploited the flaw."


It pledged to release a fix for the so-called "zero day" threat. But not for computers still running on Windows XP. On April 8, after years of warning, Microsoft stopped delivering technical assistance or software updates for the nearly 13-year-old operating system.

"These include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software, which can steal your personal information," wrote officials at the Redmond, Wash. giant.

Windows XP was first released way back in 2001, but security experts guess that 15 to 25 percent of the world's PCs still run on the system. It's a safe bet that includes an untold number of machines at physician practices and small hospitals nationwide.


This serious security gap for Internet Explorer is just the first of many vulnerabilities that will be left unfixed from here on in for any provider using XP. One tech writer called it "the first sign of the XPocalypse."

Sergio Galindo, general manager of the infrastructure business unit at computer security firm GFI Software, says his company has been working with many small- and medium-sized clients to help them prepare for the end of XP support.


"With 20 percent of our customers still running Windows XP, it still holds a good portion of our attention," he said.

Healthcare organizations are particularly vulnerable.


"For those healthcare providers that fall under HIPAA, having a Windows XP machine as part of your business practice may put your compliance at risk," said Galindo.


Computers running XP will continue to work, of course, "but with greater and greater risk," he said. Still, despite the fact that this wide-open vulnerability "has been widely communicated," there still exists an "'it won't happen to me' syndrome" on the part of many XP users, said Galindo. But now more than ever, he said, "it is highly likely that an unprotected system will be impacted by a virus, worm or malware."

In the short term, there are steps that can be taken to put up at least an adequate defense against the risks posed by Internet Explorer.


David Harley, senior research fellow at IT security company ESET, suggested setting IE's Active Scripting and ActiveX to "prompt." It's "mildly irritating," he admitted, "but seems to reduce the attack surface if you actually disallow it on prompt unless you know you need it."

But "the simplest route is just to set IE security levels to 'high,' or use Enhanced Protected Mode in IE versions that support it," he added. "If you're using XP, you should probably be setting IE security level to 'high' already, as a way of generally decreasing the attack surface on an unsupported OS."
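Added here as a defender's check, not code from the article, ESET or Healthcare IT News: a PowerShell audit of the current user's Internet-zone settings that Harley describes above (overall level "high", Active Scripting and ActiveX at "prompt" or disabled). It assumes the stock registry location of IE's URL security zones (zone 3 = Internet; values 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins, CurrentLevel = template level) and a host with PowerShell installed; the pass/fail thresholds are my own.

```powershell
# Added example, not part of the article. Audits the Internet zone (zone 3)
# of Internet Explorer for the current user and reports deviations from the
# hardening Harley recommends. Registry path, value names and meanings are
# Microsoft's documented URL security zone settings; the audit logic is mine.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Per-action values: 0 = Enable, 1 = Prompt, 3 = Disable
$actionLabel = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Overall template level stored in CurrentLevel
$levelLabel  = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium';
                  0x10500 = 'Medium-low'; 0x10000 = 'Low' }

function Get-ZoneValue([string]$name) {
    # Returns $null when the value is absent; IE then falls back to the
    # template default, which for the Internet zone is not "Prompt".
    $item = Get-ItemProperty -Path $zone -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Test-InternetZoneHardening {
    # Returns a list of findings; an empty list means the zone matches the
    # recommendations above.
    $findings = @()

    $level = Get-ZoneValue 'CurrentLevel'
    $levelName = if ($null -ne $level -and $levelLabel.ContainsKey([int]$level)) {
        $levelLabel[[int]$level]
    } else { "unknown ($level)" }
    if ($level -ne 0x12000) {
        $findings += "Internet zone security level is '$levelName', expected High"
    }

    $checks = @(
        @{ Id = '1400'; Desc = 'Active scripting' },
        @{ Id = '1200'; Desc = 'Run ActiveX controls and plug-ins' }
    )
    foreach ($c in $checks) {
        $v = Get-ZoneValue $c.Id
        $state = if ($null -ne $v -and $actionLabel.ContainsKey([int]$v)) {
            $actionLabel[[int]$v]
        } else { 'not set (template default)' }
        # Prompt (1) or Disable (3) both shrink the attack surface; Enable (0)
        # or an absent value means the page can script or load controls silently.
        if ($v -ne 1 -and $v -ne 3) {
            $findings += "$($c.Desc) is '$state', expected Prompt or Disable"
        }
    }
    return $findings
}

$result = Test-InternetZoneHardening
if ($result.Count -eq 0) {
    Write-Output 'PASS: Internet zone matches the recommended hardening'
} else {
    $result | ForEach-Object { Write-Output "FAIL: $_" }
}
```

This reads only the current user's hive; settings pushed by Group Policy or locked to the machine live under the corresponding HKLM key and would need the same checks against that path.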


Longer term, however, the fact remains that Windows XP machines are at extremely high risk for hacking and data breaches; whatever the cost of upgrading to a newer operating system, it could be far eclipsed by the price of a HIPAA settlement.


For those practices still running on XP, Galindo suggests incremental steps. First, "make sure that information is archived properly," he said.

Next? Even though Microsoft's current OS is Windows 8.1, Galindo suggests a smaller leap to Windows 7.


"The problem is that Microsoft has moved on to Windows 8, which involves a different interface," he said. "Where possible, 7 is solid and is most like XP. Moving to 8 involves more training and adapting to a new interface -- this will involve some time for users to get used to it. I'm not sure that time is well spent at this point."



Transcriptionist Breach Affects 15,000


A breach involving the posting of information about 15,000 Boston Medical Center patients on a transcription firm's unsecured website serves as a reminder of the importance of monitoring the security practices of all business associates.

Boston Medical Center was notified on March 4 by another healthcare provider that MDF Transcription Services and its subcontractors "had incorrectly posted BMC physician office visit notes to the MDF website without password protection," a Boston Medical Center spokeswoman tells Information Security Media Group. "We immediately informed MDF and its subcontractors of this error and the website was removed from the Internet on the same day. We take our responsibility to maintain our patients' privacy very seriously and have notified all individuals who were affected by this vendor error."

As a result of the incident, physician notes "could have potentially been accessed by non-authorized individuals," she says. The information potentially exposed on the site includes names, addresses, medical information and medications. "We have no reason to believe that this led to the misuse or inappropriate accessing of any patient information," she says. "At this time, we have no evidence that any patient information was accessed by anyone other than medical personnel and administrative staff."

A number of Boston Medical Center physicians had used the transcription services company for several years, the spokeswoman says. Physicians routinely record audio notes about patient visits and then have these audio notes transcribed so they can be added to electronic medical records, she explains.

"Several physicians at BMC utilized MDF to transcribe their notes. Once transcribed, these notes were made accessible to physicians by MDF through an online site administered by subcontractors of MDF," she says. "Unfortunately in this instance the information was not password protected by MDF and its subcontractors."

The hospital is working with MDF and its subcontractors to determine the duration of the information exposure, the spokeswoman says.

As a result of the incident, Boston Medical Center has terminated its relationship with MDF. "BMC has rigorous contracting standards in place to protect patient privacy and any organization that works with BMC must be in full compliance with those standards," the spokeswoman says. "Failure to meet those standards in any way will result in immediate termination of the contract."

MDF could not be reached for comment. Boston Medical Center declined to identify the subcontractors involved in the incident.

Business Associate Challenges

Security expert Brian Evans, principal consultant at Tom Walsh Consulting, says that many transcription services firms are aware of HIPAA's requirements but not always effective in carrying them out.

"In working with business associates that include transcription services, I'm finding that they are fully aware of their compliance obligations but lack the funding, staffing and security experience to adequately address them," he says.

"Unfortunately, business associates have not had as much time as covered entities to prepare for and meet their new compliance obligations. As a result, business associates, especially the smaller ones, are woefully behind in meeting their compliance requirements of the HIPAA security and privacy rules which include breach prevention tasks and technologies," he says.

Evans recalls a similar breach involving another transcription service. "I was involved with a data breach incident several years ago where the local transcription services company outsourced work to another company in Tennessee who then outsourced to an individual in India who posted actual patient data on his website," he says.

When covered entities work with transcription services firms, Evans says, they should ask the companies "specifically how they are protecting the confidentiality, integrity and availability of your patient data. I would also ask them to demonstrate their compliance with the HIPAA Security Rule."

Juggling BAs

Many large healthcare organizations, such as Boston Medical Center - a 496-bed academic medical center - might have hundreds of business associates, so managing these vendors can be difficult, Evans acknowledges.


"Despite greater investments in compliance efforts overall, the Boston Medical Center incident suggests that healthcare organizations have made limited progress in identifying or reducing business associate risk," Evans says. "The primary reason behind this is the sheer volume and diversity of business associates for any one organization."

Every business associate poses some form or level of risk, he says. "As a result, business associate risk is higher than most realize because a majority of this risk is not identified or reported. Consequently, potentially serious and costly compliance issues fly under the radar of senior management."

Under the HIPAA Omnibus Rule which went into effect last year, business associates are directly liable for HIPAA compliance. Like covered entities, business associates are subject to OCR enforcement actions, including penalties ranging up to $1.5 million per HIPAA violation.

Tips for Managing BAs

While managing dozens, if not hundreds, of business associates - including transcription services firms - can be a challenge, Evans says covered entities should take several steps to ensure compliance of their vendors.

"Consider taking a tiered approach to assessing and managing business associate risk to allocate your limited resources to the highest exposure areas," he says. "By employing a tiered risk management model, you can direct the most intensive compliance resources to areas of greatest exposure, allowing for broader coverage without increasing the overall resource investment in risk management.

"When business associates handle sensitive or regulated data, it is imperative that some form of written agreement specifies what is expected. But contracts and agreements alone are weak controls unless compliance can be verified."

The most effective way to reduce the rate of compliance failures at business associates is the combined use of risk assessments; contracts/agreements; due diligence; audit tools and other technologies; and careful oversight monitoring, he says. "Direct compliance with all of the safeguards and documentation requirements of the HIPAA Security Rule is your mandate, and your customers, patients and auditors are going to begin asking you to show them, not just tell them, that you are in good standing," he says.

Additionally, Evans suggests covered entities designate a specific individual or team to coordinate the oversight activities for significant business associate relationships, and, as necessary, involve other operational areas, such as audit and information technology, in the monitoring process. "The extent of oversight of a particular business associate will depend on the potential risks and the scope and magnitude of the relationship," he says. Results of oversight activities should be periodically reported to senior management or a designated committee, he advises. "Identified non-compliance issues or weaknesses should be documented and promptly addressed," he adds.

The revelation of the breach at Boston Medical Center comes on the heels of distributed-denial-of-service attacks against (see DDoS Assault on Boston Children's Hospital)


Did We Miss the Patient Engagement Opportunity with Meaningful Use? | EMR and HIPAA


One of the most controversial parts of meaningful use is the requirement that a certain percentage of patients engage with the office. The argument goes that the doctor shouldn’t be rewarded or punished based on the actions of someone (the patients) they don’t control. Regardless of the controversy, the requirement remains that doctors have to engage with a certain number of patients if they want to get the meaningful use money.


I’m personally a fan of patient engagement and think there’s a lot of value that will come from more engagement with patients. This reminds me of Dr. CT Lin’s presentation and research on patient engagement. We need to find more ways to make patient engagement an easy reality in healthcare.


The problem I keep running into with the meaningful use patient engagement requirement is that meaningful use requires a certified EHR to meet that requirement. There are a whole suite of patient engagement apps that provide a useful and logical engagement between doctor and patient. However, none of them can be used to meet the meaningful use patient engagement criteria. Yes, I know the patient engagement app could become modularly certified, but that’s really overkill for many of these apps. It really doesn’t make any sense for them to be certified. The software doesn’t get better (and an argument can be made that the software becomes worse) if they become modularly certified as an EHR.


Because of this issue, the requirement basically relegates EHR vendors to implement some sort of afterthought (usually) patient portal. Then, the doctors have to try and force patients to use a patient portal just to meet a requirement. Plus, many are “gaming” this patient engagement number in the way a patient signs up and engages in the portal.


Wouldn’t it be so much better to allow the patient engagement to happen on a non-certified EHR? Why does this need to happen on a certified EHR? EHR vendors aren’t focused on patient engagement, and so it shouldn’t be a surprise that they’re not creating amazing patient engagement tools. Think about how much more effective the patient engagement would be if it happened on software whose makers were working and thinking every day about how they can make that engagement work for the patient and the provider.


I’d love to see ONC make an exception on this requirement that would allow patient engagement to occur on something other than the certified EHR. I imagine if they did this, they could even raise the bar when it comes to what percentage of patients they should engage with electronically. If they don’t, we’ll have a bunch of lame duck patient portals that are really only used to meet the MU requirement. What a terrible missed opportunity that would be.



Can Google Glass Get Any HIPAA?

Google Glass is a hip new accessory gaining acceptance in clinical settings, but before widespread adoption can take place, organizations must ensure that the wearable device is HIPAA-compliant.

Imagine being able to find and view a patient's electronic health record with a simple nod of the head, or being able to maintain eye contact with patients while reviewing their records, or being able to check in on a patient from a remote location as if you were both in the same room.

This technology is already in use by healthcare providers and may be more widespread than you think. If it hasn't already made a debut in an emergency department near you, it will soon. Boston's Beth Israel Deaconess Medical Center and Brigham and Women's Hospital, Rhode Island Hospital, UC Irvine Medical Center, and Indiana State University Hospital are just a few of the organizations that are using Google Glass on at least an experimental basis.

"From the patient perspective, there's nothing worse than watching a doctor sit down and type at a computer screen. Glass enables you to meet a patient at eye level," says Paul Porter, MD, a physician at Rhode Island Hospital's department of emergency medicine. "This is a starting point toward a complete telemedicine program," he continued.




Cloud HIPAA BAA considerations for healthcare providers | HealthITSecurity.com

Most healthcare cloud security discussions these days usually involve a cloud provider’s willingness (or perhaps lack thereof) to sign a HIPAA business associate agreement (BAA). The BAA was once considered an agreement that vendors didn’t have much reason to sign, but the HIPAA Omnibus Rule put teeth into regulatory responsibility among BAs, helping the BAA evolve into a bare minimum to do business with many healthcare organizations.

Google and Microsoft have been at the forefront of this movement, as Microsoft has been offering HIPAA BAAs for about a year now and Google finally gave in to healthcare organizations on the BAA front last September when it included Google Apps. However, because not all BAAs may be created equal based on size, need and circumstances, there are instances where an organization and cloud vendor may not be able to come to terms on a BAA. For instance, the Wall Street Journal recently reported on why the pace of cloud adoption has slowed and referenced how some healthcare organizations are still wary of storing data outside of the organization.

Specifically, even after looking into using Microsoft’s Office 365 in 2013 with a HIPAA BAA available, Molina Healthcare Inc. of Calif. chose to just stick with its on-premises storage product. Molina Healthcare CIO Rick Hopfer told the Journal that his organization could not come to an agreement with Microsoft on the specifics of the BAA. While Hopfer didn’t explain exactly what the issue was within the BAA that prevented Molina from using Microsoft 365, the decision illustrates an important point: While cloud vendors offering BAAs is an important step to cloud adoption in healthcare, some organizations may have precise needs that they don’t believe are covered in a BAA. Hopfer made it clear that this didn’t mean that Molina had no interest in a Microsoft, or even Google, BAA down the line, but keeping its on-premises product made sense for now. “I do believe this will evolve in a positive way for health-care companies in the next couple of years,” he said.




Secure Text Messaging is Universally Needed in Healthcare | EMR and HIPAA


I’ve written regularly about the need for secure text messaging in healthcare. I can’t believe that it was two years ago that I wrote that Texting is Not HIPAA Secure. Traditional SMS texting on your cell phone is not HIPAA secure, but there are a whole lot of alternatives. In fact, in January I made the case for why, even without HIPAA, secure text messaging was a much better alternative to SMS.

Those that know me (or read my byline at the end of each article) know that I’m totally biased on this front since I’m an adviser to the secure text message company docBeat. With that disclaimer, I encourage all of you to take a frank and objective look at the potential for HIPAA violations and the potential benefits of secure text over SMS and decide for yourself if there is value in these secure messaging services. This amazing potential is why I chose to support docBeat in the first place.

While I’ve found the secure messaging space really interesting, what I didn’t realize when I started helping docBeat was how many parts of the healthcare system could benefit from something as simple as a secure text message. When we first started talking about the secure text, we were completely focused on providers texting in ambulatory practices and hospitals. We quickly realized the value of secure texting with other members of the clinic or hospital organization like nurses, front desk staff, HIM, etc.

What’s been interesting in the evolution of docBeat was how many other parts of the healthcare system could benefit from a simple secure text message solution. Some of these areas include things like: long term care facilities, skilled nursing facilities, Quick Care, EDs, Radiology, Labs, rehabilitation centers, surgery centers, and more. This shouldn’t have been a surprise since the need to communicate healthcare information that includes PHI is universal and a simple text message is often the best way to do it.

The natural next extension for secure messaging is to connect it to patients. The beautiful part of secure text messaging apps like docBeat is that patients aren’t intimidated by the messages they receive from docBeat. The same can’t be said for most patient portals, which require all sorts of registration, logins, forms, etc. Every patient I know is happy to read a secure text message. I don’t know many that want to log in to a portal.

Over the past couple of years the secure text messaging tide has absolutely shifted and there’s now a land grab for organizations looking to implement some form of secure text messaging. In some ways it reminds me of the way organizations were adopting EHR software a few years back. However, we won’t need $36 billion to incentivize the adoption of secure text messaging. Instead, market pressures will make it happen naturally. Plus, with ICD-10 delayed another year, hopefully organizations will have time to focus on small but valuable projects like secure text messaging.




The Feds Are Supporting Telemedicine | EMR and HIPAA


The Federation of State Medical Boards (FSMB) recently passed a model telehealth policy that promotes virtual visits for first-time encounters. This is notable for 2 reasons: first, many state medical boards liberally borrow from the federal boards, and second, this marks a shift from the old model in which patients were encouraged to see providers in person before engaging in telemedicine consults.

It’s encouraging to see the old, arbitrarily restrictive model fade, in favor of one where patients can begin building a relationship with their physician without travel. Indeed, people meet on the internet all the time; why can’t patients meet their care providers the same way?

The old model was arbitrarily limiting access to care, and thus driving up costs and driving down quality. Under the new model, patients should finally be able to log in to a web service and be connected directly to a qualified physician that payers will cover. For telemedicine companies like American Well, Doctor on Demand, and others, this is a major coup.

This combination of technology and new guidelines will reduce ER visits, improve access, and ultimately reduce costs. Once it’s easy to get access to preventative medicine, patients will actually partake in preventative care. As a simple example to illustrate this, let’s examine my wellness checkup habits.

I’m a healthy young male. I haven’t been to the doctor for a checkup in close to a decade and have no intention of going. The process of booking an appointment, leaving my job that I love, and sitting in a waiting room is enough to deter me from ever going to the doctor. But if I could step into a private space and consult with a physician via a video consult for 15 minutes, I might actually get an annual checkup. If the physician discovered something concerning and asked me to come in, I would actually come in. But I would never come in for an in-person visit without an explicit reason to. It’s not worth the pain and headache of going into the doctor’s office unless I have a reason to; the only way to achieve preventive medicine at scale is to make it easy for patients and providers alike.

Ambulances, ERs, and urgent care centers should expect a similar change in their operations. In these environments, specialists can now be reimbursed for first time consults with patients across a range of devices – iPhones, iPads, Androids, Macs, PCs, and even Google Glass. Neurologists can beam into ambulances for strokes, cardiologists for cardiac resuscitations, and trauma specialists for trauma cases. The opportunities are really endless, and my company, Pristine, is proud to lead the way in these new hyper-mobile telemedicine environments.

On the other hand, the new guidelines set forth by the FSMB aren’t all positive. Perhaps most perplexing, the FSMB did not classify messaging and audio-only phone calls as telemedicine. They didn’t strictly forbid either activity, but they made it clear to payers and providers that live, synchronous video is necessary for reimbursement. In light of the shift to ACOs and value-based models, this is perplexing. It’s been suggested that Kaiser Permanente and Group Health physicians reportedly spend up to 2 hours per day interacting with patients through asynchronous messaging.

Despite some setbacks in the new standards set forth by the FSMB, I’m incredibly excited about the future of telehealth across the continuum of care. The new model put forth by the FSMB is just the first of many steps toward a healthcare delivery system in which telemedicine powers the majority of care delivery across the country.




CMS issues 2015 proposed IPPS rule


The Centers for Medicare & Medicaid Services late Wednesday issued a proposed rule for 2015 that reduces payment for readmissions and hospital-acquired conditions, but provides no changes to the controversial two-midnight rule.

UPDATE: Industry leader disappointed IPPS proposed rule doesn't address two-midnight rule

The agency proposes to increase the payment rate for inpatient stays at general acute care hospitals by 1.3 percent in fiscal year 2015, but only 0.8 percent for long-term care hospitals.


CMS Administrator Marilyn Tavenner said in an announcement that the aim of the proposed rule is to improve hospital performance while "creating an environment for improved Medicare beneficiary care and satisfaction."

The proposed rule includes the following changes:

Readmission reductions: CMS proposes to increase the maximum reduction in payments under the Hospital Readmissions Reduction Program from 2 percent to 3 percent in fiscal year 2015. The agency also plans to assess hospital penalties using five readmissions measures endorsed by the National Quality Forum.

Value-based purchasing: The agency will increase incentive payments to 1.5 percent of the base operating diagnosis-related group payment amounts to all participating hospitals. The total amount available for value-based incentives will be $1.4 billion, CMS estimated in the announcement.

Hospital-acquired conditions: The proposed rule calls for a 1 percent reduction in Medicare inpatient payments for hospitals that score in the top quartile for the rate of these preventable conditions. CMS projects that so far the HAC program has saved $25 million by reducing Medicare payments for these conditions.

Look for additional updates about the proposed rule at FierceHealthcare.

Source: CMS issues 2015 proposed IPPS rule - FierceHealthcare http://www.fiercehealthcare.com/story/breaking-news-cms-issues-2015-proposed-ipps-rule/2014-05-01

Where Are the Big Business Associate HIPAA Breaches? | EMR and HIPAA


It seems like I have HIPAA and security on my mind lately. It started with me writing about the 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the latter post, there’s been a really rich discussion around the ability of an enterprise organization to be able to secure their systems better than most healthcare organizations.

As part of that discussion I started thinking about the HHS HIPAA Wall of Shame. Offhand, I couldn’t think of any incidents where a business associate (i.e. a healthcare cloud provider) was ever posted on the wall or any reports of major HIPAA breaches by a large business associate. Do you know of some that I’ve just missed?

When I looked at the HIPAA Wall of Shame, there wasn’t even a covered entity type for business associates. I guess they’re not technically a covered entity even though they act like one now thanks to HIPAA Omnibus. Maybe that’s why we haven’t heard of any and we don’t see any listed? However, there is a filter on the HIPAA Breach disclosure page that says “Business Associate Present?” If you use that filter, 277 of the breaches had a “business associate present.” Compare that with the 982 breaches they have posted since they started in late 2009.

I took a minute to dig into some of the other numbers. Since they started in 2009, they’ve reported breaches that affected 31,319,872 lives. My rough estimate for 2013 (which doesn’t include some breaches that occurred over a period of time) is 7.25 million lives affected. So far in 2014 they’ve posted HIPAA breaches with 478,603 lives affected.

Certainly HIPAA omnibus only went into effect late last year. However, I wonder if HHS plans to expand the HIPAA Wall of Shame to include breaches by business associates. You know that they’re already happening or that they’re going to happen. Although, not as often if you believe my previous piece on them being more secure.

As I considered why we don’t know of other HIPAA business associate breaches, I wondered why else we might not have heard more. I think it’s naive to think that none of them have had issues. Statistics alone tells us otherwise. I do wonder if there is just not a culture of following HIPAA guidelines so we don’t hear about them?

Many healthcare business associates don’t do much more than pay lip service to HIPAA. Many don’t realize that under the new HIPAA omnibus they’re going to be held accountable similar to a covered entity. If they don’t know those basic things, then can we expect them to disclose when there’s been a HIPAA breach? In healthcare organizations they now have that culture of disclosure. I’m not sure the same can be said for business associates.

Then again, maybe I’m wrong and business associates are just so much better at HIPAA compliance, security and privacy, that there haven’t been any major breaches to disclose. If that’s the case, it won’t last forever.
