Patient Engagement and Meaningful Use

I am very excited this week to present with my colleague Dave Schoolcraft at MGMA in Las Vegas.  We have two presentations on Tuesday, the first at 10:15 entitled the Legal Aspects of Meeting Patient Engagement, the second at 2:45 entitled Double Dipping for EHR Funding.

Vegas is all about the money, and Double Dipping for EHR Funding will focus on how physician practices can still obtain money for Electronic Health Record systems.  The presentation will focus on Stark/Anti-Kickback Donation Arrangements and Meaningful Use dollars.  If you are looking to upgrade to 2014 CEHRT this is a presentation you don’t want to miss. Prior to joining our presentation, I suggest reading two articles we published earlier in the year: Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements and Key Lessons Related to Stark Compliant EHR Donation Arrangements.

As for Legal Aspects of Meeting Patient Engagement – this presentation focuses on both HIPAA compliance and Meaningful Use. Stage 2 Meaningful Use includes five patient engagement related objectives, and this time CMS means business.  Two of these five objectives include measures requiring that at least 5% of patients take an action (for example, view, download or transmit their health information, or send a secure message to their provider).  These five objectives make the implementation and use of patient portals essential, as a portal is a key means of communication with patients and an appropriate mechanism for each of these Meaningful Use objectives.

The relevant patient engagement Meaningful Use objectives I am referring to here include:

I have added links to the CMS Eligible Professional Specification Sheets for Stage 2 above because I find them very helpful in deciphering what each of these measures requires.  Meeting these requirements is not a walk in the park, and my clients have expressed difficulty getting patients to send secure messages or log in to a portal.  Often the CEHRT itself makes these tasks quite difficult.  Patient engagement is core to growing a practice, especially as patients begin to pay for more of their own healthcare and start to demand physician interaction via e-mail and other technologies.

If you are interested in learning more about these patient engagement requirements in Meaningful Use stop on by our presentation, or contact me directly.


Meaningful Use Hardship Exception Deadline Extended to November 30, 2014

Still not able to meet meaningful use this year? CMS recently announced that it has reopened submission and extended the deadline for eligible professionals and eligible hospitals to submit a hardship exception application for not demonstrating “Meaningful Use” of Certified Electronic Health Record Technology (CEHRT). The CMS hardship application can be found here.

Under the HITECH Act, eligible hospitals, critical access hospitals, and eligible professionals had to demonstrate “meaningful use” of a CEHRT, or face reductions in their Medicare payment. Under certain circumstances, the Secretary of Health and Human Services has discretion to consider hardship exceptions on a case-by-case basis to avoid payment penalties, including issues related to difficulties with vendors obtaining certification.

The original hardship exception application deadlines of April 1, 2014 (for eligible hospitals) and July 1, 2014 (for eligible professionals) were extended to November 30, 2014.

According to CMS, the reopened hardship exception application submission period applies to eligible professionals and eligible hospitals that:

  • Have been unable to fully implement 2014 Edition CEHRT due to delays in 2014 Edition CEHRT availability; AND
  • Were unable to attest using the flexibility options provided in the CMS 2014 CEHRT Flexibility Rule by October 1, 2014 (eligible professionals) or by July 1, 2014 (eligible hospitals).

For more information about the EHR Incentive Programs and meaningful use please contact Elana Zana.

Meaningful Use Audit Outcomes – Guest Blog Post

October brings a flurry of Meaningful Use attestations, and this October is no different.  Eligible Hospitals finished up their attestation and are wrapping up the 2014 year; Eligible Professionals are checking their numbers and gearing up for their last run at achieving Meaningful Use before the end of the year.  Lingering in the background is ensuring that you have maintained documentation sufficient to meet the auditor’s standards.

Our guest blog post author, Steve Spearman from Health Security Solutions, researched the CMS audit results, and for hospitals the results are not too bad – but the same can’t be said for Eligible Professionals.  Here are the highlights:

Prepayment Audits for Eligible Professionals: 21.5% failed the audit.

Post-Payment Audits for Eligible Professionals:  24% failed the audit.

Post-Payment Audits for Hospitals:  4.7% failed the audit.

Steve’s blog article provides a deep dive into the audit results and the reasons for failure for both Eligible Professionals and hospitals.  To read his terrific blog article click here.  If you are interested in learning more about the audit statistics click here for Jim Tate’s blog article as well.

More audits are coming.  Before attesting, make sure you have double-checked your numbers and completed your security risk analysis (the HIPAA Security Rule risk analysis required by the "protect electronic health information" core objective), including an implementation plan with completion dates for the deficiencies it identifies.  For assistance in preparing for audits or if you recently received an audit please contact Elana Zana.


Meaningful Use Attestation in 2014 – Picture Update

CMS and the Office of the National Coordinator (ONC) recently announced modifications to the meaningful use attestation requirements for 2014. Following significant lobbying from EHR vendors, eligible professionals (EPs), and hospitals, CMS issued a brief reprieve to meeting Stage 2 meaningful use in 2014 – for some lucky participants. Recognizing that EPs and hospitals may still be using 2011 certified EHR technology (CEHRT) or a mixture of 2011 and 2014 CEHRT, CMS created a chart of decision points meant to enable flexibility for EPs and hospitals alike. These options also accommodate EPs and hospitals that have upgraded to the 2014 CEHRT but are still unable to meet the Stage 2 requirements within the mandatory timetables.

However, this flexibility comes with a caveat: EPs and hospitals must explain that their failure to meet Stage 2 in 2014 as scheduled is because they could not “fully implement 2014 Edition CEHRT for the EHR reporting period in 2014 due to delays in 2014 Edition CEHRT availability.” So who is allowed to claim this exception? Though CMS does not provide an exhaustive list of examples, its published comments in the final rule provide some insights and helpful explanations.

Below are maps of decision points and examples of acceptable and unacceptable justifications for not meeting an EP’s scheduled meaningful use stage in 2014, whether it be the 2014 Stage 1 or Stage 2 objectives and measures. Any EPs or hospitals that attest for a different stage than what they were scheduled for must be prepared to defend this decision in an audit, understanding that each case will be evaluated individually; this defense should therefore be very well documented.

[Graphic: Meaningful Use attestation decision points, first or second year]
[Graphic: Meaningful Use attestation decision points, third or fourth year]

Michelle Holmes, consultant with ECG Management Consultants co-authored this post.

BAAs and Beyond: Meeting the 9-22 HIPAA Deadline

Reprinted blog post from DocuSign. Interview between Jennifer Royer of DocuSign and Dave Schoolcraft.

In under two weeks, Covered Entities and Business Associates are required to complete renewed Business Associate Agreements (BAA) to comply with more stringent HIPAA regulations for BAAs that were in place prior to January 2013. We sat down with Dave Schoolcraft, who leads the healthcare law practice at Ogden Murphy Wallace, to help our healthcare and technology partners navigate HIPAA legislation and complete these BAA renewals on time. As Dave explains, digital workflow solutions transform the task at hand from a daunting ordeal to a manageable process, all while reducing time, money and fear associated with 11th hour deadline blues.

What is the significance of the September 22nd BAA deadline?

Simply put, the BAA invokes business operations where Protected Health Information (PHI) is handed over to an outside vendor. For example, say I am the managing physician in a small medical clinic and I decide to hire a consultant to help us figure out how we can efficiently manage billing and reimbursement. I provide this consultant with a spreadsheet of PHI (protected health information). This act requires a BAA, which protects the PHI and the medical clinic against any liabilities. Without the updated BAA, the medical clinic and the consultant directly violate HIPAA. Even if I have a longstanding relationship, I still need to sign an updated agreement.

The process – an additional 6 or 7 different paragraphs — is admittedly an administrative burden as most BAAs span multiple pages. If the agreement only covers what HIPAA requires, the process is fairly straightforward. However, BAAs are heavily negotiated and include indemnification provisions. Therefore, manually executing all updated agreements slows down the process as each existing vendor contract must be signed and completed.

What is the most common inquiry you receive from clients regarding the updated BAA requirements?

With the deadline a blink away, I consistently hear, “Do we really have to update all our BAA contracts?”

The answer is a resounding “yes,” because our digital habits and business environment led to an updated and strengthened HIPAA (let’s call this HIPAA 2.0) back in 2009. With the release of the new HIPAA rules in January 2013, healthcare providers have had ample time to coordinate new BAAs with outside vendors whose services involve PHI.

As we inch closer towards September 22nd, it is important to remember that even if a healthcare provider has a longstanding relationship with a vendor, the new BAA, as part of HIPAA 2.0, offers enhanced language that strengthens risk management against ‘cyber-spillage.’ Specifically, the new HIPAA language requires that the Business Associate comply with the HIPAA Security Rule and provide notice of a breach of unsecured PHI. In short, this is smart business.

Risk management sounds like a great idea. Would you explain what you mean by “smart business?”

Sure, let’s use a common situation as our example. When a healthcare provider engages with an outside vendor – perhaps a SaaS company – that analyzes or works with PHI, there is risk of mishandling or ‘spillage.’ If you handed over 10,000 records of patient data to a digital marketing vendor, you need to both protect the data and yourself from the probability that the marketing vendor will send the PHI to sub-contractors for portions of the scope of work.

The new BAA is a bulwark against unforeseen security breaches: you add armor to the trust you place in vendors and their teams. While you may deem renewing all BAAs a hassle, consider this an opportunity to audit all your vendors and evaluate the risks and value from that relationship.

If you do not follow this approach, then you honestly proceed at your own peril.

What happens if healthcare providers don’t comply with the new BAA requirements and fail to update their BAA contracts on time?

That is actually the second most frequently asked question that we field. Technically a healthcare practice faces statutory penalties for any improperly used or leaked PHI. For example, if a healthcare provider contracts with a medical billing vendor without an updated BAA, they face stiff penalties should there be any improper use of PHI. And with the data breaches in the news recently, you really don’t want to take that risk.

Let’s look closer at a data breach scenario. Say a vendor lost a thumb drive containing a high volume of PHI. Per HIPAA 2.0, it is now the vendor’s responsibility to notify the healthcare provider. A vendor needs to self-confess the data breach, regardless of who is at fault, per the new BAA standards. When the government officials arrive to investigate, they will ask if an updated BAA was in place. Healthcare providers shouldn’t rely on trust with vendors. Mistakes happen. And if a bad one occurs, like the theft of an unencrypted laptop containing thousands of patient records, the healthcare provider and the vendor will be held responsible by the government for both the data breach and the failure to comply with the BAA requirements.

Updating your BAAs is a risk management strategy, and it allows you to add additional protection clauses, such as stipulations about the use of data and operations in the Cloud – an increasing trend for providers and payers. The previous HIPAA requirements for a BAA didn’t place direct liability and responsibility on the vendor for failure to sufficiently secure and protect the patient data. With the proliferation of Cloud vendors and third parties working with healthcare providers, the new BAAs provide a mechanism to not only require the safeguarding of PHI and the reporting of a breach, but the sharing of responsibility when a breach does occur. Renewal of these BAAs also give healthcare providers the opportunity to ensure that there are sufficient indemnification and insurance provisions in place so that if a breach does occur the healthcare provider can expect reimbursement and defense from the responsible party.

How Can DocuSign assist in the process of updating all BAAs?

There is an administrative burden to getting these documents signed. When we talk about redoing all existing BAAs, that’s the classic e-mail/print/sign/scan/fax headache. Multiply one process by the number of vendors. That’s an unreasonable burden, and an expensive one if you think about the time and money that one might spend overnighting documents.

For all businesses handling such an exceptional volume of paperwork, a Digital Transaction Management platform, like DocuSign’s, simplifies the process by automating the retrieval of signatures and storing all documents in a single, secure Cloud-based portal. Furthermore, it is crucial to be able to access compliance documents, like BAAs and provider agreements, within a click of a mouse, should there be an audit. The alternative is hiring lawyers to spend a month in your document basement – we have been there with clients, and that is an expensive, tedious, and stressful process for all parties involved.

Any final words or digital best practices for providers and payers?

It’s important to remember that HIPAA dates all the way back to the mid ‘90s – think about the evolution and revolution that has occurred in terms of digital platforms! There has been a great acceleration – on the clinical data side – in moving from paper to digital. The rules that led to the updated BAAs were passed in conjunction with approximately $20 billion in stimulus funds directed towards health information technology. Those funds are being used to incentivize healthcare providers’ digital adoption, as part of the “Meaningful Use” regulations. A large portion of these funds have also been earmarked to enforce the new and more stringent HIPAA regulations that were put in place when the government recognized additional risks posed by digital adoption.

In essence, the government decided to add more teeth to HIPAA enforcement. They have hired additional enforcement agents, and as such, more healthcare providers have inquiries and audits – a striking evolution from the old days of HIPAA 1.0. Offenders now face more serious penalties: now, more than ever, it is crucial to comply with the renewed HIPAA regulations. What was once a slap on the wrist is now quite serious – around the $1 million mark depending on the egregiousness of the incident.

Essentially, you don’t want to be out of HIPAA compliance should there be an incident or a proactive audit – and one of the first questions HIPAA enforcement agents ask is whether you have an updated BAA with your vendors.

If you face an administrative burden or are losing sleep over getting your BAAs completed on time, consider Digital Transaction Management to simplify the process now and moving forward.

Thank you, Dave for explaining the implications of the updated HIPAA legislation and offering tips for beating the BAA deadline.

For more information about the September 22 deadline and Digital Transaction Management contact Elana Zana or Dave Schoolcraft or:

Large Data Breach Highlights Risks from Foreign Hackers

Community Health Systems (CHS) has announced that the personal information of approximately 4.5 million patients has been breached.  According to CHS, the information includes patient names, addresses, social security numbers, telephone numbers, and birthdates.

Although the breached records do not contain the details of the patients’ treatment at CHS’ hospitals, the identifying information in the records still meets the HIPAA definition of “protected health information.”  Therefore, CHS will have to follow the HIPAA breach notification requirements.

According to CHS’ filing with the Securities and Exchange Commission, CHS has hired the data security firm, Mandiant, to investigate the breach.  Mandiant has pointed blame at a group originating from China who apparently orchestrated the breach through the use of sophisticated malware.

This large breach should be another reminder for health care providers to safeguard their electronic systems and educate staff members on security policies and procedures.  The type of malware that contributed to the CHS breach is often installed when a staff member clicks on a link in an e-mail or responds to an e-mail from attackers posing as security personnel, so phishing awareness belongs in that training.  In addition, health care providers should consider the use of encryption technology that meets the HIPAA breach safe harbor standards: under HHS guidance, PHI encrypted in a manner consistent with NIST standards (for example, NIST SP 800-111 for data at rest) is treated as "unusable, unreadable, or indecipherable," so its loss or theft is not a reportable breach, provided the decryption key was not compromised along with the data and was not stored on the same device.

When in doubt about a suspicious e-mail, phone call, or other communication, staff members should always check with the provider’s information technology personnel and the HIPAA Privacy Officer before taking any action.
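To make the safe-harbor point concrete, the following Go program is an added example, not code from the original post or from CHS. It encrypts a constructed sample record with AES-256-GCM so that a laptop or thumb drive holds only the nonce and ciphertext, while the key is assumed to be held elsewhere (a key management service or HSM). It then shows that a wrong key, a mismatched record identifier, or a tampered ciphertext fails authentication instead of yielding readable PHI. The record format, the Envelope type, the function names and the key-handling boundary are assumptions made for this example.

```go
// Added example (not from the original post): encrypting a PHI record at rest
// with AES-256-GCM so that a lost device holds only ciphertext. The key lives
// elsewhere (KMS or HSM, assumed here); only nonce and ciphertext travel with
// the device. Record format and names are assumptions for this example.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is allowed to sit on the removable media: the nonce and
// the ciphertext (which carries the GCM authentication tag), never the key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random 256-bit AES key. In practice the key would be
// issued by a key management service and never written to the device.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key and binds recordID as associated data,
// so a ciphertext cannot be silently moved onto another patient's record
// without failing authentication.
func Seal(key []byte, recordID string, plaintext []byte) (*Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return &Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope. Any change to the ciphertext, nonce, record ID
// or key makes the authentication tag fail and returns an error rather than
// garbage plaintext.
func Open(key []byte, recordID string, env *Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123|Doe, Jane|1970-01-01|SSN ***-**-6789")
	key, _ := NewKey()
	env, _ := Seal(key, "MRN-000123", record)
	fmt.Printf("on device: %d-byte ciphertext, no key\n", len(env.Ciphertext))

	// Device recovered and key retrieved from the KMS: decrypts cleanly.
	pt, err := Open(key, "MRN-000123", env)
	if err != nil {
		panic(err)
	}
	fmt.Println("with key:", string(pt))

	// Thumb drive lost: the finder has no key, and a guessed key fails
	// authentication instead of producing readable PHI.
	wrongKey, _ := NewKey()
	_, err = Open(wrongKey, "MRN-000123", env)
	fmt.Println("wrong key:", err)

	// Flipping a single ciphertext bit is detected, not silently decrypted.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, "MRN-000123", env)
	fmt.Println("tampered:", err)
}
```

The security property the safe harbor relies on is the key boundary, not the algorithm alone: a full-disk-encrypted laptop whose key is cached unprotected on the same disk, or a drive with its passphrase taped to it, does not meet the HHS guidance even though AES-GCM is sound.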

If you have any questions about the HIPAA breach notification requirements, please contact Casey Moriarty.

Violation of Privacy Rule Leads to $800,000 HIPAA Settlement

Indiana-based Parkview Health System (“Parkview”) has agreed to settle potential violations of the HIPAA Privacy Rule with the HHS Office for Civil Rights (“OCR”) by paying $800,000 and adopting a corrective action plan to address deficiencies in its HIPAA compliance program. The resolution agreement can be found here.

According to the HHS press release, the OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. It is unclear whether any of these medical records were actually viewed by anyone else.

In addition to the $800,000 payment, Parkview entered into a corrective action plan that requires them to:

  • Develop, maintain and revise, as necessary, written policies and procedures addressing requirements of the Privacy Rule and the corrective action plan (“Policies and Procedures”).  Specifically these Policies and Procedures must at a “minimum, provide for administrative, physical and technical safeguards (“safeguards”) to protect the privacy of non-electronic PHI to ensure that such PHI is appropriately and reasonably safeguarded from any intentional, unintentional or incidental use or disclosure that is in violation of the Privacy Rule.”
  • Provide Policies and Procedures to HHS within 30 days of the Resolution Agreement’s Effective Date for HHS’s review and approval.
  • Distribute Policies and Procedures to all Parkview workforce members.
  • Periodically review the Policies and Procedures and update them to reflect changes in operations at Parkview, federal law, HHS guidance and/or any material compliance issues discovered by Parkview.
  • Notify HHS in writing within 30 days if Parkview determines that a workforce member has violated the Policies and Procedures (“Reportable Events”).
  • Provide general safeguards training to all workforce members who have access to PHI, as required by the Privacy Rule.
  • Provide training on its approved Policies and Procedures to all workforce members.
  • Submit to HHS a final report demonstrating Parkview’s compliance with the corrective action plan.

Organizations should pay careful attention to the transfer and disposal of both electronic and paper patient records. The OCR has provided helpful FAQs about HIPAA and the disposal of protected health information. For more information about complying with the HIPAA Privacy Rule, please contact Jefferson Lin or Elana Zana.


Meaningful Use EP Hardship Exception Deadline – July 1, 2014

Not able to meet meaningful use this year?  You may qualify for a hardship exception.  Eligible professionals that qualify for certain hardship exceptions can avoid the meaningful use payment adjustments in 2015 by submitting to CMS the 2015 Hardship Exception Application.  CMS permits EPs to apply for a hardship exception for the following reasons:

  • Infrastructure: Eligible professionals must demonstrate that they are in an area without sufficient internet access or face insurmountable barriers to obtaining infrastructure (e.g., lack of broadband).
  • New Eligible Professionals: Newly practicing eligible professionals who would not have had time to become meaningful users can apply for a 2-year limited exception to payment adjustments. Thus eligible professionals who begin practice in calendar year 2015 would receive an exception to the penalties in 2015 and 2016, but would have to begin demonstrating meaningful use in calendar year 2016 to avoid payment adjustments in 2017.
  • Unforeseen Circumstances: Examples may include a natural disaster or other unforeseeable barrier.
  • Patient Interaction: Lack of face-to-face or telemedicine interaction with patient or lack of follow-up need with patients.
  • Practice at Multiple Locations: Lack of control over availability of CEHRT for more than 50% of patient encounters.
  • 2014 EHR Vendor Issues: The eligible professional’s EHR vendor was unable to obtain 2014 certification or the eligible professional was unable to implement meaningful use due to 2014 EHR certification delays. (Note that CMS has published a proposed rule regarding lack of availability of 2014 CEHRT proposing to permit EPs in certain situations to attest to Stage 1, click here for further information).

CMS has also published the Payment Adjustments & Hardship Exceptions Tipsheet for Eligible Professionals, which further describes the payment adjustments and includes frequently asked questions.

The following categories of EPs do not have to apply for a hardship exception but will automatically be granted one based on their status with CMS:

  • New providers in their first year (both eligible professionals and eligible hospitals).
  • Eligible professionals who are hospital-based: a provider is considered hospital-based if he or she provides more than 90% of their covered professional services in either an inpatient (Place of Service 21) or emergency department (Place of Service 23) of a hospital.
  • Eligible professionals with certain PECOS specialties (Anesthesiology-05, Pathology-22, Diagnostic Radiology-30, Nuclear Medicine-36, Interventional Radiology-94).

Eligible professionals that have not participated in the EHR Incentive Program in the past have the option of avoiding the 2015 payment adjustment if they successfully attest to meaningful use by October 1, 2014.  Those eligible professionals that qualify for any of the above hardship exceptions and will not be able to attest to meaningful use by October 1, 2014 may still apply for a hardship exception, but must do so by July 1, 2014.

For more information about the EHR Incentive Programs and meaningful use please contact Elana Zana.


CMS Proposed Revisions to Meaningful Use – A Welcome Delay

CMS has issued proposed revisions to meaningful use Stages 2 and 3 in response to numerous industry complaints that hospitals and provider groups will not be able to implement the 2014 certified EHR technology with enough time to meet meaningful use in 2014.  CMS, recognizing that EPs and hospitals are either using 2011 CEHRT, 2014 CEHRT, or a mixture of both, issued proposed rules addressing what each category must attest to in 2014.  In a substantial change from the Final Rules issued in September 2012, CMS has agreed to extend Stage 1 in 2014 for those EPs and hospitals that cannot successfully obtain or deploy 2014 CEHRT.  Further, CMS has proposed to delay Stage 3 meaningful use by one year. 

Medicaid Modification

The proposed rule modifies the AIU (adopt, implement and upgrade) exception for those EPs and hospitals attesting for the first time in 2014.  Hospitals and EPs attesting to AIU in 2014 must adopt, implement or upgrade to 2014 Edition CEHRT only; attesting to the 2011 Edition or a combination of editions will not satisfy the definition in 2014.

Meaningful Use Timeline

Originally, all Medicare EPs and hospitals were required to meet meaningful use using the 2014 Edition CEHRT for Stage 1 or Stage 2 in 2014.  This proposed rule delays this process as follows:

Table 2:  Proposed CEHRT Systems Available for Use in 2014

If you were scheduled to demonstrate Stage 1 in 2014, you would be able to attest for Meaningful Use:

  • Using 2011 Edition CEHRT: 2013 Stage 1 objectives and measures*
  • Using 2011 & 2014 Edition CEHRT: 2013 Stage 1 objectives and measures* -OR- 2014 Stage 1 objectives and measures*
  • Using 2014 Edition CEHRT: 2014 Stage 1 objectives and measures

If you were scheduled to demonstrate Stage 2 in 2014, you would be able to attest for Meaningful Use:

  • Using 2011 Edition CEHRT: 2013 Stage 1 objectives and measures*
  • Using 2011 & 2014 Edition CEHRT: 2013 Stage 1 objectives and measures* -OR- 2014 Stage 1 objectives and measures* -OR- Stage 2 objectives and measures*
  • Using 2014 Edition CEHRT: 2014 Stage 1 objectives and measures* -OR- Stage 2 objectives and measures

*Only providers that could not fully implement 2014 Edition CEHRT for the reporting period in 2014 due to delays in 2014 Edition CEHRT availability.  Note: Table 2 is directly from the CMS proposed rule (the similar table in the press release does not contain the asterisk).

To take advantage of the delays, EPs and hospitals must attest that they were not able to upgrade or fully implement to the 2014 Edition CEHRT because of issues related to availability.  Providers that were planning on meeting Stage 2 in 2014 and are now going to attest to Stage 1 in 2014 will be required to begin Stage 2 in 2015.

Stage 3 Delay

CMS also proposed a delay in Stage 3 for a year.  This is welcome news considering that CMS has not yet built-out Stage 3 and is waiting for the results from Stage 2 to “inform [its] development of the criteria for Stage 3 meaningful use.”  Stage 3 will begin on January 1, 2017 for EPs and October 1, 2016 for hospitals and CAHs.  The proposed revised schedule is as follows:

TABLE 3–PROPOSED STAGE OF MEANINGFUL USE CRITERIA BY FIRST PAYMENT YEAR

Rows give the first payment year; columns give the stage of meaningful use to be met in each payment year.

First Pmt Yr  2011  2012  2013  2014     2015  2016  2017  2018  2019  2020  2021
2011          1     1     1     1 or 2*  2     2     3     3     TBD   TBD   TBD
2012                1     1     1 or 2*  2     2     3     3     TBD   TBD   TBD
2013                      1     1*       2     2     3     3     TBD   TBD   TBD
2014                            1*       1     2     2     3     3     TBD   TBD
2015                                     1     1     2     2     3     3     TBD
2016                                           1     1     2     2     3     3
2017                                                 1     1     2     2     3

*3-month quarter EHR reporting period for Medicare and continuous 90-day EHR reporting period (or 3 months at State option) for Medicaid EPs.  All providers in their first year in 2014 use any continuous 90-day EHR reporting period.  Note: Table 3 is directly from the CMS proposed rule (the similar table in the press release does not contain the asterisk).

Clinical Quality Measures

CMS has also relaxed the requirements related to reporting on clinical quality measures (CQMs) in 2014.  Specifically, the method of CQM submission to CMS will depend on the edition of CEHRT deployed by the provider (States will still have discretion over submission requirements).

 

CQM reporting in 2014 by CEHRT edition:

  • Using 2011 Edition CEHRT.  Method of reporting: attestation.  EP reporting requirements: 3 core/alternate core CQMs and 3 additional CQMs, 3-month reporting period (90 days if 1st year).  Hospital/CAH reporting requirements: 15 Stage 1 measures, 3-month reporting period (90 days if 1st year).
  • Using 2011 & 2014 Edition CEHRT (2013 Stage 1 objectives).  Method of reporting: attestation.  EP reporting requirements: 3 core/alternate core CQMs and 3 additional CQMs, 3-month reporting period (90 days if 1st year), derived exclusively from 2011 CEHRT.  Hospital/CAH reporting requirements: 15 Stage 1 measures, 3-month reporting period (90 days if 1st year), derived exclusively from 2011 CEHRT.

Providers using a combination of 2011 and 2014 Edition CEHRT to report on the 2014 Stage 1 or Stage 2 measures, or using 2014 Edition CEHRT alone, should report CQMs as originally indicated in the Stage 2 final rule (i.e., electronic submission) and subsequent rulemaking.

ONC Modifications

In order to support the CMS revisions, ONC has made modifications to its CEHRT definition to reflect the proposed new required start dates.  ONC’s proposed revisions would move the required start dates for the 2014 Edition of CEHRT to October 1, 2014 for hospitals and CAHs and January 1, 2015 for EPs.

For more information on the EHR Incentive Program and meeting meaningful use please contact Elana Zana.

$4.8 Million HIPAA Settlement – Patient Data on the Web

On May 7, 2014, HHS announced that New York-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date. The organizations settled charges that they potentially violated the HIPAA Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”).

NYP and CU operate a shared data network that links patient information systems containing ePHI. On September 27, 2010, the two entities submitted a joint breach report following the discovery that the ePHI of 6,800 individuals had been impermissibly disclosed due to a deactivated server, resulting in ePHI being accessible on internet search engines. The ePHI included patient statuses, vital signs, medications, and laboratory results.

HHS Office for Civil Rights’ (“OCR”) subsequent investigation determined that neither entity had conducted an accurate and thorough risk analysis or developed an adequate risk management plan to address potential threats and hazards to ePHI security. Further, OCR found that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with internal policies on information access management.

NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. In addition, both entities agreed to Corrective Action Plans that require each entity to:

  • Conduct a comprehensive and thorough risk analysis;
  • Develop and implement a risk management plan;
  • Review and revise policies and procedures on information access management and device and media controls;
  • Develop an enhanced privacy and security awareness training program; and
  • Provide progress reports.

Additionally, CU must also “develop a process to evaluate any environmental or operational changes” that impact the security of ePHI it maintains.

This settlement again highlights the necessity for healthcare organizations and business associates to create and implement Security policies and procedures, and to engage in a security management process that ensures the security of patient data.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana or Jefferson Lin.