Privacy & Security/HIPAA/HITECH

School children raising their hands ready to answer the question.When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification scheme, we have an upstream “if-then” (if it’s this kind of information, then it has this classification), followed by a downstream “if-then” (if it’s information with this classification, then we treat it this way). A classification scheme is simply a logical paradigm, and frankly, the simpler, the better. For day-to-day efficiency, once the rules and classifications are set, we automate as much and as broadly as possible, thereby avoiding laborious individual decisions that reinvent the wheel.
Continue Reading Adding some class to Information Governance (Part 1)

Laptop with medical diagnostic software and stethoscopeRecent remarks made by the Centers for Medicare & Medicaid Services (“CMS”) Acting Administrator Andy Slavitt at a healthcare conference indicated that CMS will be ending the “meaningful use” electronic health record (“EHR”) Incentive Program in 2016, five years ahead of its original final end date of 2021. Acting Administrator Slavitt did not elaborate on the specifics of what will replace meaningful use, but stated it would likely be tied to the implementation of the Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) and would include various streamlined quality reporting programs. MACRA emphasizes a new Merit-Based Incident Payment System and alternative payment models, and according to Acting Administrator Slavitt, this new law warrants a new streamlined regulatory approach to EHR as well.
Continue Reading CMS to rewrite the rules of EHR meaningful use

Image copyright Catherine Lane 2015My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016.
Continue Reading HIPAA compliance: another year older, but hopefully not deeper in debt

spotlightiStock_000001543068_LargeThe Office of the Inspector General (OIG) for the U.S. Department of Health & Human Services recently published its Fiscal Year 2016 Work Plan, which summarizes OIG’s priorities over the coming year. Notably, the 2016 Work Plan demonstrates the OIG’s expanded focus on delivery system reform and the effectiveness of alternate payment models, coordinated care programs, and value-based purchasing.

There were also noteworthy areas of new focus for several provider types, including skilled nursing facilities, hospice organizations, ambulatory surgical centers, and physician practices.  Below we have highlighted a few key areas from the FY 2016 Work Plan that will likely impact these providers. Please note this is not intended to be a comprehensive summary of the 2016 Work Plan and is focused only on the new OIG focal areas for these certain providers.
Continue Reading OIG issues FY 2016 Work Plan with more than 40 new focal areas

risk level conceptual meterCancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.
Continue Reading $750K HIPAA settlement highlights importance of risk analysis, device control policy

WaveCrashingThe Anthem breach sent alarm waves through the health care industry and the employer health plan community. With 78.8 million affected individuals for Anthem and 11 million for the companion breach of Premera Blue Cross, the combined size ranks among the largest data breaches in history.

The Anthem and Premera breaches signal a sea change in the threat environment for health plans, a new reality that requires a fresh look at data security. Prudent employers with group health plans should take that fresh look now, by strengthening the data security provisions in their business associate agreements (BAAs) with third-party plan administrators, and also by updating their HIPAA-required security risk assessments.
Continue Reading Data Security for Employer Health Plans Post-Anthem

spinningPlatesiStock_000011904878_LargeIt’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. The healthcare industry is a prime target, especially given the premium value of health information on the black market. And healthcare entities face not only PHI breach exposures, but also security risks for other forms of protected information, such as PII and, for many, cardholder data.

Healthcare organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.
Continue Reading The 10 Key Activities for Effective Data Breach Response – Are You Prepared?

Having no need to brandish bandanas to obscure identity or firearms to force entry, it was reported Wednesday that cyber bandits, in a sophisticated and well-orchestrated robbery, recently waltzed into the IT vaults of Anthem, the second-largest U.S. health insurer, and walked off with personally identifiable information on about 80 million current and former members, a population that comprises Anthem customers, employees and its CEO, Joseph R. Swedish. The haul is reported to have included names, birthdates, social security numbers, medical identification numbers, street and email addresses and employee income data. Fortunately, there’s no indication at this point that credit-card numbers, claims information, test results or diagnostic codes were compromised as part of the crime. That said, to minimize the potential harm, Anthem has called in the FBI and is notifying affected individuals and offering free credit and identity-theft monitoring.
Continue Reading Another notch in the hacking holster: Cyber outlaws hit Anthem hard

Seemingly picking up where we left off in our recent white paper and Advisory Board article, the Obama administration released a 166-page draft plan January 30th intended to drive providers and patients toward a common set of electronic clinical information and a commitment to more fully connected EHR systems by the end of 2017.
Continue Reading Interoperability 2017 – Will the latest government plan be the golden spike that connects the EHR rails?