OCR Fines Are the Least of Your Worries in a HIPAA Related Breach

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Ask any medical professional about their biggest concern for protecting patient information and they will probably tell you about the threat of a random audit conducted by the Office for Civil Rights (OCR). OCR is tasked with enforcing HIPAA regulations and has the ability to hand out fines of up to $1.5 million per violation for a HIPAA breach or for failing to comply with HIPAA regulations.

With recent fines of $4.8 million handed out to New York-Presbyterian Hospital and $1.7 million to Concentra Health Services, physicians have good reason to worry. These massive fines were levied not as the result of a random audit, but following the mandatory reporting of patient data breaches to the Department of Health and Human Services (HHS) and the investigation that followed. So physicians need to reconsider where their real concerns should lie.

Ponemon Study

The 2013 Cost of a Data Breach Study by the Ponemon Institute calculated lost or stolen patient records at $233 per record. Let’s take a look at how quickly the cost of a HIPAA breach can add up:

# of Records Breached    Cost
1                        $233
10                       $2,330
100                      $23,300
1,000                    $233,000
10,000                   $2,330,000
100,000                  $23,330,000

At $233 per record, the recent Community Health Systems breach of 4.5 million patient records could cost more than $1 billion!

Whether a medical provider loses 1,000 or 10,000 patient records, the financial impact could easily set back the organization or even put it out of business. But the “hidden cost” of a HIPAA breach that shouldn’t be overlooked is the damage to the provider’s reputation, the lost trust of patients and the resulting sharp decline in revenues.

Lost patient records spark negative publicity. Take Phoenix Cardiac Surgery (PCS) for example. The Arizona medical practice with five physicians got slapped with a $100,000 fine for a HIPAA breach in 2012. A current search on Google returns the practice’s website plus 28 links to negative news stories related to the HIPAA fine. The consequences? A patient searching for a referred cardiac surgeon from PCS finds the negative publicity and decides to keep searching for another surgeon. Or, an existing patient of PCS decides to look for another medical practice that takes every measure to safeguard his privacy.

Other Cost Factors

Beyond revenue loss and a damaged reputation are the direct overhead costs associated with a breach. The cost of discovering and stopping a breach may involve IT services, forensic investigative services to determine which systems and patients were affected, and legal counsel if patients file a lawsuit. There are also hard costs associated with notifying patients affected by the breach, including time spent to pull together their contact information, mailing out notifications and providing toll-free inbound phone numbers to handle complaints. Most organizations also provide identity and credit monitoring services for affected patients. All of these expenses add up, not to mention the cost of lost productivity due to the diverted attention of employees tasked with managing these processes.

Today it’s not uncommon for laptops, tablets and USB drives with patient records to disappear, for crime rings to hack into EHR systems to steal patient information and commit tax fraud, or for meth dealers to steal patient identities to obtain prescriptions. If a large hospital system can lose 4.5 million patient records, think how easy it is for a hacker to grab thousands of patient records from a smaller medical practice and turn them into cash. The threat of a HIPAA breach has never been greater and all organizations should take heed.

Risk Assessment as a First Step

Healthcare organizations, particularly smaller medical practices, should perform a HIPAA risk assessment to look at where patient information is stored and accessed, and how the organization protects that information. The assessment examines the risks of a breach and recommends steps to lower them. Without performing a risk assessment, an organization may be lulled into a false sense of security, mistakenly believing it won’t suffer the consequences of a HIPAA breach. At $233 per lost or stolen record, that could be a costly miscalculation.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology, Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, his in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company, HIPAA Secure Now!, to focus on the unique IT requirements of medical practices. Email Art at artg@hippasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

August 27, 2014

Can We Start Being Human?

Excuse a moment of somewhat personal commentary, but this story in the New York Times has been making the rounds. Basically, the boards full of smiling babies in a doctor’s office are considered a privacy violation. Here’s an excerpt from the article:

Under the law, the Health Insurance Portability and Accountability Act, baby photos are a type of protected health information, no less than a medical chart, birth date or Social Security number, according to the Department of Health and Human Services. Even if a parent sends in the photo, it is considered private unless the parent also sends written authorization for its posting, which almost no one does.

When I read stories like this, I ask myself “Have we lost all common sense? Can’t we be human?” I get how privacy is important. I’ve written this blog for 9 years and so I know the consequences of HIPAA breaches. Although, I think Dr. Moritz covers my view really well:

“I think we have to have some common sense with this HIPAA business,” Dr. Moritz continued. “To leave medical records open to the public, to throw lab results in the garbage without shredding them, that makes sense” to prohibit. “But if somebody wants to post a picture of something that’s been going on for a millennium and is a tradition, it seems strange to me not to do that,” he said.

I know there are ways to comply with the law and preserve the baby board. Have the parents sign a release form when they drop off the picture. I think you could also add this note in your HIPAA notice that the patient signs before their first visit. However, I think this is missing the point. Isn’t it common sense that someone who sends a picture of their baby to the office isn’t afraid of having that picture shared?

Certainly this change is not life or death stuff. Although, I think the baby boards did provide some humanity to an otherwise sterile office. However, I hate the trend of where this leads. In far too many things we can’t be human anymore. Common sense is missing in so many areas of life and instead of giving people the benefit of the doubt we’re too easy to condemn people who had no ill intent.

I realize there are bad people out there that do bad things. However, they’re the minority and it’s sad when the minority is able to have such an impact on the majority.

August 19, 2014

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Chinese Hackers Reportedly Access 4.5 Million Medical Records

The headline of a tech startup blog I read pretty regularly caught my attention today: “Another day, another Chinese hack: 4.5M medical records reportedly accessed at national hospital operator”. The title seems to say it all. It’s almost like the journalist sees the breach as a standard affair these days. Just to be clear, I don’t think he thinks breaches are standard in healthcare; I think he thinks breaches are standard in all IT. As he says at the end of the article:

Community Health Systems joins a long list of large companies suffering from major cybersecurity breaches. Among them, Target, Sony, Global Payment Systems, eBay, Visa, Adobe, Yahoo, AOL, Zappos, Marriott/Hilton, 7-Eleven, NASDAQ, and others.

Yes, healthcare is not alone in their attempt to battle the powers of evil (and some not so evil, but possibly dangerous) forces that are hacking into systems large and small. We can certainly expect this trend to continue and likely get worse as more and more data is stored electronically.

For those interested in the specific story, Community Health Systems, a national hospital provider based in Nashville reported the HIPAA breach in their latest SEC filings. Pando Daily reported that “Chinese Hackers” used a “highly sophisticated malware” to breach Community Health Systems between April and June. What doesn’t make sense to me is this part of the Pando Daily article:

The outside investigators described the breach as dealing with “non-medical patient identification data,” adding that no financial data was stolen. The data, which includes patient names, addresses, birth dates, telephone numbers, and Social Security numbers, was, however, protected under the Health Insurance Portability and Accountability Act (HIPAA).

I’m not sure what they define as financial data, but social security numbers feel like financial data to me. Maybe they meant hospital financial data, but that’s an odd comment since a stack of social security numbers is likely a lot more valuable than some hospital financial data. The patient data they describe could be an issue for HIPAA though.

As is usually the case in major breaches like this, I can’t imagine a Chinese hacker is that interested in “patient data.” In fact, from the list, I’d define the data listed as financial data. I’ve read lots of stories that pin the value of a medical record on the black market at $50 per record. A credit card is worth much less. However, if I were to dig into the black market for data (which I haven’t, since that’s not my thing), I bet I’d find a lot of buyers for credit card data tied to other personal data like birth dates and addresses. I bet it would be hard to find a buyer for medical data. As in many parts of life, something is only as valuable as what someone else is willing to pay for it. People are willing to pay for financial data. We know that.

We shouldn’t use this idea as a reason why we don’t have to worry about the security and privacy of healthcare data. We should take every precaution available to create a culture of security and privacy in our institutions and in our healthcare IT implementations. However, I’m just as concerned with the local breach of a much smaller handful of patient data as I am the 4.5 million medical record breach to someone in China. They both need to be prevented, but the former is not 4.5 million times worse. Well, unless you’re talking about potential HIPAA penalties.

August 18, 2014

Some Friday HIPAA Humor

It’s Friday after a long week for me and, I imagine, for many of you. So, let’s keep today’s post short and simple and hopefully give you a little laugh. Nothing like humor to help make any day better.

[Image: HIPAA cartoon]

Thanks to Practice Manager Solutions for sharing it with me.

August 8, 2014

Revisiting the ROI of an EHR Investment

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.
Now that we’re well on the road to being meaningful users of an EHR, I thought it would be interesting to take a step back and look at the ROI of an EHR investment. Hopefully this will be a valuable resource for those still considering an EHR investment and those who’ve already adopted an EHR in their practice. Some of the items listed below are benefits you receive automatically just by using an EHR. Other benefits require some thought and effort on your part. Hopefully this list will remind you of EHR benefits you might have forgotten and ones you can still work to achieve.

Repurpose Space – One of the big advantages of EHR software is that you can store your entire chart room on a relatively small server. Plus, if you’re using a hosted EHR solution, you don’t even need space in your office for a server. Once your paper charts get scanned into your EHR, you can often repurpose your chart room into a revenue generating exam room. I’ve seen some cases where an extra exam room made it possible to bring on another doctor or mid-level provider. In other cases, the extra exam room made existing doctors more efficient. Either way, I don’t know very many practices that say, “We have too much space.”

Eliminate or Repurpose Staff – Nobody likes the idea of eliminating staff as part of an EHR implementation. However, there are two ways I’ve seen organizations reduce staff after implementing an EHR. First, some organizations reduce their staff through natural employee attrition. When a member of your staff chooses to leave your organization, some organizations decide not to replace that staff member since many of their duties are no longer needed in an EHR world. Second, some organizations take their existing staff and repurpose them to perform other tasks. For example, I’ve seen HIM (medical records) staff who are also medical assistants switch to more of a clinical role in the organization after implementing an EHR.

Avoid Penalties – One of the best reasons to make an early investment in an EHR is to avoid the government penalties. I’ve written about the meaningful use and PQRS penalties before, but this is likely just the start of the penalties the government and private payers will implement on those who don’t use an EHR. The long term ROI of these penalties is very large for most practices.

Quality Measures and Value Based Reimbursement – Meaningful Use together with the Value Based Reimbursement Modifier (VM) are the start of a shift towards reporting and getting paid based on clinical quality measures and outcomes. EHR software is at the center of this shift and will be essential to easily document and report these measures and outcomes. While we can put a hard number on the EHR incentive payments that are tied to these measures and the VM, you can be certain that this number will only continue to grow as the government and payers require more data.

Improved Charge Capture – Eight years ago, improved charge capture was the main ROI mechanism that EMR vendors used to sell software. The idea being that the EMR could help you more fully document the patient visit and thus allow you to bill at a higher level than you were doing previously. As in most things involving money, some doctors took this too far and started using the EMR to over code visits. These EHR over code abusers aside, the majority of doctors I know are chronic under coders. Many of these doctors under code because they don’t want to spend time documenting the normal findings that would let them code at a higher level. A well implemented EHR can help doctors fully document even the normal findings in a visit and therefore allow them to bill at a higher level.

Cancel Transcription – Depending on how you use (or don’t use) transcription, this may or may not be a part of your EHR ROI calculation. While transcription can still be used with an EHR, the majority of EHR users stop transcribing as part of the EHR implementation process. Once you make the switch to documenting directly in the EHR or using voice recognition, it’s easy to forget how much money you were spending on transcription.

Improved Workflows – A well implemented EHR software can improve your clinic’s workflows. The lab result workflow is a great example of how an EHR can improve the workflow in your office. The amount of time saved ordering labs and retrieving lab results in an EHR world is significant. Sure, lab interfaces aren’t perfect, but they’re a lot better than the paper model. You can see similar workflow benefits from X-rays and even a well implemented patient portal. Of course, your workflow can be negatively impacted if you’re not careful and thoughtful in how you implement your EHR. However, EHR technology can do a lot to improve a clinic’s workflow when you replace time intensive paper processes.

Streamlined Internal Communication – Related to improved workflows is improved communication. When it comes to internal office communication, most EHR software comes with a secure internal messaging service or task system. This replaces all those sticky notes, stacks of charts, or notes in boxes that would occur previously. Now messages aren’t lost and can be more easily tracked in the internal EHR messaging. Plus, you can also often report on how fast tasks are being completed.

Streamlined External Communication – We’re still early in EHR’s ability to facilitate secure communication with external providers. While some EHR software offers a provider portal for this communication, I’m more interested in the progress of Direct Project which allows the secure transfer of patient records between doctors. As these technologies mature, the time saved at the fax machine and sorting data records will be tremendous.

Eliminate Paper – Once you implement an EHR, you quickly forget how much money you were spending on paper and paper charts. Don’t forget to think about this cost savings when looking at the value of EHR. While some paper just disappears post EHR implementation, you’ll likely find that there’s still plenty of paper lingering around your office. You’ll never eliminate all of the paper from your practice, but you should ask yourself if you really need the paper you’re using or if it’s just part of an old practice that’s no longer needed. Furthermore, many EHR enabled offices print off insane amounts of paper from their EHR for no reason. This extra cost can be avoided with a little planning and awareness.

Chart Search Time – This is another one of the EHR benefits that quickly gets taken for granted. In the EHR world, it is extremely simple to find the right chart. I don’t need to outline the challenges that existed in the paper world with finding the paper charts. Medical records staff were amazing at organizing and finding paper charts, but this all required a lot of time organizing and locating the right chart. This is all but eliminated in the EMR world.

Along with the financial and efficiency benefits mentioned above, there are lots of other benefits to using an EHR, like legible notes, drug-to-drug interaction checking, and ePrescribing, to name a few. However, even more important than all of the benefits mentioned above is how important an EHR will be to future reimbursement and care. As was mentioned, Medicare has started penalizing non-EHR users and we’ll likely see other payers follow their lead in some form or fashion. Along with current and future EHR related penalties, there’s a real risk that you won’t be able to practice the highest quality medicine without an EHR and the future technologies it facilitates. The medical standard of care will likely require an EHR.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.

August 5, 2014

Unfinished Business: More HIPAA Guidelines to Come

The following is a guest blog post by Rita Bowen, Sr. Vice President of HIM and Privacy Officer at HealthPort.

After all of the hullabaloo since the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released the HIPAA Omnibus Rule, it’s humbling to realize that the work is not complete. While the Omnibus Rule covered a lot of territory in providing new guidelines for the privacy and security of electronic health records, the Final Rule failed to address three key pieces of legislation that are of great relevance to healthcare providers.

The three areas include the “minimum necessary” standard; whistleblower compensation; and revised parameters for electronic health information (EHI) access logs. No specific timetable has been provided for the release of revised legislation.

Minimum Necessary

The minimum necessary standard requires providers to “take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”

This requires that the intent of the request and the review of the health information be matched, to assure that only the minimum information intended for the authorized release is provided. To date, HHS has conducted a variety of evaluations and is in the process of assessing that data.

Whistleblower Compensation

The second bit of unfinished legislation is a proposed rule being considered by HHS that would dramatically increase the payment to Medicare fraud whistleblowers. If adopted, the program, called the Medicare Incentive Reward Program (IRP), will raise payments from a current maximum of $1,000 to nearly $10 million.

I believe that the added incentive will create heightened sensitivity to fraud and that more individuals will be motivated to act. People are cognizant of fraudulent situations but they have lacked the incentive to report, unless they are deeply disgruntled.

Per the proposed plan, reports of fraud can be made by simply making a phone call to the correct reporting agency which should facilitate whistleblowing.

Access Logs

The third, and most contentious, area of concern is with EHI access logs. The proposed legislation calls for a single log to be created and provided to the patient, that would contain all instances of access to the patient’s EHI, no matter the system or situation.

From a patient perspective, the log would be unwieldy, cumbersome and extremely difficult to decipher for the patient’s needs. An even more worrisome aspect is that of the privacy of healthcare workers.

Employees sense that their own privacy would be invaded if regulations require that their information, including their names and other personal identifiers, be shared as part of the accessed record. Many healthcare workers have raised concern regarding their own safety if this information is made openly available. This topic has received a tremendous amount of attention.

Alternate plans are under discussion that would negotiate the content of access logs, tailoring them to contain appropriate data about the person the patient is asking about, while still satisfying patients and protecting the privacy of providers.

The Value of Data Governance

Most of my conversations circle back to the value of information (or data) governance. This situation of unfinished EHI design and management is no different. Once released, the new legislation for the “minimum necessary” standard, whistleblower compensation and revised parameters for medical access logs must be woven into your existing information governance plan.

Information governance is authority and control—the planning, monitoring and enforcement—of your data assets, which could be compromised if all of the dots are not connected. Organizations should be using this time to build the appropriate foundation to their EHI.

About the Author:
Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry. She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort, where she is responsible for acting as an internal customer advocate. Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership. Ms. Bowen is the recipient of the Mentor FORE Triumph Award and is a Distinguished Member of AHIMA’s Quality Management Section. She served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including the CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records. She served on the CCHIT security and reliability workgroup, as Chair of Regional Committees for East-Tennessee HIMSS and as co-chair of Tennessee’s e-HIM group. She is an adjunct faculty member of the Chattanooga State HIM program and the UT Memphis HIM Master’s program. She also serves on the advisory board for Care Communications based in Chicago, Illinois.

August 4, 2014

10 Ways Many Dental Offices Are Breaching HIPAA

The following is a guest blog post by Trevor James.

If you work in the health/dental/medical space, you already know that HIPAA violations are a serious matter. Fines today for not complying with HIPAA laws and regulations range from a minimum of $100-$50,000 per violation or record to a maximum of $1.5 million per year for violations of the same provision. Some violations also carry criminal charges, resulting in jail time for the violators.

Many dental offices are breaching HIPAA laws without realizing it or have employees doing so without their knowledge.

If you’re a dentist, office manager, or someone who’s been tasked with ensuring HIPAA security within your group, here are the 10 most common ways dental offices are breaching HIPAA regulations so your practice doesn’t make the same mistakes as others.

1. Devices with patient information being stolen

This is a common HIPAA violation for dental offices. It’s important to ensure the devices your dental office uses, like USB flash drives, mobile devices and laptops, are carefully handled and securely stored to prevent them, and the patient information on them, from being stolen.

2. Losing a device with patient information

Along the same lines as above, it’s also easy (and common) for an employee to lose those kinds of devices. USB flash drives and mobile devices are smaller items, so it’s easy to misplace them. When that happens, it’s easy for sensitive patient information to end up in the wrong hands.

Train your employees on the importance of properly handling these devices and set up some sort of device tracking, like the Find My iPhone app or Where’s My Droid, to help you locate a device if it ends up lost.

3. Improperly disposing of papers and devices with patient information

When it comes time to get rid of papers or devices containing dental records or billing information, be sure you properly dispose of them. Crumpling paper in a ball and throwing it in the trash isn’t the correct way to do things nor is shutting down a device and then tossing it in the garbage. Use a paper shredder and wipe your devices clean of all information before disposing of them.

4. Not restricting access to patient information

Unauthorized access to a patient’s dental information will get you in serious trouble with HIPAA. Patients trust your office with this personal information, so be smart when handling such information so other patients, employees and relatives who aren’t allowed access don’t come across it.

A dental practice breached HIPAA in a case relating to this when they put a red sticker reading “AIDS” on the outside cover of patient folders and those not needing to know said information were able to read it while employees handled the folders. Don’t make simple, costly mistakes like they did.

5. Hacking/IT incidents

Most patient dental information now is stored on computers, laptops, mobile devices, and in the cloud. Today’s technology allows dental practices to more easily communicate, and look up and share patient information or their status on these devices.

The downside of this technology is the people who are just as smart or smarter than your technology and hack into your devices or systems to get their hands on patient information. Make sure every device requires some type of passcode or authentication to get on, enable encryption, and turn on personal firewalls and security software.

6. Sending sensitive patient information over email

While it’s not a violation to send these kinds of emails, it is a violation if the email is intercepted and/or read by someone without authorized access. Use encryption and double check that whoever you’re sending the email to is supposed to be receiving it.

7. Leaving too much patient information over a phone message

A patient may give you the A-Okay to call them, but be sure you don’t leave a message disclosing too much of their information. A friend or family member could check your patient’s messages and hear things they shouldn’t, making said patient upset. Equally bad, you could call the wrong number and say more than you should, which would probably make your patient even more upset with you. Your safest bet when you call a patient and they don’t answer is to leave a message asking them to call you back.

8. Not having a “Right to Revoke” clause

When your dental office creates its HIPAA forms, you have to give your patients the right to revoke the permissions they’ve given to disclose their private dental information to certain parties. Not providing this information means your HIPAA forms are invalid and releasing subsequent information to another party puts you in breach of HIPAA.

9. Employees sharing stories about patient cases

People talk. It’s a simple fact. Employees talk with one another and they also talk to patients every workday. Remind them, though, that discussing a patient’s information with an employee lacking authorized access or with other patients is unprofessional and puts your whole practice at risk of a HIPAA fine.

10. Employees snooping through files

It might seem shocking, or maybe not to some, but employees have been caught snooping through patient and co-worker files. They do it to satisfy their own curiosity, and also because relatives or friends ask them to find out about a particular person. Snooping is wrong and unprofessional on every level.

Make sure your employees are clear on this and that they understand how bad the consequences can be for them and your office for doing so.
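Telling employees not to snoop is the policy half; the other half is noticing when it happens, and the access logs a practice-management system keeps are where that shows up. The following is an added example for this post, not code from the original article or from any product it names. It assumes a hypothetical CSV-style chart-access log with columns timestamp, user, patient_id and action, plus two lookup tables the practice would already have: the day's schedule (which patients each user is expected to touch) and a roster of which patient records belong to staff members. The log lines and tables are constructed for the example, and a hit is a lead for a manager to review, not proof of misconduct.

```python
"""Flag chart accesses that look like snooping.

Added example, not code from the original post or any product it names.
Assumes a hypothetical access log (timestamp,user,patient_id,action), a
per-user daily schedule, and a roster mapping staff patient IDs to usernames.
"""
import csv
import io
from collections import Counter

# Constructed sample: patient records that belong to employees.
STAFF_PATIENT_IDS = {"P-2001": "nbrown", "P-2002": "rgreen"}

# Constructed sample: patients each user is scheduled to see today.
SCHEDULE = {
    "nbrown": {"P-1001", "P-1002"},
    "rgreen": {"P-1003"},
    "tfront": {"P-1001", "P-1002", "P-1003"},  # front desk sees the whole day
}

# Constructed sample access log: rgreen browses a co-worker's chart and then
# three patients who are not on the schedule, in under two minutes.
SAMPLE_LOG = """timestamp,user,patient_id,action
2014-07-28T08:55:10,nbrown,P-1001,view_chart
2014-07-28T09:02:41,nbrown,P-1002,view_chart
2014-07-28T09:30:05,rgreen,P-1003,view_chart
2014-07-28T12:15:22,rgreen,P-2001,view_chart
2014-07-28T12:16:03,rgreen,P-1009,view_chart
2014-07-28T12:16:40,rgreen,P-1010,view_chart
2014-07-28T12:17:12,rgreen,P-1011,view_chart
2014-07-28T13:01:00,tfront,P-1002,view_chart
"""


def parse_log(text):
    """Parse the CSV log text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_snooping(rows, schedule, staff_ids, burst_threshold=3):
    """Return a list of (user, patient_id, reason) findings.

    Rules applied to every row:
      coworker_record -> user opened a chart that belongs to another employee
      off_schedule    -> patient is not on that user's schedule for the day
    And once per user:
      burst:N ...     -> N off-schedule views, N >= burst_threshold
    """
    findings = []
    off_schedule_counts = Counter()
    for r in rows:
        user, pid = r["user"], r["patient_id"]
        if pid in staff_ids and staff_ids[pid] != user:
            findings.append((user, pid, "coworker_record"))
        if pid not in schedule.get(user, set()):
            findings.append((user, pid, "off_schedule"))
            off_schedule_counts[user] += 1
    for user, n in off_schedule_counts.items():
        if n >= burst_threshold:
            findings.append((user, "*", f"burst:{n} off-schedule views"))
    return findings


def users_to_review(findings):
    """Distinct users with at least one finding, for the manager's list."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    hits = find_snooping(parse_log(SAMPLE_LOG), SCHEDULE, STAFF_PATIENT_IDS)
    for user, pid, reason in hits:
        print(f"{user:8} {pid:7} {reason}")
    print("review:", users_to_review(hits))
```

The off-schedule rule on its own produces noise (a hygienist covering for a colleague will trip it), which is why the burst count and the co-worker rule are there: a single unexpected chart is a question, four in two minutes including a colleague's record is a conversation.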

HIPAA violations in dental offices are all too common. Now that you know the top 10 ways dental offices are breaching HIPAA, you can take every precaution necessary to prevent your practice from violating any HIPAA laws and regulations.

About The Author

Trevor James is the marketing manager for Dentrix Ascend, a cloud-based dental practice management software, and Viive, a dental practice software for Macs.

July 28, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

HIPAA Risk Assessment Infographic

Written by:

I’ll admit that I’m a sucker for infographics. I usually post the various EHR infographics I find on EMR Thoughts, but this one seemed more appropriate to post on EMR and HIPAA. You can find all of the EHR and Health IT infographics I’ve posted on this Healthcare IT Infographic Pinterest board as well.

Thanks to Coalfire for putting together this HIPAA Security Risk Analysis Myths infographic.

Update: David Harlow offered this interesting note that might be helpful to some: “The infographic suggests that only covered entities need to undergo a security risk assessment. In the EHR context that makes sense, since those with EHRs are CEs, but of course Business Associates need to do this too.”

HIPAA Risk Assessment Infographic

July 25, 2014 | Written By


Meaningful Use Audits, RAC Audits, and HIPAA Audits

Written by:

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.
Barry Haitoff
Healthcare has always been a deeply regulated industry, so in many ways healthcare organizations are already used to dealing with government scrutiny. However, we’ve recently seen a number of new audit programs hit the healthcare world that didn’t exist even a few years ago. Here’s a look at a few of them you should be prepared for.

Meaningful Use Audits
This is one of the newest audit programs to hit healthcare. Depending on your attestation history, it could have a tremendous impact on your organization’s financial health. These EHR incentive audits have been happening across every size organization and are conducted by the CMS hired auditing firm, Figliozzi and Company of Garden City, N.Y. If you get a letter or email from Figliozzi you’ll know what it is right away. An EHR incentive audit is a big deal since the meaningful use program is all or nothing. If they find even one thing wrong with your meaningful use attestation, you could lose ALL of your EHR incentive money.

CMS recently released an informative guidance document outlining the supporting documentation needed for an EHR incentive audit. Pages 4 and 5 of the document go through the attestation objectives and detail the audit validation and suggested documentation needed for each. If you’ve attested to meaningful use, take some time to go through the document and make sure you can produce the necessary documentation if asked. In many cases this is simply dated screenshots proving measure completion. While many EHR vendors can be helpful in the meaningful use audit process, you should not rely on them entirely.

In a recent blog post, Jim Tate makes a compelling case for why you might want to consider doing a mock EHR incentive audit and how to make sure that the audit is effective. Although smaller organizations won’t likely be able to afford an outside audit, having it done by someone in your organization that wasn’t involved in the attestation is beneficial. The CMS guidance document could be used as a guide. A mock audit could help discover any potential issues and help you put mitigation strategies in place before you have a real audit and your hands are tied.

Recovery Audit Contractor (RAC) Audits
RAC audits are currently on hold while CMS works to improve the program and deal with the enormous audit backlog. We still haven’t heard from CMS about when the RAC audits will resume, but we should hear something later this summer. The fact that no RAC audits are occurring right now does not mean the claims you’re filing today won’t be audited once the program resumes.

The best thing you can do to be prepared for RAC audits is to make sure that your documentation and billing ducks are in a row. A great place to start is to look at your most common denials and look at how you can improve your clinical documentation, coding and billing for each of these denials. Also, make sure that your process for responding to audits is standardized and effective. The RAC audit is just one example of an audit performed by payers. Don’t be surprised if you’re subjected to audits from other agencies or commercial payers.

RAC audits recovered billions of dollars in overpayments in recent years. You can be sure that they will continue and that other similar initiatives are coming our way. There’s just too much incentive for the government not to do it.

HIPAA Audits
The US Department of Health and Human Services’ Office for Civil Rights (HHS OCR) first started doing HIPAA audits as part of a 2011 pilot program. It’s fair to say that HHS OCR’s audit program was one of discovery as much as it was of compliance. However, the HITECH Act and Omnibus Rule have started to up the ante when it comes to enforcement of HIPAA. HHS OCR announced that they’d be surveying 800 covered entities and 400 business associates to select the next round of audit subjects. An OCR spokesperson said, “We hope to audit 350 covered entities and 50 BAs in this first go around.”

Unlike the previous audits, which were done by KPMG, these HIPAA audits will be done by OCR staff. One area these audits will likely focus on is the HIPAA Security Risk Assessment. The importance of doing this cannot be overstated, and it is illustrated by the fact that it’s a requirement for meaningful use. I will be surprised if these audits don’t also focus on the new HIPAA Omnibus Rule requirements. I’m sure many of the HIPAA audits will catch organizations that never updated their HIPAA policies to comply with HIPAA Omnibus.

Summary
No one enjoys an audit of any sort. However, being well prepared for an audit will provide some level of comfort to yourself and your organization. Now is your opportunity to make sure you’re well prepared for these audits that could be coming your way. These audit programs likely aren’t going anywhere, so take the time to make sure you’re prepared.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.

July 14, 2014 | Written By

NY Med Social Media Firing

Written by:

Update: Katie Duke stopped by and left the following comment that’s worth noting:

Thank you for this article and review. I did not violate any aspect of the social media policy or HIPAA and was technically fired for what my manager calls “we just don’t want you working here anymore and you’re insensitive” (as referring to the post).

I have been in the spotlight for several years and thoroughly respect the rules and regulations of our profession and its presence on social media. My goal is to change the portrayal of nursing in the media. We all make mistakes and we must learn from them. Do I feel it was a terminable offense? No. I feel I should have been counseled or even given some constructive criticism. After all, I am a great nurse and was with NYP for 7 years, and if their motto is to put patients first then they should advocate more for the retention and growth of the nurses they have. Nurses are NOT disposable. Thank you for this venue to get the dialogue going about this rather controversial and taboo topic.

I applaud Katie’s efforts since I’ve often commented how nurses are an afterthought during an EHR selection and implementation process and that’s a pity since they’re such an important part of the organization. I imagine this same thing applies to other hospital policies. Thanks for your added comments Katie.

Last night was the premiere of the second season of NY Med on ABC. I saw the previous season and enjoyed it and so I was interested to see the new season. I like all of the show except for Dr. Oz who is obviously there because he has a big name and not because he’s actually practicing medicine. I love the quote I read online “Dr. Oz is a fake even when he’s scrubbing in. His mask isn’t on while he’s fake scrubbing.” All of the Dr. Oz parts felt very contrived so they could get him involved in the show. When real cardiology was being practiced, he called in the leading expert, or at least someone who actually could help the patient.

Dr. Oz part aside, the 3 ER nurses are my favorite part of the show. I remembered 2 of the 3 from last season and so I was really glad to see that they were back. Those are some firecracker nurses that always face interesting situations in the ER.

While the show isn’t perfect since as soon as you turn a camera on, people change, it’s still an interesting look into the challenges that many doctors and nurses face on the front lines of healthcare. While Grey’s Anatomy is a well written, entertaining drama and sometimes taps trending topics for its story, it’s not a good depiction of reality.

With the above review in mind, I was particularly intrigued last night when Katie Duke, one of the ER nurses, got fired from the hospital for posting a picture on Instagram. It was pretty interesting to see both the other ER nurses’ and Katie’s first-hand response to her being fired and escorted from the building.

Since this is EMR and HIPAA, let’s talk about the HIPAA implications of what Katie did. They didn’t show the picture she posted for very long, but there were no people in the picture, just a room after a trauma case in the ER. At a quick glance I can’t imagine there’s any HIPAA violation in the picture. She did tag it with a number of hashtags. The only one that seemed in question was “#Man vs 6 train,” but that’s not a HIPAA violation either, and it would be an enormous stretch to make the case that it is.

I think it’s fair to say she didn’t violate HIPAA with her Instagram post. However, that doesn’t mean she didn’t violate a hospital social media policy. I’d be interested to see New York Presbyterian’s (the hospital that fired her) social media policy. It’s hard to guess what it might include. I’ve seen really strict social media policies, really open social media policies, and organizations with no policy at all (that’s scary). Given their policy, it might very well have been appropriate to fire her; and if it wasn’t, Katie Duke seems like someone who would fight back in court.

While Katie Duke was fired from New York Presbyterian, she was hired at Roosevelt on the West Side. I wonder what they said to Katie about social media when they hired her. In the NY Med episode they show her doing well. They noted that she was great with patients but was having a challenge getting up to speed on their computer system. Makes me wonder what EHR they use in their ED. That said, I think it’s safe to say this could be said about any ER nurse in any ER regardless of the computer system they use. It just takes some time to get up to speed on an EHR.

In case you’re wondering, Katie Duke has launched a website and on July 1st she’s launching a YouTube show, she has an endorsement deal with Dickies and Cherokee scrubs, has speaking engagements around the country, and a line of merchandise around the phrase “Deal With It.” I guess that’s how she’s chosen to deal with the firing. If you look at her Twitter account, you can see a lot of nurses who really look up to her and appreciate her.

The discussion of social media in the workplace is an important one, and it’s really important that you understand your employer’s views on the subject if you’re going to take part in it. Still, I think we all have to appreciate the irony of a hospital firing someone for posting a picture to Instagram while that same hospital has a bunch of cameras recording video inside for a TV show on ABC. It feels pretty hypocritical: do as I say, not as I do.

What do you think? Did you see the show? Where will social media sharing take us in healthcare and what will be the good and bad consequences of it?

June 27, 2014 | Written By
