Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Inspector General Says CMS Made $729 Million In Questionable EHR Incentive Payments

Posted on June 16, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

A new report from the HHS Office of Inspector General has concluded that over a three-year period, CMS made roughly $729.4 million in EHR incentive payments to providers who didn’t comply with program requirements.

To determine whether the incentive program was functioning appropriately, the OIG audited payments made between May 2011 to June 2014.

After sampling payment records for 100 eligible professionals, the agency found 14 EPs, who received payments totaling $291,022, who didn’t meet incentive criteria.  The auditors found that the 14 had either failed to meet bonus criteria or didn’t provide proof that they had.

Then, the OIG used the data to extrapolate how much CMS had spent on invalid payments, which is how it arrived at the $729 million estimate. In other words, given the margin of error across the sampled incentive payments, the OIG assumed that 12% of all incentive payments were in error. (The analysis also concluded that CMS mistakenly paid $2.3 million to EPs switching between Medicare and Medicaid programs.)

Not surprisingly, the OIG has recommended that CMS recover the $291,000 in payments made to the sampled providers. It also suggested that the agency review EP payments issued during the audit period to see what other errors were made. Of course, the ultimate goal is to get back the approximately $729.4 million the agency may have paid out in error.

In addition, the OIG  called on CMS to review a random sample of self-attested documentation from after the audit period, to determine whether additional inappropriate payments were made to EPs.

And to make sure the EPs don’t get payments under both Medicare and Medicaid incentive programs for the same program year, the report urged CMS to conduct edits of the National Level Depository system.

As part of this report, the OIG noted that allowing providers to self-report compliance data leaves the incentive payment program open to fraud, and recommended keeping a closer eye on these reports. CMS seems to have had at least some sympathy for this argument, as it apparently agreed partly or fully with all of the OIG’s suggested actions.

One side effect of the OIG report it brings back attention to the Meaningful Use program, which has been eclipsed by MACRA but still clings to life. Eligible providers can still report either Modified Stage 2 or Stage 3 in 2017, the main difference being you need a full year of data for Stage 2 but only 90 days for Stage 3.

But MACRA does change things, as its performance standards will test providers in new ways. This year, providers have a chance to get situated with either the MIPS or APM track, and those who jump in now are likely to benefit.

Meanwhile, the future of Meaningful Use remains fuzzy. To my knowledge, the agency has no immediate plans to restructure the current incentive program to audit provider reports in depth. In fact, given that providers are more concerned about MACRA these days, I doubt CMS will bother.

That being said, it’s fair to assume that incentive payouts will get a bit more attention going forward. So be prepared to defend your attestation if need be.

Seven Factors That Will Make 2018 A Challenging Year For EMR Vendors

Posted on May 24, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Unless they’re monumentally important, I generally don’t regurgitate the theories researchers develop about health IT. But this time I’m changing strategies. While their analysis may not fit in the “earth shattering” category, I thought their list of factors that will shape 2018’s EMR market was dead on, so here it is.

According to a report created by analyst firm Kalorama Research, a number of trends are brewing which could make next year a particularly, well, interesting one for EMR vendors. (By the by, the allegedly Chinese curse, “May you live in interesting times” probably wasn’t Chinese in origin — it seems to have been minted in the 19th century by a British politician named Joseph Chamberlain. But I digress.)

According to Kalorama publisher Bruce Carlton, many forces are converging, including:

  • Frustrated physicians: Physician rage over clunky EMRs may boil over next year. No one vendor seems positioned to scoop up their business, but of course many will try.
  • Hospital EMR switches: While hospitals have been switching out EMRs for quite some time, defections may climb to new levels. Their main objective: Improve workflows.
  • Emerging technologies: Trendy approaches like dashboarding, blockchain and advanced big data analytics will begin to be integrated with existing EMR technologies. Or as the report notes, “the Old EMR doesn’t cut it anymore.”
  • IT staff shortages: It takes a pretty seasoned IT pro to run an EMR, but they’re hard to find, especially if you want them to have a lot of relevant experience. But without their expertise, provider organizations may not get the most out of their systems. This may spell opportunity for vendors offering better service, the report says.
  • Breach of the day: With each cybersecurity breach, EMRs get negative coverage, and the effects of this bad PR are accreting. Tales of ransomware, a particularly lurid form of cybercrime, are only making things worse.
  • Many EMR vendors remain: Despite a barrage of M&A activity in the sector, there are still over 1,000 vendors in the EMR space, Kalorama notes. In other words, competition for EMR customers will still be brisk, particularly given that no one vendor – even giants like Cerner and Epic – owns more than one-fifth of the market (This assertion comes from firm’s own market estimates.)
  • New Administration, new goals: To date the White House hasn’t proposed specific changes to health IT policy, but one clue comes from the appointment of an HHS Secretary who dislikes the meaningful use program. Anything could happen here.

In addition to the factors cited by Kalorama, I’d suggest one other trend to consider. As I’ve noted above, Kalorama argues that customers will demand EMRs that incorporate sexy new technologies, perhaps more so than in the past. I’d go further with this projection. From what I’m hearing, a consensus is emerging that EMR architectures must be completely deconstructed and rethought for today’s data.

With important data flows emerging from wearables, apps, remote monitoring devices and the like, it may not makes sense to put a big database at the center of the EMR platform anymore. After all, what’s the point of setting up an enterprise EMR as the ultimate source of truth if so much important data is being generated by mobile devices at the network edge?

Anyway, that’s my two cents, along with Kalorama’s predictions. What do you think 2018 will look like for EMR vendors, and why?

The Downside of Interoperability

Posted on May 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

It’s hard to argue that achieving health data interoperability is not important — but it comes with risks. And I’ve seen little discussion of the fact that interoperability may actually increase the chance that a major attack could hit a wide swath of healthcare providers. It might be extreme to suggest that we put off such efforts until we step up the industry’s security status, but the problem shouldn’t be ignored either.

Sure, data interoperability is a critical goal for healthcare providers of all stripes. While there’s room to argue about how it should be accomplished, particularly over whether providers or patients should drive health data management, there’s no question it needs to get done. There’s little doubt that most efforts to coordinate care will fall flat if providers are operating with incomplete information.

And what’s more, with the demand for interoperability baked into MACRA, we pretty much have no choice but to make it happen anyway. To my knowledge, HHS has proposed neither carrot nor stick to convince providers to come on board – nor has it defined “widespread” interoperability to my knowledge — but the agency has to achieve something by 2018, and that means change will come.

That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring. Unfortunately, security is only as good is the weakest link in the chain, and data sharing increases the length of the chain exponentially. Of course, the risk varies a great deal depending on who or what the data-sharing intermediary is, but the fact remains that a connected network is a connected network.

The problem only gets worse if interoperability is achieved by integrating applications. I’m no software engineer, but I’m pretty sure that the more integrated providers’ infrastructure is, the more vulnerabilities they share. To be fair, hospitals theoretically vet their partners, but that defeats the purpose of universal data sharing, doesn’t it?

And even if every provider in the universal data sharing network practices good security hygiene, they can still get attacked. So it’s not a matter of requiring participants to comply with some network security standard, or meet some certification criteria. Given the massive incentives these have to steal health data (and lock it up with ransomware), nobody can hold out forever.

The bottom line is that I believe we should discuss the matter of security in a fully-connected health data sharing network more often.

Yes, we almost certainly need to press ahead and simply find a way to contain the risks. We simply can’t afford our fragmented healthcare system, and data interoperability offers perhaps the best possible chance of pulling it back together.

But before we plunge into the fray, it only makes sense to stop and consider all of the risks involved and how they should be addressed. After all, universal interconnection exposes a virtually infinite number of potential points of failure to cybercrooks. Let’s put some solutions on the table before it’s too late.

The Real HIPAA Blog Series on Health IT Buzz

Posted on April 8, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

If you’re not familiar with the Health IT Buzz blog, it’s the Health IT blog that’s done by ONC (Office of the National Coordinator). I always love to see the government organizations blogging. No doubt they’re careful about what they post on their blog, but it still provides some great insights into ONC’s perspective on health IT and where they might take future regulations and government rules.

A great example of this is the Real HIPAA series of blog posts that they posted back in February. Yes, I realize I’m behind, but I’ll blame it on HIMSS.

Here’s an overview of the series:

It’s a common misconception that the Health Insurance Portability and Accountability Act (HIPAA) makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health. This blog series and accompanying fact sheets aim to correct this misunderstanding so that health information is available when and where it is needed.

The blog series dives into the weeds a bit and so it won’t likely be read by the average doctor or nurse. However, it’s a great resource for HIPAA privacy officers, CIOs, CSOs, and others interested in healthcare interoperability. I can already see these blog posts being past around management teams as they discuss what data they’re allowed to share, with whom, and when.

What’s clear in the series is that ONC wants to communicate that HIPAA is meant to enable health data sharing and not discourage it. We all know people who have used HIPAA to stop sharing. We’ll see if we start seeing more people use it as a reason to share it with the right people at the right time and the right place.

HHS Privacy and Security Rules Cheat Sheet Infographic

Posted on August 6, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Scrypt has put out the infographic below to help summarize the guide to Privacy and Security of Electronic Health Information that HHS put out. Of course, the full guide is 62 pages of detailed information, but this will give you a flavor for what’s in the guide.
HHS Privacy and Security Rule Infographic

Patients Demand the Best Care … for Their Data

Posted on June 22, 2015 I Written By

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Art Gross Headshot
Whether it’s a senior’s first fitting for a hearing aid, or a baby boomer in for a collagen injection, both are closely scrutinizing new patient forms handed to them by the office clerk.  With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their social security number, driver’s license, insurance card and date of birth — all the ingredients for identity fraud.  Patients are so squeamish about disclosing their personal information, even Medicare has plans to remove social security numbers on patients’ benefits cards.

Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection.  They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.

But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority.  And they neglect to train front office staff so the patient who now asks a receptionist where the practice stores her records either gets a quizzical look, or is told they’re protected in an EHR but doesn’t know how, or they’re filed in a bank box in “the back room” but doesn’t know why.

In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster.  Surprisingly this happens over and over.  Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.

Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files.  They hold the records hostage and ask for ransoms.  Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.

Physicians should not only encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers and have a disaster recovery plan in place, etc. they should also share their security practices and policies with the patient who asks how his office is protecting her records.

Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook.  Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.

And word gets out through social media that the practice is ‘behind the times.’  The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data.  This is the cockroach running through the restaurant that ends up on YELP.

It’s time to pull back the curtain and tell patients how you’re protecting their valuable data.  Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence.  For example, our practice:

  • Performs annual risk assessments, with additional security implemented, including encryption and physical security of systems that contain patient information.
  • Shows patients that the organization has policies and procedures in place
  • Trains employees on how to watch for risks for breaches
  • Gives employees limited access to medical records
  • Backups systems daily
  • Performs system activity regularly

Practices that communicate to patients how they are protecting their information, whether it’s provided by the front office staff, stated in a fact sheet or displayed on their websites, not only instills confidence and maintains their reputations, they actually differentiate themselves in the market place and attract new patients away from competitors.

About Art Gross
Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started HIPAA Secure Now! to focus on the unique IT requirements of medical practices. Email Art at artg@hippasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

Phase 2 HIPAA Audits Kick Off With Random Surveys

Posted on June 9, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Ideally, the only reason you would know about the following is due to scribes such as myself — but for the record, the HHS Office for Civil Rights has sent out a bunch of pre-audit screening surveys to covered entities. Once it gets responses, it will do a Phase 2 audit not only of covered entities but also business associates, so things should get heated.

While these take the form of Meaningful Use audits, covering incentives paid from January 1, 2011 through June 30, 2014, it’s really more about checking how well you protect ePHI.

This effort is a drive to be sure that providers and BAs are complying with the HIPAA privacy, security and breach notification requirements. Apparently OCR found, during Phase 1 pilot audits in 2011 and 2012, that there was “pervasive non-compliance” with regs designed to safeguard protected health information, the National Law Review reports.

However, these audits aren’t targeting the “bad guys.” Selection for the audits is random, according to HHS Office of the Inspector General.

So if you get one of the dreaded pre-screening letters, how should you respond? According a thoughtful blog post by Maryanne Lambert for CureMD, auditors will be focused on the following areas:

  • Risk Assessment audits and reports
  • EHR security plan
  • Organizational chart
  • Network diagram
  • EHR web sites and patient portals
  • Policies and procedures
  • System inventory
  • Tools to perform vulnerability scans
  • Central log and event reports
  • EHR system users list
  • Contractors supporting the EHR and network perimeter devices.

According to Lambert, the feds will want to talk to the person primarily responsible for each of these areas, a process which could quickly devolve into a disaster if those people aren’t prepared. She recommends that if you’re selected for an audit, you run through a mock audit ahead of time to make sure these staff members can answer questions about how well policies and processed are followed.

Not that anyone would take the presence of HHS on their premises lightly, but it’s worth bearing in mind that a stumble in one corner of your operation could have widespread consequences. Lambert notes that in addition to defending your security precautions, you have to make sure that all parts of your organization are in line:

Be mindful while planning for this audit as deficiencies identified for one physician in a physician group or one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing meaningful use in the same way.  Thus, the incentive payments at risk in this audit may be greater than the payments to the particular provider being audited.

But as she points out, there is one possible benefit to being audited. If you prepare well, it might save you not only trouble with HHS but possibly lawsuits for breaches of information. Hey, everything has some kind of silver lining, right?

OCR Fines Are the Least of Your Worries in a HIPAA Related Breach

Posted on August 27, 2014 I Written By

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Art Gross Headshot
Ask any medical professional about their biggest concern for protecting patient information and they will probably tell you about the threat of a random audit conducted by the Office of Civil Rights (OCR). OCR is tasked with enforcing HIPAA regulations and has the ability to hand out fines up to $1.5 million per violation for a HIPAA breach and failing to comply with HIPAA regulations.

With recent fines of $4.8 million handed out to New York and Presbyterian Hospital and $1.7 million fine to Concentra Health Services, physicians have good reason to worry.  These massive fines were levied not as the result of a random audit, but for the mandatory reporting of patient data breaches to the Department of Health and Human Services (HHS), and the investigation that followed.  So physicians need to reconsider where their real concerns should lie.

Ponemon Study

The 2013 Cost of a Data Breach Study by the Ponemon Institute calculated lost or stolen patient records at $233 per record. Let’s take a look at how quickly the cost of a HIPAA breach can add up:

# of Records Breached Cost
1 $233
10 $2,330
100 $23,300
1,000 $233,000
10,000

100,000

$2,330,000

$23,330,000

The cost of the recent Community Health Systems 4.5 million patient records breach could cost more than $1 billion!

Whether a medical provider loses 1,000 or 10,000 patient records the financial impact could easily set back the organization or even put it out of business.  But the “hidden cost” of a HIPAA breach that shouldn’t be overlooked is the damage to the provider’s reputation, lost trust from patients and the resulting sharp decline in revenues.

Lost patient records sparks negative publicity.  Take Phoenix Cardiac Surgery (PCS) for example. The Arizona medical practice with five physicians got slapped with a $100,000 fine for a HIPAA breach in 2012. A current search on Google returns the practice’s website plus 28 links to negative news stories related to the HIPAA fine. The consequences? A patient searching a referred cardiac surgeon from PCS finds the negative publicity and decides to continue searching for another surgeon. Or, an existing patient of PCS decides to look for another medical practice that takes every measure to safeguard his privacy.

Other Cost Factors

Beyond revenue loss and a damaged reputation are the direct overhead costs associated with a breach. The cost of discovering and stopping a breach may involve IT services, forensic investigative services to determine which systems and patients were affected, and legal counsel if patients file a lawsuit. There are also hard costs associated with notifying patients affected by the breach, including time spent to pull together their contact information, mailing out notifications and providing toll-free inbound phone numbers to handle complaints. Most organizations also provide identity and credit monitoring services for affected patients. All of these expenses add up, not to mention the cost of lost productivity due to the diverted attention of employees tasked with managing these processes.

Today it’s not uncommon for laptops, tablets and USB drives with patient records to disappear.  Or, for crime rings to hack into EHR systems to steal patient information and commit tax fraud, and for meth dealers to steal patient identities to obtain prescriptions.  If a large hospital system can lose 4.5 million patient records think how easy it is for a hacker to grab thousands of patient records from smaller medical practices and turn them into cash. The threat of a HIPAA breach has never been greater and all organizations should take heed.

Risk Assessment as a First Step

Healthcare organizations, particularly smaller medical practices, should perform a HIPAA risk assessment to look at where patient information is stored and accessed, and how the organization protects that information. It examines the risks of a breach and recommends steps to lower them. Without performing a risk assessment an organization may be lulled into a false sense of security, mistakenly believing they won’t suffer the consequences of a HIPAA breach.  At $233 per lost or stolen record that could be a costly miscalculation.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hippasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

What Would Make Us Not Delay ICD-10 in 2015?

Posted on July 3, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

While at the HFMA ANI conference in Las Vegas, I talked to a lot of people about the future of healthcare reimbursement. Talk of ICD-10 and the ICD-10 delay came up regularly with most of us rolling our eyes that ICD-10 was delayed again. Some argued that we still need to be prepared, but from what I’m seeing the majority of the market just pushed their plans out a year and will pick them up again later this year or early next year.

With that said, we all agreed that every organization will be much more hesitant preparing for ICD-10 next year since they’re afraid that ICD-10 will just be delayed again.

As I had these discussions, I started thinking about what will be different in 2015 when it comes to ICD-10? As I asked people this question, all of the same arguments that we made in 2014 are what we’re going to have in 2015. Some of them include: the rest of the world adopted this years ago, we’re falling behind on the data we’re capturing, we need more specificity in the way we code so we can improve healthcare, etc etc etc.

Considering these arguments, what will be different next year?

All of the above arguments for not delaying ICD-10 were valid in 2014 and we’ll be just as valid in 2015. Can you think of any reasons that we should not delay ICD-10 in 2015 that weren’t reasons in 2014? I can’t think of any. The closest I’ve come is that with the extra year, we’re better prepared for ICD-10. Although, given people’s propensity to delay, does anyone think we’ll be much better prepared for ICD-10 in 2015 than we were in 2014? In some ways I think we’ll be less prepared because many will likely think the delay will happen again.

Given that the environment will be mostly the same, why wouldn’t we think that ICD-10 will be delayed again in 2015?

Personally, I’ll be watching CMS and HHS closely and see what they say. I think this year they looked really bad when they very publicly proclaimed that ICD-10 was coming at HIMSS just to be hit from the side by the ICD-10 delay. I’d hope that this time CMS will work with Congress to know what they’re planning or thinking before they make such strong assertions. Of course, this would mean that they’d have to understand what Congress is thinking (not an easy task).

What’s unfortunate is that many of the things you need to do to prepare for ICD-10 can also benefit you under ICD-9. The smart organizations understand this and are focusing on clinical documentation improvement (CDI) as the best way to prepare for ICD-10, but still benefit from the program today.

Where Are the Big Business Associate HIPAA Breaches?

Posted on April 29, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It seems like I have HIPAA and security on my mind lately. It started with me writing about the 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the later post, there’s been a really rich discussion around the ability of an enterprise organization to be able to secure their systems better than most healthcare organizations.

As part of that discussion I started thinking about the HHS HIPAA Wall of Shame. Off hand, I couldn’t think of any incidents where a business associate (ie. a healthcare cloud provider) was ever posted on the wall or any reports of major HIPAA breaches by a large business associate. Do you know of some that I’ve just missed?

When I looked at the HIPAA Wall of Shame, there wasn’t even a covered entity type for business associates. I guess they’re not technically a covered entity even though they act like one now thanks to HIPAA Omnibus. Maybe that’s why we haven’t heard of any and we don’t see any listed? However, there is a filter on the HIPAA Breach disclosure page that says “Business Associate Present?” If you use that filter, 277 of the breaches had a “business associate present.” Compare that with the 982 breaches they have posted since they started in late 2009.

I took a minute to dig into some of the other numbers. Since they started in 2009, they’ve reported breaches that affected 31,319,872 lives. My rough estimate for 2013 (which doesn’t include some breaches that occurred over a period of time) is 7.25 million lives affected. So far in 2014 they’ve posted HIPAA breaches with 478,603 lives affected.

Certainly HIPAA omnibus only went into effect late last year. However, I wonder if HHS plans to expand the HIPAA Wall of Shame to include breaches by business associates. You know that they’re already happening or that they’re going to happen. Although, not as often if you believe my previous piece on them being more secure.

As I considered why we don’t know of other HIPAA business associate breaches, I wondered why else we might not have heard more. I think it’s naive to think that none of them have had issues. Statistics alone tells us otherwise. I do wonder if there is just not a culture of following HIPAA guidelines so we don’t hear about them?

Many healthcare business associates don’t do much more than pay lip service to HIPAA. Many don’t realize that under the new HIPAA omnibus they’re going to be held accountable similar to a covered entity. If they don’t know those basic things, then can we expect them to disclose when there’s been a HIPAA breach? In healthcare organizations they now have that culture of disclosure. I’m not sure the same can be said for business associates.

Then again, maybe I’m wrong and business associates are just so much better at HIPAA compliance, security and privacy, that there haven’t been any major breaches to disclose. If that’s the case, it won’t last forever.