
HIPAA Fines and Penalties in a HIPAA Omnibus World

Posted on July 25, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a Pandora’s box just waiting to explode where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is likely going to come from all of these business associates that are now going to be held responsible for any HIPAA violations that occur with their systems.

For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are a couple of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of responsibility when it comes to any HIPAA violations. Yes, this means that healthcare companies that experience HIPAA violations could be fined just as covered entities already could be.

To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.

This is likely going to be a recipe for disaster for those organizations who aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines where Idaho State University was fined $400k for HIPAA violations and the $1.7 million penalty for WellPoint’s HIPAA violations. In the first case, they had a disabled firewall for a year, and the second one failed to secure an online application database containing sensitive data.

Of course, none of the above examples take into account the possible civil cases that can be brought against these organizations or the brand impact to the organization of a HIPAA violation. The penalties for a HIPAA violation range from $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willful Neglect – Corrected.”

I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many organizations. Plus, healthcare organizations better make sure they have proper business associate agreements with these companies in order to insulate them against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate and they won’t likely be happy with what they find.

The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.

Telemedicine Panel at CES Hosted by HealthSpot

Posted on January 9, 2013 | Written By John Lynn


I had the chance to attend a Telemedicine panel today at CES that was put together by HealthSpot (see my previous post about HealthSpot at CES). They put together a good panel that included:
Peter Tippett, MD, PhD – Vice President, Connected Healthcare Solutions, Verizon
John F. Jesser – Vice President, Health Care Management, WellPoint
William Wulf, MD – Central Ohio Primary Care
Leslie Kelly Hall – Healthwise

The panel was an interesting discussion, but I think the underlying discussion really centered around how screwed up many parts of healthcare are right now. This showed itself in two different ways. One was that telemedicine could possibly fix some of those screwed up parts of healthcare. Second, telemedicine is actually hard to execute because of some of the screwed up parts of healthcare. It’s kind of odd to look at it that way.

I tweeted a number of the comments that struck me and so I thought I’d share them here for those who weren’t following along on Twitter.


This was a fitting comment at a “consumer” electronics show.


I think there are still some wackos ;-), but I think the message they send is clear.


This would be a monumental achievement if we can embrace HIPAA and make the technology happen. I think the key message is: HIPAA should not be used as an excuse.


Such a no brainer question with an easy answer. Why is it so hard to do?


Will telemedicine become the “standard of care” so that this becomes a big issue? I hope we don’t reach the point that this is the reason we implement telemedicine, but it might take something like it to get people off the proverbial couch.

Private Payers Need to Join Humana, CMS With EHR Subsidies

Posted on June 30, 2011 | Written By

Ever since the American Recovery and Reinvestment Act became law in February 2009, giving birth to the phrase “meaningful use,” I’ve wondered when private insurers would follow the federal government’s lead and start offering financial carrots and sticks for using and not using EHRs. After all, one of the purposes of the Medicare and Medicaid incentive program was to address the fact that payers tend to reap the greatest financial gains from hospitals and physicians adopting EHRs, even though most if not all of the cost of acquiring the technology falls on the provider.

Federal officials have made it clear all along that “meaningful use” is just that, the meaningful use of the technology. The government was not simply going to write checks so providers could go out and buy technology. As the country’s largest purchaser of healthcare services, CMS wanted some value for its money (not exactly something you hear every day when it comes to government spending).

I’d been hearing for years that major commercial health insurers also were willing to share some of the savings from EHR adoption, but not until the largest payer of them all, Medicare, did so first. The private sector usually does follow Medicare’s lead when it comes to major policy shifts. Medicare now has done so, but private payers have been mostly silent. Mostly.

This month, as InformationWeek reports, Humana teamed up with Allscripts Healthcare Solutions to offer physician practices financial incentives for purchasing Allscripts EHR systems. The deal is similar to one Humana cut last year with Athenahealth. A few Blue Cross and Blue Shield plans, notably in Massachusetts and Rhode Island, have led similar programs at the state level, with eClinicalWorks the main partner.

But unless I’m forgetting something, Humana is the only big payer that has jumped into the game. Where are the UnitedHealthcares, Aetnas, Cignas and WellPoints of the world?

Payers, it’s time to make good on the lip service you gave years ago and start passing on some of the savings you will realize from Medicare, Medicaid and hundreds of thousands of providers spending billions of dollars on EHR technology and health information exchange efforts.