Stanford Hospital & Clinics has appointed Daniel Ginsburg as its new chief operating officer, effective Jan. 12, 2009. Ginsburg succeeds Michael Peterson, whose retirement as the hospital's COO was announced in June 2008. Ginsburg is currently senior vice president for Cancer and Women's Programs at Massachusetts General Hospital, where he also serves as president and chief operating officer of the Massachusetts General Physicians Organization.
Because of information missing from a newspaper advertisement, the Loudoun County (VA) Planning Commission announced it will join the Board of Supervisors at a public hearing Nov. 20 on a proposed 164-bed hospital in Broadlands. This is the second time the commission has altered its schedule because of a mistake that county staff members made in providing notice of a public hearing on the proposed hospital. Healthcare network HCA Virginia wants to build on a 57.7-acre site. A hearing scheduled for Sept. 25 was moved to Oct. 15 after it was discovered that a sign at the Broadlands property listed the wrong location for the session.
Johnson Memorial Corp. laid off 55 staff members, reduced the hours of 49 others and will file for bankruptcy protection as it prepares to merge with Eastern Connecticut Health Network. The corporation, which runs the ailing Johnson Memorial Hospital, agreed to sell the hospital's assets to ECHN in a $65 million deal subject to approval by state officials. ECHN operates Manchester Memorial Hospital and Rockville General Hospital and would maintain the 96-bed Johnson Memorial as a separate entity.
After a decade of debate and one unsuccessful attempt to generate support for a new public hospital in Dallas County, a $747 million hospital bond issue has finally made it onto the Nov. 4 ballot. But supporters of the plan to build a new Parkland Memorial Hospital are worried now that voters won't find the bond measure on the back of the crowded ballot.
The Office of Inspector General issued a final report October 27 reviewing CMS' HIPAA security rule oversight, implementation, and enforcement.
The largely critical report ("Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07-05064]") describes the OIG's findings and recommendations for CMS, but it also sends a message to covered entities.
"This is a formalized wakeup call for CMS; as an enforcement arm, it will be held accountable to fulfill its duties," says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA security rule. "But it also says to the healthcare industry that CMS is going to be coming after you."
The OIG findings and recommendation
CMS' limited actions in terms of security rule implementation have "not provided effective oversight or encouraged enforcement" of covered entities, according to the report. Because CMS only investigated noncompliant covered entities when it received a complaint, the OIG also determined that "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected."
OIG audits of multiple covered entities confirmed this fact. According to the report, OIG audits of several hospitals showed "numerous, significant vulnerabilities" in security systems intended to protect ePHI, leaving it at high risk. Further, it determined that complaints would not have exposed many of the vulnerabilities the OIG has since found.
"If you just focus on a complaint, and resolving that complaint, that's not enough," says Kate Borten, CISSP, CISM, president of The Marblehead (MA) Group. "The OIG went in and found all these other problems that would never have come to light without a full compliance review."
Security rule complaints are generally far fewer than privacy rule complaints: the Office for Civil Rights had received more than 16,000 privacy rule complaints as of October 31, 2005, whereas CMS received approximately 400 security rule complaints during the same time period. This is because security rule violations are largely hidden from the public eye, not because the problems don't exist, Borten says.
As a result of its findings, the OIG recommended that CMS conduct compliance reviews. CMS contracted with PricewaterhouseCoopers to conduct reviews following the OIG investigation but prior to the release of the OIG report.
The future of security rule audits
Security rule audits and reviews are not going away any time soon. In a response to the OIG's recommendation dated June 30, 2008, CMS acting administrator Kerry Weems agreed with the recommendation that CMS should implement policies and procedures for conducting compliance reviews of covered entities—both complaint-driven and not.
"We are definitely going to see more of these compliance reviews, not fewer," Borten says. "I think this year CMS is just testing the waters, getting their feet wet."
Weems also indicated that CMS and the OIG are considering possible future collaboration on security rule enforcement efforts, including compliance reviews, in fiscal year 2009. The OIG also has multiple audits of covered entities currently ongoing, according to the report.
"The OIG is now on record saying that this is a serious ongoing program that is going to be periodically watched," Parmigiani says. "In other words, listen up. This isn't a one-shot deal. You need to be audit-ready."
"The enforcement heat is on, and it could be turned up," he says.
A southwestern Pennsylvania hospital is planning a $3 million renovation that will include expanding its emergency room and creating a new specialized surgical care area. Southwest Regional Medical Center Chief Executive Officer Cindy Cowie says the hospital’s revitalization in recent years means it must expand in order to continue providing quality healthcare to people in the region.