The North Carolina Medical Board has decided to publish medical malpractice payouts doctors have made, but the information will not be as comprehensive as initially planned. Answering concerns from doctors, medical malpractice insurers, and defense lawyers, the Board voted to make public only settlements of more than $25,000. The board also decided that rather than immediately post settlements that spanned the previous seven years, the start date of the malpractice profiles will be October 2007, when the legislature made the rule effective.
Anthem Blue Cross and Blue Shield have agreed to pay a total of $13 million in fines and to offer new health coverage to more than 2,200 Californians the companies dropped after they became ill. Neither company admitted to any wrongdoing in agreeing to pay the fines, the latest in the efforts by state authorities to curb what they view as an abusive practice of investigating and canceling policies after policyholders run up big medical bills. The insurers also agreed to establish a process for former members to recover medical expenses they paid out of pocket after they were dropped, as well as other damages.
The Massachusetts House has approved a bill to rein in healthcare spending, but rejected a ban on the practice of doctors accepting gifts from representatives of pharmaceutical companies. The House bill requires uniform coding of medical claims to make the billing process consistent, rewards primary care physicians who focus on patients with chronic illnesses, and requires a statewide electronic health record system be up and running by 2015.
Fairview Health Services will soon no longer be part of the medical provider network for Blue Cross and Blue Shield of Minnesota unless they can resolve a standoff over prices. The current contract expires Aug. 23, and if a new one isn't signed Blue Cross members then would have to pay out-of-network charges at Fairview clinics. Blue Cross is Minnesota's biggest health insurer, with 2.9 million members, while Fairview is the third-biggest hospital and clinic group and owns the University of Minnesota Medical Center.
The Department of Health and Human Services (HHS) and Providence Health & Services have entered into a Resolution Agreement that includes a payment to HHS and a corrective action plan for the Seattle-based health system to settle potential HIPAA privacy and security rule violations that occurred in 2005 and 2006, according to a July 17 HHS press release.
In addition to paying the $100,000 resolution amount to HHS, Providence has agreed to a “robust” corrective action plan to help ensure the future protection of its electronic PHI from theft or loss.
The Resolution Agreement comes after two entities within the Providence health system—Providence Home and Community Services and Providence Hospice and Home Care—were involved in several incidents in 2005 and 2006 dealing with the loss or theft of multiple items containing the unencrypted PHI of more than 386,000 patients. The items included laptop computers, optical disks, and electronic backup tapes, all of which HIPAA required Providence to safeguard because they contained patient information.
Take security seriously
“This really does show just how serious security enforcement is getting,” says William M. Miaoulis, CISA, CISM, manager of healthcare security services for Phoenix Health Systems in Dallas. “Although [Providence] agreed to pay a monetary sum, they’ve also agreed to implement a detailed corrective action plan. I think that’s the most important part,” he adds.
According to the press release, the corrective action plan requires the following:
Revised policies and procedures for physical and technical safeguards relating to storage and transport of devices or media containing PHI, subject to the approval of HHS
Work force training for staff members
Mandatory audits and facility site visits
Submission of compliance reports to HHS for three years
In addition to implementing a corrective action plan, Providence Health & Services is putting the protection of patient information at the top of its priority list, Eric Cowperthwaite, Providence’s chief information security officer, said in the press release. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures. Under the terms of the agreement, we will continue to implement appropriate policies, procedures, and training,” he said.
Be ready for future enforcement
This incident marks the first-ever HHS Resolution Agreement, though it may not be the last, says Winston Wilkinson, director of the Office for Civil Rights (OCR).
“We are committed to effective enforcement of health information privacy and security protections for consumers,” Wilkinson said in the press release. “Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action.”
However, Providence will not face a civil money penalty because it cooperated with OCR and CMS during the investigation.
Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, says HHS needs to provide clarification on why it is not calling the resolution payment a civil penalty. HIPAA allows OCR and CMS to pursue criminal penalties, levy civil penalties, or work with the organization through an informal corrective action agreement or work plan. “Informal is defined as technical support, education, and so forth,” says Apgar. “Nowhere does it say that informal has a price tag. So this is a stretch in some respects. There’s nothing in the enforcement rule that says they can impose a fine or make you pay money unless it is a civil penalty.”
“They’re very careful to say that they were so cooperative that there’s no monetary penalty. But what do they call it then, if it isn’t a penalty? Why is HHS reluctant to call this a penalty?” asks Kate Borten, CISSP, CISM, president of The Marblehead (MA) Group. “It’s a civil penalty for failure of compliance,” she adds. “But in the end, forget about the $100,000 and the fact that HHS is breathing down your neck for three years, the message is that you have to [take information security seriously].”
The financial penalty is attached to make a point, says John R. Christiansen, JD, managing director of Christiansen IT Law in Seattle. “Even if you cooperate in good faith and didn’t mean to do it, there are consequences,” he says. “You have to be serious about information protection in your healthcare organization, even if it is difficult.”
Ensure your policies and procedures are reaching your staff
Being serious includes ensuring that your policies and procedures are effectively reaching your entire work force. “This should be a wake-up call for all of us,” says Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX. “Very few organizations have done a thorough risk analysis, and it’s easy to overlook functions like home health that may be separate from the hospital,” she adds.
Home health workers, in particular, are at high risk for HIPAA violations simply because these workers take PHI out of the organization every day to provide patient care, she adds. Brandt says hospitals should perform a proactive comprehensive risk analysis for ePHI so they don’t end up in Providence’s situation.
HHS’ investigation focused on Providence’s failure to enforce relevant policies and procedures. “The very fact that this happened underscores the difficulty of managing security in a big healthcare organization,” says Christiansen. “In a big healthcare organization, it is frequently the case where there is a lot of delegated authority . . . It is very hard to make sure you are getting accurate information out to all of the people who need it and to remind them of it.”
The intent of the Resolution Agreement may be to send a message to covered entities that they need to revisit the security rule requirements and implementation specifications, says John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD. “Some of the things that were addressable need to be looked at again due to changing environments in terms of threats and your own capabilities, such as your use of remote access and removable media,” says Parmigiani.
In addition, healthcare providers should revisit the security rule guidance CMS released in December 2006. HHS has now laid the groundwork for enforcing the guidance even though it was not a part of the original security rule, according to Parmigiani.
Miaoulis notes that the Providence security incidents occurred in 2005 and 2006, and CMS issued the guidance on remote and mobile data by the end of 2006. “I’m not saying they are connected, but what I am saying is that people need to get their hands on that and read that,” he says.
Income from patient services at Louisville, KY-based Norton Healthcare fell more than 55% last year from 2006, but strong gains from investments offset much of that drop to leave operating profit just 7% lower. Norton's operating profit totaled $79.6 million, down from a record high in 2006. While Norton earned $22.5 million from patient services, it treated 13% more people on Medicaid and saw fewer customers with commercial insurance plans. Patient care at Norton is expected to be profitable this year, but Chief Executive Officer Steve Williams said the nonprofit's investment portfolio is expected to lose $10 million because of the economy and struggling stock market.