Johnson Memorial Corp. laid off 55 staff members, reduced the hours of 49 others and will file for bankruptcy protection as it prepares to merge with Eastern Connecticut Health Network. The corporation, which runs the ailing Johnson Memorial Hospital, agreed to sell the hospital's assets to ECHN in a $65 million deal subject to approval by state officials. ECHN operates Manchester Memorial Hospital and Rockville General Hospital and would maintain the 96-bed Johnson Memorial as a separate entity.
After a decade of debate and one unsuccessful attempt to generate support for a new public hospital in Dallas County, a $747 million hospital bond issue has finally made it onto the Nov. 4 ballot. But supporters of the plan to build a new Parkland Memorial Hospital are worried now that voters won't find the bond measure on the back of the crowded ballot.
The Office of Inspector General issued a final report October 27 reviewing CMS' HIPAA security rule oversight, implementation, and enforcement.
The largely critical report ("Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07-05064]") describes the OIG's findings and recommendations for CMS, but it also sends a message to covered entities.
"This is a formalized wakeup call for CMS; as an enforcement arm, it will be held accountable to fulfill its duties," says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA security rule. "But it also says to the healthcare industry that CMS is going to be coming after you."
The OIG findings and recommendation
CMS' limited actions in terms of security rule implementation have "not provided effective oversight or encouraged enforcement" of covered entities, according to the report. Because CMS only investigated noncompliant covered entities when it received a complaint, the OIG also determined that "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected."
OIG audits of multiple covered entities confirmed this fact. According to the report, OIG audits of several hospitals showed "numerous, significant vulnerabilities" in security systems intended to protect ePHI, leaving it at high risk. Further, it determined that complaints would not have exposed many of the vulnerabilities the OIG has since found.
"If you just focus on a complaint, and resolving that complaint, that's not enough," says Kate Borten, CISSP, CISM, president of The Marblehead (MA) Group. "The OIG went in and found all these other problems that would never have come to light without a full compliance review."
There are generally fewer security rule complaints than privacy rule complaints; the Office for Civil Rights had received more than 16,000 privacy rule complaints as of October 31, 2005, whereas CMS received approximately 400 security rule complaints during the same time period. This is because security rule violations are largely hidden from the public eye, not because the problems don't exist, Borten says.
As a result of its findings, the OIG recommended that CMS conduct compliance reviews. CMS contracted with PricewaterhouseCoopers to conduct reviews following the OIG investigation but prior to the release of the OIG report.
The future of security rule audits
Security rule audits and reviews are not going away any time soon. In a response to the OIG's recommendation dated June 30, 2008, CMS acting administrator Kerry Weems agreed with the recommendation that CMS should implement policies and procedures for conducting compliance reviews of covered entities—both complaint-driven and not.
"We are definitely going to see more of these compliance reviews, not fewer," Borten says. "I think this year CMS is just testing the waters, getting their feet wet."
Weems also indicated that CMS and the OIG are considering possible future collaboration on security rule enforcement efforts, including compliance reviews, in fiscal year 2009. The OIG also has multiple audits of covered entities currently ongoing, according to the report.
"The OIG is now on record saying that this is a serious ongoing program that is going to be periodically watched," Parmigiani says. "In other words, listen up. This isn't a one-shot deal. You need to be audit-ready."
"The enforcement heat is on, and it could be turned up," he says.
Understanding the link between insomnia and poor health, health insurance companies are providing cognitive behavior therapy programs to their members to help them get a good night's sleep. WellPoint, Aetna, Cigna, Kaiser Permanente, and several Blue Cross plans are offering their members online programs rather than relying on sleeping pills.
Some health plans offered by AARP mislead consumers into thinking they're protected from catastrophic health costs but leave them vulnerable to paying tens of thousands of dollars, Sen. Chuck Grassley, R-Iowa, says. Grassley, the top Republican on the Senate Finance Committee, is sending more than a dozen questions to AARP CEO William Novelli about AARP plans that cover about 1 million people. The actions are part of Grassley's broader health coverage and cost inquiry.
A southwestern Pennsylvania hospital is planning a $3 million renovation that will include expanding its emergency room and creating a new specialized surgical care area. Southwest Regional Medical Center Chief Executive Officer Cindy Cowie says the hospital’s revitalization in recent years means it must expand in order to continue providing quality healthcare to people in the region.