News that Medicare improperly paid about $33 million for healthcare services to thousands of incarcerated patients between 2009 and 2011 should motivate hospital leaders to strengthen or establish relationships with local law enforcement authorities, a healthcare billing and legal expert says.
The Office of Inspector General announced this month that the Centers for Medicare & Medicaid Services made Medicare payments totaling $33.6 million to healthcare providers for services to approximately 11,600 incarcerated beneficiaries during calendar years 2009 through 2011.
CMS did not have policies and procedures that would have enabled it to detect such improper payments after the payments were made, OIG reported; nor did it notify its payment processing contractors to recoup any such payments.
CMS in April plans to implement a process for detecting and recouping improper payments for previously paid Medicare claims, according to the OIG.
While CMS is revisiting its policies, healthcare leaders should, too. Even if a hospital is not part of this particular recoupment process, it's a good time to review policies and procedures regarding incarcerated patients and even consider contracting with local law enforcement authorities regarding such patients.
"The C-Suite needs to be in communication and have good relationships with local county authorities," says Kimberly Anderwood Hoy, JD, CPC, director of Medicare and compliance for HCPro, Inc. in Danvers, MA. "Obviously, if a hospital is near a prison, you know you will be treating prisoners, but for other hospitals, you never know if your county sheriff will bring in someone. You need to know the boundaries for who pays what. Get it all worked out in a contract and establish what the rates are."
Hoy recalled a case when an out-of-state patient brought into a hospital by law enforcement authorities subsequently received about a month's worth of treatments for kidney failure.
Ultimately, the man was not charged with a crime. But because he was technically never in the custody of law enforcement, the county was not responsible for his medical charges. The hospital was on the hook for services rendered.
Hoy, who has served as legal counsel for a California hospital, says whoever has the patient in custody pays for their services. Prison inmates are generally not a problem, she says, because they are generally clearly in the custody of the prison.
"Although I did hear of some prisons furloughing prisoners to get expensive surgeries and then re-incarcerating them to get around paying," Hoy says.
A bigger issue arises, for example, when a person is arrested and taken to the emergency department for medical clearance, either because of odd behavior or suspected intoxication. As long as the patient is in custody, the custodian (county or state law officers, etc.) is responsible for payment of medical charges. A proviso in many states is that the patient is responsible for reimbursing those costs.
Hoy has seen patients "unarrested" and left to receive the care, while they were in actuality still in "custody" and not free to leave the healthcare facility according to the sheriff.
"The local authorities wanted us to police these people with our security guards and then tell law enforcement when they were ready to go so they could come take them directly to jail," Hoy recalls. "All to get out of paying for their care."
Hospital staff should have certain questions answered before a potentially incarcerated patient presents:
Was the patient charged at the time of arrival to the hospital?
Was the patient charged during his stay?
Was he arrested upon discharge?
Who is responsible for paying for the services rendered for each circumstance?
"The C-Suite may not realize this is going on and has become an issue," says Hoy. "The point-of-care staff may not realize it's an issue either. This can be a lot of money. From the C-Suite standpoint, I think they need to have a dialogue with their local and state authorities and clear contracts for when they will and won't pay."
"I think that hospitals that are close to a prison already generally have this," says Hoy, "but other hospitals don't always think of it because it's not your every-day thing that occurs. But when it does, they are really going to be stuck if they haven't met and negotiated with the city and county and/or jail authorities in advance."
The OIG also announced January 24 that CMS made payments totaling $91.6 million to healthcare providers for services to approximately 2,600 unlawfully present beneficiaries during calendar years 2009 through 2011.
CMS, in a statement released to HealthLeaders Media, said that "for cases where Medicare is informed of patients' unlawful presence after claims have been paid, we are working with OIG to implement a process for quickly and completely recouping these improper payments."
Since its inception in March 2007, the Medicare Fraud Strike Force has charged more than 1,480 defendants who collectively have falsely billed the Medicare program for more than $4.8 billion.
The fraud agents are not done, however, one healthcare leader warns.
"The government Medicare enforcement agents are under added pressure to increase their fraud recoveries," says Roy Snell, CEO of the Health Care Compliance Association in Minneapolis.
"The pressure has increased due to the cost of healthcare reform and concerns about addressing the deficit. The list of Medicare compliance issues you should be concerned about are too long to list, but they are outlined in detail in the Office of Inspector General’s annual Work Plan."
The Medicare Fraud Strike Force was in full force just a short three months ago. A seven-city operation, part of the Health Care Fraud Prevention & Enforcement Action Team (HEAT), led to charges against 91 individuals including doctors, nurses and other licensed medical professionals for participating in Medicare fraud schemes involving approximately $429.2 million in false billing.
CEOs can ensure their organizations' compliance programs are functioning as intended by following these guidelines:
1. Hire experienced compliance professionals. "It’s very simple," Snell says of a healthcare CEO’s role in compliance. "Hire an experienced compliance professional to manage a comprehensive compliance program and give him/her the independence and authority to fix the problems he/she finds. Increasing the compliance resources is helpful, but without the freedom to prevent, find and fix fraud, the CEO will always be facing an uphill battle."
2. Ensure no one gets in the way. Healthcare CEOs should ensure that compliance officers are free of interference and able to do their jobs, Snell adds. "In my opinion, it is the single biggest impediment to the CEO’s success with a compliance program," the HCCA chief says.
3. Make time for your chief compliance officer. Your compliance officer should meet with you on a regular basis. During these meetings, the compliance officer should share reports showing all the functioning elements of the compliance program and provide a list of the issues that have been discovered by or reported to the compliance program, Snell adds.
4. Request audit reports. "An audit report listing the work being done to ensure you have addressed the issues identified on the OIG Work Plan would be helpful," Snell says. "The CEO should be informed of anyone interfering with the implementation of the compliance program or interfering with the resolution of issues."
5. Encourage balance between OIG and peers. Ensure that compliance officers focus on the issues the OIG intends to investigate, but also on issues that the compliance officer identifies from conversation with his/her peers in the field. "There should be a balanced effort on all the elements of a compliance program," Snell says, "but I would focus more on auditing and resolving problems."
6. Keep the board informed. The CEO should not deliver the compliance reports to the board. Rather, the compliance officer should meet with the CEO prior to the board meeting, and together they should report to the board. "The reports should be essentially an executive summary of the reports mentioned previously," Snell says.
Healthcare leaders who know their financial data points understand there's one business metric that should never be on the upswing: discharged not final billed (DNFB). If an organization's bills don't leave the front door, its cash flow and opportunities to earn interest certainly will.
The C-Suite must set acceptable DNFB standards that are consistent in their measurement and that account for organization-specific issues, says Lou Ann Weidemann, MS, RHIA, CPEHR, FAHIMA, director of HIM Solutions at the American Health Information Management Association (AHIMA) in Chicago.
What can make DNFB rise?
Lack of qualified coders.
Bills held up during pre-bill audit reviews.
Poor internal review systems between the departments that code records and the clinicians who complete pathology and operative reports.
Most organizations set a three-day threshold for accounts, she says, meaning that accounts that are not coded or dropped within three days of discharge appear on the DNFB. Other organizations choose to keep the DNFB at a percentage of overall revenue (e.g. 2%) as their measurement.
"Choose the measure that best fits the organization and stick with it," Weidemann says.
Urge collaboration
"Also, develop a collaborative team within the organization that includes representatives from HIM, coding, quality assurance, and others that meets on a regular basis to discuss ongoing issues. In the beginning, this group may meet weekly, and then taper off to a monthly meeting once improvement is seen. In the end, assign the responsibility of the DNFB monitoring to one individual and ensure that they have the tools and resources to review the report, identify process issues, and make corrections."
In most situations, the CEO or CFO has the HIM director deliver the DNFB rates, Weidemann says. It may differ at, for instance, an integrated delivery system or an organization in which the coding professionals do not report to the HIM director.
Ultimately, the HIM director should lead the effort to improve DNFB rates and should work with representatives from across many groups: business office, coding, chargemaster, admitting, case management or utilization review, quality management, and HIM.
"The HIM director should know on a daily basis what the DNFB is, the expected coder productivity, reason for large dollar amounts on the DNFB, etc., and be able to answer questions to the C-Suite," Weidemann adds.
Successfully monitoring and controlling DNFB lies in understanding its cause, says Darice M. Grzybowski, MA, RHIA, FAHIMA, founder and president of HIMentors, LLC, in Westchester, IL.
A HIM department may struggle with getting records coded, Grzybowski says, while other times it may attempt to code the medical record, but find that key information such as a pathology report or dictated operative report is missing.
Success keys
"In some cases, the record is outstanding due to other reasons, such as a problem with a duplicate account number, or there is a question regarding a charge error," Grzybowski adds. "Whatever the reason, it should be classified in a category and not lumped together for one sum number. The HIM department should work in conjunction with the business office to agree on a method of classifying, tracking, and reporting this data on a regular basis to the C-Suite."
How else can healthcare leaders ensure their DNFB rates improve? Grzybowski says leaders can start by:
Investing in an HIM operational assessment to identify causes of DNFB and possible solutions
Putting an ongoing tracking mechanism in place to monitor DNFB
Ensuring the Patient Financial Services (PFS) department and HIM teams agree how DNFB will be defined and measured
Enforcing record-completion policies
Ensuring that deficiency analysis takes place before coding (within the first 24 hours post discharge) to identify missing data earlier in the lifecycle of record processing, and to improve coder productivity to avoid them spending time searching for missing information
"Those facilities that have undergone a thorough HIM and Revenue Cycle operational assessment can identify the areas that need improvement," Grzybowski adds. "And by implementing various changes in process, adjusting staffing, or providing better analytical tracking of the DNFB, problems can be avoided with the proper solutions."
Staffing and technology
Be aware that a shortage of qualified, credentialed, and experienced coders can make your organization's DNFB rise. A lack of adequate staff working seven days a week in the scanning, analysis, and coding areas could mean higher rates, Grzybowski warns.
"ICD-10 may make that shortage more severe and have a detrimental effect on DNFB," she says. "Electronic health records and a good electronic document management system that makes physician completion of record deficiencies easier to manage actually help improve and decrease the DNFB rate."
Even when your organization is doing well preparing for audits like the CMS Recovery Audit Program, you may be hurting your DNFB.
"Some organizations are choosing to pre-bill review these types of accounts as a precautionary measure which leaves it on the report longer," Weidemann says. "External audits often pose big risks for an organization, and no organization can afford to pay back audits for multiple accounts. Some organizations are choosing to be proactive in their audit activities and mitigate their risk by placing accounts on 'hold' in order to review the documentation and code assignment internally before the account is dropped."
The HIPAA omnibus final rule released by the Department of Health & Human Services January 17 will cost hospitals some time and money in regulation analysis, training, and policy revision, but shouldn't break the bank, healthcare leaders and privacy and security experts say.
The HIPAA "mega rule," so-called by some in the industry, represents the largest set of modifications to the HIPAA privacy and security rules to date.
"The new law needs to be analyzed and will have some impact on current processes, although they appear after my high level review to be expected and minor in nature," says Chris D. Van Gorder, FACHE, president and CEO of Scripps Health in San Diego.
"There will be costs to Scripps to analyze the regs, revise policies, revise and distribute the Notice of Privacy Practice (NPP), and to revise our standard Business Associate agreement if legal determines that is necessary and get our BA's to sign the new version."
The final omnibus rule enhances a patient's privacy protections, provides individuals new rights to their health information, strengthens the government's ability to enforce the law, and requires updates to business associate contracts.
The rule, required by the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law in February of 2009, is enforceable beginning September 24. It holds third-party subcontractors who use and disclose PHI accountable to HIPAA rules and penalties.
Regulation review
Healthcare leaders must direct someone, most likely privacy and security officers, to perform a thorough review to identify high level process and policy changes necessary for compliance with the new rule. "I think for CEO and CIO, the first step is to ensure your privacy and security officers get right on this and digest it," says Kate Borten, CISM, CISSP, former head of information security at Massachusetts General Hospital in Boston and the president of The Marblehead Group, a healthcare privacy and security consultancy in Marblehead, MA. "They are your internal experts, and this is a big part of their role."
Organizations charged with HIPAA compliance must understand now that all signs are pointing to increased enforcement, adds Brad M. Rostolsky, partner in the Philadelphia office of the law firm Reed Smith, LLP.
"The 'good old days' of voluntary compliance and 'slaps on the wrist' seem to be a thing of the past," Rostolsky says. "As a result, it's important that regulated businesses, from the top down, are seen to have buy-in to HIPAA compliance efforts. HIPAA privacy and security officers should be involved at the highest levels of compliance planning."
Increased penalties for noncompliance
HHS made official in the omnibus rule increased civil monetary penalties ranging from $100 in the "did not know" category to $1.5 million in the "not corrected" category. The factors that will be considered when determining civil money penalties for non-compliance have expanded significantly, says Rebecca Herold, CISSP, CIPP/US/IT, CISM, CISA, FLMI, partner in Compliance Helper and CEO of The Privacy Professor of Des Moines, IA.
"To date, the factors really only involved the implementation of controls, as required by HIPAA, and any levels of 'willful neglect' involved in the associated situations," Herold says. "So pretty much the sanctions applied were based upon the preventive actions that were in place, or lacking. Now there are significant additional considerations: the impacts of the breach will be considered."
What will HHS review in terms of the extent of breaches in the new omnibus rule?
Number of individuals affected
Time period during which the violation occurred
Nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
Whether the violation caused physical harm
Whether the violation resulted in financial harm
Whether the violation resulted in harm to an individual's reputation
Whether the violation hindered an individual's ability to obtain healthcare
"I find the consideration of harm to an individual's reputation to be of particular interest, since that has been comparatively hard to prove in past court cases," Herold says. "However, this particularly points to the need to keep patient information off social media sites, since that has been a source of many breaches involving patient information."
Action steps for C-Suite
Though enforcement will not come until the fall, CEOs must know the changes will require actions that go beyond the simple checklist approach to compliance that has been par for the course over the past several years, Herold says. "Those responsible for compliance must be able to implement, and maintain, controls that will fit the organizational environment, and that will be incorporated into every-day work activities," she adds.
Healthcare leaders, she says, should consider the following compliance action steps:
Support more training, and significantly more ongoing awareness communications than most CEs and BAs currently are providing
Encourage more oversight of BAs. This means better tracking of the BAs.
Update the organization's breach-response plans. The rule eliminates the "harm threshold" provision, which allowed covered entities and business associates to avoid breach notification if they determined themselves a breach would not cause harm to an individual. HHS now calls for covered entities and BAs to assess the probability that the PHI has been compromised instead of assessing the risk of harm to the individual.
Establish a way to monitor compliance and risks on an ongoing basis, along with metrics/statistics, to most quickly identify when problem areas with regard to security and privacy emerge
Implement better PHI safeguards by CEs and all others (BAs and their subcontractors) which will lead to fewer breaches and also help to ensure more accurate PHI
Assign a person/team responsibility for doing a gap analysis between current practices and the new requirements
Identify all BAs and make sure they know the new requirements, and provide some type of evidence to demonstrate their compliance activities
Plan to provide an awareness communication about the upcoming changes to personnel as soon as possible, and then plan a training session with all personnel sometime in the near term (e.g., within the next month or two; by the March 25 effective date would be ideal).
Implement ongoing compliance monitoring actions, with associated metrics.
"From my perspective, a covered entity or business associate's most important reaction to the final rule is to make sure that it has recently undertaken a Security Rule risk analysis," Rostolsky says. "Although the final rule includes many areas of significant change, the Office for Civil Rights (the HIPAA enforcer under HHS) is clearly viewing the failure to conduct a risk analysis as a key trigger to enforcement action."
Further, BAs, covered entities and now those subcontractors of BAs who use and disclose PHI on behalf of BAs must update business associate contracts within 180 days from the date the rule is published in the Federal Register (January 25).
"The HITECH rules already addressed this, and enough guidance was provided in HITECH and within that next year so that Scripps has already revised our standard BAA," Van Gorder says. "We might expect that some smaller BAs may go out of business or change their business if they are unwilling or unable to comply with the HIPAA rules, particularly the Security Rule."
A major rule regarding HIPAA privacy is still due: The accounting of disclosures rule that will greatly impact patients' rights to request records and potentially give them more access to who viewed their records through an "access report."
"I would share with a board that it doesn't seem these final rules are creating too many ripples in the HIPAA pond," says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, AZ.
"But be aware that one of the big questions about whether patients will have the right to an access report has yet to be answered. That is one area I see as one of the most challenging and ambitious HIPAA requirements to be decided upon."
HIPAA compliance 101—policies, training, monitoring, and risk assessments—might have saved Blue Cross Blue Shield of Tennessee (BCBST) millions, experts say.
Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights over potential HIPAA security violations and spent another $17 million in breach response costs.
On March 13, BCBST and the OCR, the government's HIPAA privacy and security enforcer, reached the second largest financial settlement of its kind, behind CVS Caremark's $2.25 million price tag a little more than three years ago.
The agreement also requires BCBST to update its HIPAA compliance policies and procedures, obtain OCR approval on all policy changes, and conduct unannounced random audits of its own employees.
This is OCR's first enforcement action related to a breach that was reported per the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements, according to the Department of Health & Human Services.
'Not following the basics'
In the fall of 2009, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained protected health information (PHI) for more than one million individuals, including member names, Social Security numbers, diagnosis codes, birthdates, and health plan identification numbers.
"This breach seems to be another instance of not following the basics—policies, training, monitoring," says Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, NY. "When organizations include privacy and security as key components of their culture and begin applying similar methods to those used in safety and quality programs, the awareness of these issues increases. A well-trained workforce is a tremendous asset in preventing many breaches, especially breaches of this type."
In a statement released to HCPro, Inc., BCBST said the stolen hard drives were located in a data storage closet at a former Blue Cross call center located in Chattanooga. They contained audio and video recordings related to customer service telephone calls from providers and members. Patrick says this type of breach can happen in many environments and probably happens more often than is currently reported.
The Evaluation Standard in the HIPAA Security Rule [§164.308(a)(8)] calls for HIPAA covered entities (CE) to "perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information."
CEs seem to overlook this requirement, Patrick says, and must ensure they meet appropriate safeguards when they:
Move data files and tapes to another facility
Implement a new information system
Change access controls
Change off-site storage companies or procedures
"BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS press release. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says CEs must not only review HIPAA security standards but also those by the National Institute of Standards and Technology.
"What can entities do to prevent this from happening? Security risk analysis should be the first order of business, if covered entities haven't done this in the past year," Boggan says. "Review past risk analyses and make sure all problem areas have been addressed. The one thing you might think is unimportant could turn out to be the most important issue you have to address."
To date, there is no indication of any misuse of personal data from the stolen hard drives, according to BCBST. The company's response included the encryption of all its at-rest data as well as investigation, notification, and protection efforts—to the tune of $17 million, according to its statement. That amounts to about $17 per breached record.
"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in the statement to HCPro, Inc.
Message in the CAP
In addition to the settlement, BCBST must adhere to its corrective action plan (CAP), which states that the health insurer must:
Review, revise, and maintain its privacy and security policies and procedures
Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA
Perform and monitor reviews to ensure BCBST compliance with the CAP
BCBST must also conduct unannounced audits of BCBST facilities housing portable devices and audit 25 BCBST workforce members who use portable devices.
"That's really something I have not seen before," says Ali Pabrai, MSEE, CISSP, chief executive of ecfirst, home of The HIPAA Academy. "They are making them randomly audit their facilities that house portable devices. The fact they are saying it should be done randomly and unannounced shows they are serious about this."
The interim final rule on breach notification went into effect in August of 2009, only months before the BCBST breach. Pabrai says entities should take note that OCR is willing to go back years to investigate breaches.
"Go back and get as much detail as you can on your security incidents," Pabrai says. "You've got to be ready for this. Ensure your policies and procedures for breach and incident management are updated and aligned. Communicate policies effectively to your workforce."
The CAP agreement emphasizes the need to ensure policies and procedures are updated, and that workforce members are trained on the same, Pabrai says.
"Emphasize the sanctions policy with scenarios to reinforce key policies," Pabrai says, adding that CEs should also perform regular risk analysis activities and have an active risk management program.
"The bottom line as a result of this OCR action is that organizations are responsible for establishing and driving a carefully designed, delivered, and monitored HIPAA compliance program," he says.
HITECH breach notification role
The new HITECH requirement to report large patient information breaches to OCR helped bring the BCBST breach to light, an OCR spokesperson wrote in a March 13 e-mail to HCPro, Inc. OCR investigates all reported breaches of 500 or more; it forwards the smaller ones off to its regional offices throughout the United States, the spokesperson said.
As of March 14, the website lists 400 entities reporting breaches of unsecured PHI affecting 500 or more individuals. BCBST has the sixth largest breach.
"Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification," the spokesperson wrote. "The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light."
Kate Borten, CISSP, CISM, president of The Marblehead Group, says she's "disappointed" a breach that occurred in the fall of 2009 is just now being settled.
"I would think that self-reported breaches of PHI would be a high priority for HHS to investigate and act on," Borten says. "Otherwise, how much value is there in the reporting requirement? Further, even though a breach occurred, this is still identified as a 'settlement of a potential violation,' not a finding of fault, although the penalty is in line with the HITECH Act civil penalties. How much clearer could this be?"
Asked why it took this long to settle the BCBST case, the OCR spokesperson said, "As one can see from OCR's list of breaches over 500, many of these cases have been resolved quickly through corrective action. More complex cases take time to move from investigation to resolution."
Largest settlements to date
The OCR's largest settlements for HIPAA violations include:
CVS Caremark Co.: $2.25 million, February 2009
Blue Cross Blue Shield of Tennessee: $1.5 million, March 13, 2012
Rite Aid: $1 million, July 2010
Massachusetts General Hospital: $1 million, February 2011
University of California at Los Angeles Health System: $865,500, July 2011
Note that in February of 2011, OCR fined Cignet Health a $4.3 million civil money penalty, the largest fine for such violations. It was not a settlement.
The Office for Civil Rights (OCR) has reached its first settlement with an organization on its large patient information breach list required in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HIPAA privacy and security enforcer settled Tuesday, March 13, with Blue Cross Blue Shield of Tennessee (BCBS) for $1.5 million for its 2009 HIPAA breach that affected more than 1 million individuals, according to a Department of Health & Human Services (HHS) press release. OCR reports to HHS.
The health insurer also agreed to a corrective action plan to "address gaps in its HIPAA compliance program."
BCBS reported to OCR in the fall of 2009 that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee containing PHI of more than 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
"BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS press release. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."
In a statement released to HCPro, Inc., BCBS said the settlement covers the 2009 theft of 57 hard drives from a data storage closet at a former BlueCross call center located in Chattanooga. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included "varying degrees" of personal information on about 1 million members.
To date, there is no indication of any misuse of personal data from the stolen hard drives, according to BCBS.
"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," said Tena Roberson, deputy general counsel and chief privacy officer for BlueCross. "We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process."
Leon Rodriguez, OCR director, said the settlement tells covered entities and business associates to "have in place a carefully designed, delivered, and monitored HIPAA compliance program. The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients' right to private and secure health information."
OCR launched its breach notification website required by the HITECH Act under breach notification in February 2010 and through December 2011 had received an average of 17 reports per month. As of March 13, it lists 400 entities reporting breaches of unsecured PHI affecting 500 or more individuals.
In the last two months, the government enforcer has posted about 10 reports per month. Six entities are in OCR's million-plus patient record breach club, including BCBS as the sixth largest breach:
TRICARE Management Activity (TMA): 4,901,432, lost backup tapes
Health Net, Inc.: 1,900,000, unknown
New York City Health & Hospitals Corporation's North Bronx Healthcare Network: 1,700,000, stolen electronic medical record
AvMed, Inc.: 1,220,000, stolen laptop
The Nemours Foundation: 1,055,489, lost backup tapes
Blue Cross Blue Shield of Tennessee: 1,023,209, stolen hard drives
More than 18 months have passed since OCR last gave an update on the interim final rule on breach notification requirements. That rule, published in the Federal Register August 24, 2009, is in effect. OCR developed a final rule and sent it to the Office of Management and Budget for review May 14, 2010.
In addition to the $1.5 million settlement, BCBS must:
Review, revise, and maintain its privacy and security policies and procedures
Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA
Perform monitoring reviews to ensure BCBST compliance with the corrective action plan
One of the requirements calls for BCBS to randomly audit facilities using portable devices.
"That's really something I have not seen before," said Ali Pabrai, MSEE, CISSP, chief executive of ecfirst, home of The HIPAA Academy. "They are making them randomly audit their facilities that house portable devices. The fact they are saying it should be done randomly and unannounced shows they are serious about this."
The interim final rule on breach notification went into effect only months before the BCBS breach. Pabrai says entities should take note that OCR is willing to go back years to investigate breaches.
"Go back and get as much detail as you can," Pabrai says of earlier breaches reported to OCR. "You've got to be ready for this."
Ali Pabrai said it best at last week's fifth national HIPAA Summit West at the Grand Hyatt in San Francisco. Pabrai, a data security expert, noted that 97% of chief information officers are concerned about data security.
"My question is, 'Who are these other three percent?'" Pabrai asked the hundreds of laughing attendees.
Pabrai, MSEE, CISSP (ISSMP, ISSAP), of ecfirst's HIPAA Academy in Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those charged with protecting the privacy of patient information, needs to be concerned about data security.
Numbers game
The numbers at the HIPAA Summit told the story:
1 in 4: Organizations reporting a data breach (source: Pabrai)
250,000 to 500,000: Medical identity thefts (source: Pabrai)
330: Organizations reporting a breach of unsecured protected health information affecting 500 or more individuals since September 2009 (source: Office for Civil Rights, or OCR)
34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (source: OCR)
How and where the 500-or-more breaches are occurring:
How:
Theft: 50%
Unauthorized access/disclosure: 20%
Loss: 16%
Hacking/IT: 7%
Where:
Paper records: 24%
Laptop: 23%
Desktop computer: 17%
Portable electronic device: 16%
Network server: 10%
In August, McAfee reported that hackers broke into the United Nations data system and hid there for two years unnoticed, Pabrai said.
"How do we know that someone isn't hiding in our systems, and how long have they been there?" Pabrai asked the audience. "Do we have appropriate controls? What is the state of our information security? Do you have intrusion protection and intrusion prevention in place?"
"This is not just a compliance issue," Pabrai said. "This will have significant risk to the organization and will impact your facility in the seven figures."
Too many duties
So what are the struggles today for privacy and security officers?
In some cases, many in these roles are performing too many tasks. For example, the privacy officer is also the health information management director, the security officer is also the compliance officer, or the compliance officer handles privacy complaints.
These multiple roles, if possible, should be avoided, said Phyllis A. Patrick, MBA, FACHE, CHC, president, Phyllis A. Patrick & Associates, LLC, Purchase, N.Y.
In many organizations, the compliance officers have been given the role of privacy officer, but Patrick maintains that they're different roles with different regulations.
"I don't advocate that the compliance officer also be the privacy officer," Patrick told the audience, though she does recognize many smaller facilities must do so.
Policy on policies
What suffers when privacy and security officers are doing too many things? Policies and procedures that don't get updated or delivered and staff members who are not properly educated on them.
In some cases, such as that of the Pittsburgh Pirates and social media, they were never written.
Angel Hoffman, RN, MSN, corporate quality/compliance officer, Kane Regional Medical Centers and principal, Advanced Partners in Health Care Compliance in Pittsburgh, told the audience about Major League Baseball's Pittsburgh Pirates, which fired an employee for inappropriate Facebook posts about the organization.
But because the Pirates did not have a policy on social media use, the team had to rehire the employee.
Hoffman said organizations must have a sanctions policy for enforcement.
Remind employees that once something is written online, it never goes away, Hoffman said. Organizations cannot ban social media use among their employees, but they must have a policy for it and educate employees on the consequences of inappropriate posts.
Even OCR says you need to have strong policies.
"Make those real," Michael Leoz, OCR deputy regional manager in San Francisco, said, referring to HIPAA privacy and security policies and procedures. "Don't just have them sit on the shelf."
Recalling a case involving a laptop left in a Boston subway car by a Massachusetts General Hospital employee, Leoz said OCR found the policies and procedures that were in place were not adequate for HIPAA privacy and security compliance. That led to a $1 million settlement and a corrective action plan.
Board support
And what good are a policy and an education plan if senior management and board members aren't on board?
One HIPAA privacy officer at the Summit said he does not have that problem. He told a story dispelling an accepted belief that hospital boards are not engaged in HIPAA compliance issues.
When the officer rolled out some online learning to his staff at his large healthcare system, he got his first notification of a completed quiz 20 minutes later.
From whom? The chairman of the board of the directors for the hospital system. That's the same chairman with whom the privacy officer meets monthly.
Disengaged? Hardly. At least not at this facility.
HIPAA audits coming
That's a good thing, because OCR (or at least its contractor, KPMG, LLP) could come knocking starting this fall and into next year, thanks to a $9.2 million auditing plan stemming from the HITECH Act.
Leoz of OCR said the audits will review covered entities' approach to HIPAA compliance. He said the audits would lead to more preventative measures entities can take rather than creating a reactive culture. Leoz added there would be an increased potential for learning among covered entities because of these audits.
About 20 to 25 covered entities will be part of a testing phase. "We're going to try to look at different types of covered entities," he said. OCR's contractor will look for what programs different kinds of covered entities have in place.
"We will give an advance notice of the audit," Leoz said. "There will be a comprehensive data request and some on-site visits from OCR contractors who will interview covered entities' staffs."
2012 – and down the road
As for your organization's HIPAA 2012 and beyond compliance efforts?
The important information security ventures for an organization in 2012 will be encryption, encryption and encryption, Pabrai said.
And right behind encryption? Authentication.
William R. Braithwaite, MD, PhD, chief medical officer at Anakam, Inc., said at the Summit that the healthcare industry needs to have strong authentication, and for patients who want remote access to their records it needs to be multi-factor authentication. Braithwaite is known as "Doctor HIPAA."
For instance, have patients enter a username and password, then, from that log-in, send a second code to the patient's cell phone that must be entered before access is granted.
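The two-step log-in just described, as an added Python example that is not code from the article or from Anakam, Inc.: step one checks the password against a salted hash, step two issues a short-lived, single-use code that travels out of band and must be presented with the same log-in session. The `deliver` callback standing in for an SMS gateway, the code lifetime and the attempt limit are assumptions of this example; the user and phone number in the usage are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL = 300       # seconds a second-factor code stays valid (assumed policy)
MAX_ATTEMPTS = 3     # wrong codes tolerated before the pending log-in is discarded


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest) so the salt can be stored alongside."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class PortalAuth:
    """Username/password first factor plus a one-time code delivered to a phone."""

    def __init__(self, deliver, clock=time.monotonic):
        self.deliver = deliver   # callable(phone, message): assumed out-of-band channel
        self.clock = clock       # injectable so expiry can be tested deterministically
        self.users = {}          # username -> (salt, password hash, phone)
        self.pending = {}        # session id -> [username, code, expires_at, attempts]

    def register(self, username, password, phone):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, phone)

    def start_login(self, username, password):
        """Step 1: verify the password; on success send a code and return a session id."""
        record = self.users.get(username)
        # Run the hash even for unknown users so timing does not reveal valid usernames
        salt, stored, phone = record if record else (b"\x00" * 16, b"\x00" * 32, None)
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        code = f"{secrets.randbelow(10**6):06d}"      # six-digit one-time code
        session = secrets.token_urlsafe(16)           # ties step 2 to this log-in
        self.pending[session] = [username, code, self.clock() + CODE_TTL, 0]
        self.deliver(phone, f"Your portal code is {code}. It expires in 5 minutes.")
        return session

    def finish_login(self, session, code):
        """Step 2: the code must match, be unexpired and belong to this session."""
        entry = self.pending.get(session)
        if entry is None:
            return None
        username, expected, expires_at, _ = entry
        if self.clock() > expires_at:
            del self.pending[session]
            return None
        if not hmac.compare_digest(code, expected):
            entry[3] += 1
            if entry[3] >= MAX_ATTEMPTS:
                del self.pending[session]
            return None
        del self.pending[session]   # single use: the same code cannot be replayed
        return username


if __name__ == "__main__":
    # Constructed walk-through: the "gateway" just prints the message it would send
    auth = PortalAuth(deliver=lambda phone, msg: print(f"to {phone}: {msg}"))
    auth.register("patient01", "correct horse battery", "+1-555-0100")
    session = auth.start_login("patient01", "correct horse battery")
    print("session issued:", session is not None)
```

The session id returned by step one is what binds the code to the password check; a code presented with a different session, after expiry, or a second time is rejected, and the per-session attempt counter keeps the six-digit space from being guessed.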
And as for tracking who's looking at what, that can't be a generic effort, Pabrai says.
"There are too many generic accounts across the industry where you cannot trace an action back to an individual," Pabrai said. "The user has to be able to trace things back to individuals, and you just cannot do that with generic accounts."
And don't forget social media, Pabrai said, because hospital employees can transmit information across a 3G or a 4G network and not through an organization's firewall system.
"You may take a photograph now, and you're transmitting that information about patients across a network structure that even the best organizations with the best security controls cannot" protect.
Social media, Pabrai said, is an "area of significant challenge."
Hopefully it is for those three percent Pabrai mentioned as well.
The Office for Civil Rights has revealed the top areas of interest on its HIPAA privacy and security compliance radar.
Adam Greene, former senior health information technology and privacy advisor at OCR and now partner at the law firm Davis Wright Tremaine in Washington, D.C., recently discussed each hot topic with HealthLeaders Media.
Hotspot: Incident detection and response (OCR's top issue)
Greene: I recommend both a top-down and bottom-up approach. From the top, covered entities and business associates should evaluate whether they are reasonably logging system activities and reviewing those logs in a way that is reasonably likely to detect impermissible uses and disclosures.
From the bottom, covered entities and business associates should ensure that all staff who have access to PHI are reasonably trained to be able to spot an impermissible use or disclosure and report it to the appropriate person (since the HITECH Act makes clear that the entire organization is treated as knowing of a breach if anyone, other than the person who committed the impermissible use or disclosure, knows of the breach).
Hotspot: Review of log access
Greene: No entity can review every instance of access. The key is how to reasonably spend your limited resources in a way that will best identify problems. This generally should include looking for patterns of unusually large access by an employee and paying special attention to high risk areas such as access to patient records of VIPs.
If appropriate for your organization, this may also include more sophisticated algorithms, such as comparing patient addresses and employee addresses to detect potential cases of neighbor snooping by employees, or looking for access that is unusual for a department (e.g., a labor and delivery nurse looking up a male patient).
There is no one-size-fits-all answer, but covered entities and business associates should document what options they have considered and how they concluded that their approach was reasonable.
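The review patterns in this answer (unusually large access volume, VIP records, employee-to-patient address matching, access that is atypical for a department), together with the traceability problem of shared accounts that Pabrai raises earlier in the article, as an added Python example that is not code from the article, OCR or any vendor. The employee directory, patient registry, addresses and access log are constructed; the care-team lists, the volume thresholds and the single department rule are assumptions of this example.

```python
from collections import defaultdict
from statistics import median

# Constructed employee directory: user id -> (department, street, zip)
EMPLOYEES = {
    "rn_alvarez": ("labor_delivery", "12 Oak St", "37402"),
    "rn_chen": ("labor_delivery", "88 Elm Ave", "37405"),
    "md_patel": ("cardiology", "5 Pine Rd", "37403"),
    "clerk_kim": ("billing", "77 Maple Ct", "37402"),
}
# Shared log-ins: activity on these cannot be traced back to one person
GENERIC_ACCOUNTS = {"nursestation2"}

# Constructed patient registry: patient id -> (sex, street, zip, vip, care team)
PATIENTS = {
    "P100": ("F", "14 Oak St", "37402", False, {"rn_alvarez", "rn_chen"}),
    "P101": ("M", "9 Birch Ln", "37406", False, {"md_patel"}),
    "P102": ("F", "3 Cedar St", "37407", True, {"md_patel"}),
    "P103": ("F", "20 Lake Dr", "37409", False, {"rn_chen"}),
    "P104": ("M", "41 Hill Rd", "37410", False, {"md_patel"}),
    "P105": ("F", "6 River Way", "37411", False, set()),
    "P106": ("M", "18 Ridge Ave", "37412", False, set()),
    "P107": ("F", "2 Park Pl", "37413", False, set()),
}

# Constructed access log for one day: (user id, patient id)
ACCESSES = [
    ("rn_alvarez", "P100"), ("rn_alvarez", "P103"),
    ("rn_chen", "P100"), ("rn_chen", "P103"), ("rn_chen", "P101"),
    ("md_patel", "P101"), ("md_patel", "P102"),
    ("nursestation2", "P103"),
] + [("clerk_kim", p) for p in ("P100", "P101", "P102", "P103",
                                "P104", "P105", "P106", "P107")]

# Access atypical for a department's normal patient population (assumed rule)
ATYPICAL = {"labor_delivery": lambda sex: sex == "M"}
MIN_VOLUME = 4      # nobody is a volume outlier below this many distinct patients
VOLUME_FACTOR = 3   # ...or below this multiple of their colleagues' median


def street_name(street):
    """Drop the house number so '12 Oak St' and '14 Oak St' compare equal."""
    parts = street.lower().split()
    return " ".join(parts[1:]) if parts and parts[0].isdigit() else street.lower()


def review_access_log(accesses, employees=EMPLOYEES, patients=PATIENTS,
                      generic=GENERIC_ACCOUNTS):
    """Return sorted (rule, user, detail) findings for a reviewer to follow up."""
    findings = set()
    distinct = defaultdict(set)          # user -> distinct patients touched
    for user, pid in accesses:
        distinct[user].add(pid)
        if user in generic or user not in employees:
            findings.add(("untraceable_account", user, pid))
            continue
        dept, e_street, e_zip = employees[user]
        sex, p_street, p_zip, vip, care_team = patients[pid]
        if vip and user not in care_team:
            findings.add(("vip_record", user, pid))
        if e_zip == p_zip and street_name(e_street) == street_name(p_street):
            findings.add(("neighbor_match", user, pid))
        if dept in ATYPICAL and ATYPICAL[dept](sex):
            findings.add(("atypical_for_department", user, pid))
    # Volume check: compare each user against the median of everyone else
    for user, pids in distinct.items():
        others = [len(p) for u, p in distinct.items() if u != user]
        baseline = median(others) if others else 0
        if len(pids) > max(MIN_VOLUME, VOLUME_FACTOR * baseline):
            findings.add(("volume_outlier", user, f"{len(pids)} distinct patients"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in review_access_log(ACCESSES):
        print(f"{rule:24} {user:14} {detail}")
```

Each finding is a lead for a human reviewer, not a verdict: the nurse on a patient's care team who lives on the same street is a legitimate exception the reviewer documents, which is exactly the "what we considered and why it is reasonable" record the answer asks for.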
Hotspot: Secure wireless network
The May 2011 OIG report regarding CMS oversight of the Security Rule is helpful here, highlighting a number of vulnerabilities in wireless networks that the OIG found when auditing hospitals. For example, OIG found hospitals where no authentication was required to access the network or where there was an inability to detect devices intruding on the network.
For smaller providers, it may be less complicated issues, such as ensuring that encryption is turned on, and that the administrative access to configure the access is properly password protected.
Hotspot: Management of user access and passwords
Greene: Covered entities should ensure that there are policies generally prohibiting the sharing of user IDs, systems are configured to require strong passwords when accessing higher-risk information and to require changing of default passwords, and that access to administrative accounts is closely controlled.
Hotspot: Theft or loss of mobile devices
Greene: Good policies and training on safeguarding mobile devices is a good first step. But, no matter what administrative steps are taken, mobile devices will get lost or stolen. Accordingly, I would highly recommend encryption of such devices and trying to maintain PHI centrally, whenever possible (rather than storing PHI on mobile devices themselves).
Hotspot: Up-to-date software
Greene: Covered entities and business associates should ensure that patches that address vulnerabilities are pushed out to workstations [regularly] and should consider whether an upgrade to software or an operating system is necessary if that version is no longer supported by the vendor. Of course, it is also imperative to keep anti-malware software up-to-date.
Hotspot: Role-based access - lack of information access management
Greene: Staying on top of role-based access is always challenging. If standards are too lax, there are significant security risks. If standards are too tight, then patient safety may be jeopardized due to unexpected situations in which an employee needs legitimate access to information but does not have the needed access level. A closely monitored break-the-glass solution may help remedy some of the concerns.
HIPAA compliance auditors contracted by the Office for Civil Rights will review whether covered entities have corrective action plans in place and if they diligently work to remediate any problems, according to an officer of the HITRUST Alliance.
In a recent audio conference with Susan McAndrew, deputy director of health information privacy for OCR, Cliff Baker, chief strategy officer at the HITRUST Alliance, summarized the key goals of a HIPAA audit, which align with some of the major issues on OCR's radar for the industry:
Incident detection and response (OCR's top issue)
Access log review
Secure wireless network
User access and passwords management
Theft or loss of mobile devices
Up-to-date software
Role-based access -- lack of information access management
OCR in June awarded KPMG, LLP a $9.2 million contract to administer the HIPAA privacy and security compliance audits required by Congress via HITECH. The first phase of the audits -- in which OCR plans to visit 150 covered entities -- is expected to begin this fall and will end by December 31, 2012.
OCR is taking a systematic approach to determining which organizations to audit based on risk, Baker said. Audits will no longer be driven by responses to complaints or breaches, but will be directed at organizations that OCR selects based on an overall risk profile.
"The audits are seen as an opportunity to gather information about exposures in the industry and proactively identify certain issues ahead of time before they result in breaches across the industry," Baker says. "The results of the audit will be a learning opportunity for the entire industry."
Conducting the audits
OCR is working on a model for objectively selecting organizations for audit based on risk factors (e.g., size, type of entity).
"The audits will not simply focus on organizations that had an incident," Baker said. "The initial focus will largely be on covered entities, as this is a group that's identifiable today."
Entities will receive advance notice before any audits. And though OCR is budgeted for 150 audits, Baker said it's "unlikely" the auditors will get through that many by the end of 2012. OCR plans to release aggregate findings across all audits as a "learning process for the industry," Baker says.
"OCR expects that organizations are performing risk assessments," Baker adds. "Risk assessments are not expected to be 'clean,' but it's important that organizations have corrective action plans in place and are diligently working to remediate issues."
An Office for Civil Rights investigation into the nation's largest drugstore chain for potential HIPAA violations that cost the industry's second- and third-largest chains millions of dollars in settlements one year later is still just that – an investigation.
Last August, OCR confirmed its investigation into Walgreens based on the same television media reports that led to million-dollar settlements with CVS and Rite Aid for potential HIPAA violations.
Contacted recently, Amanda Fine, spokesperson for OCR, offered no comment but confirmed in an e-mail to HealthLeaders Media that the investigation into Walgreens remains "open."
"OCR cannot comment on the timing or the details of an open investigation," Fine said when asked about Walgreens.
The government's investigations into the pharmacies date back four years. The HIPAA privacy and security rule enforcer's investigation into CVS and Rite Aid began September 27, 2007, according to each pharmacy chain's consent agreement with the Department of Health & Human Services.
The agreement included a $2.25 million settlement for CVS (announced February 18, 2009) and a $1 million payment by Rite Aid (announced July 27, 2010) with HHS.
Though neither consent agreement mentioned an investigation into Walgreens, OCR confirmed last year that it is looking into the HIPAA compliance practices of the Deerfield, IL, company.
Walgreens operates the largest number of drugstores in the country, ahead of No. 2 CVS and No. 3 Rite Aid.
HHS's consent agreements with CVS and Rite Aid revealed that the pharmacies disposed of pill bottles and prescriptions that included protected health information in trash containers without proper safeguards.
WTHR, the Indianapolis television outlet that broke the story of the improper disposal practices after a nationwide "dumpster-diving" investigation, reported that Walgreens was one of the pharmacies where it found PHI in Dumpsters with easy access by the public.
In addition to paying HHS $1 million, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.
CVS, meanwhile, agreed to implement a robust corrective action plan that requires:
Privacy rule compliant policies and procedures for safeguarding disposed patient information
Employee training on HIPAA
Employee sanctions for noncompliance
In addition, CVS must monitor its compliance with the HHS and FTC orders by having a third party conduct assessments and report to the federal agencies. The HHS corrective action plan lasts three years; the FTC requires monitoring for 20 years.
Rite Aid's corrective action plan is similar.
The money collected by OCR through these settlements goes to "enforcement activities under the HITECH Act and the HIPAA Privacy and Security regulations," OCR wrote in an e-mail to HealthLeaders Media.