Enter the HIPAA Fear Mongers


Fear of HIPAA Sells

[By Darrell K. Pruitt DDS]

“The HHS Office for Civil Rights (OCR) can show up at your door and ask to perform an audit on short notice, and your organization will need to be ready, or face fines of up to $50,000 per day for each regulatory provision violated.”

– Gene Kraemer [Customer Relationship Director at The Coding Institute]

http://www.audioeducator.com/hipaa-audits-and-enforcement-042412.html?utm_medium=email&utm_source=E99NAGAJ&utm_campaign=E99NAGAJ

The most successful of opportunistic HIPAA consultants are the scariest

As a dentist for almost 30 years, I’ve noticed that along with even rumors of mandate enforcement, ambitious compliance consultants’ fear-inspiring ads start interrupting happier thoughts. It happened with OSHA’s push into dentistry 20 years ago and we clearly see the aggressive sales pitches with HIPAA as well.

The scariest part of Gene Kraemer’s description of HIPAA’s tedious requirements and bankruptcy-level liabilities is that he is simply telling the truth. So if you are a HIPAA covered dentist, be scared.

On the other hand, if you don’t store or send your patients’ digital PHI – choosing instead to use the US Mail – you are increasingly fortunate in the dentistry market. For one thing, our patients are fed up with identity thefts, and paper dental records are the gold standard in security. In addition, nothing is holding down your competitors’ costs for HIPAA compliance and it is increasing much faster than the cost of postage.

De-identify now or lose computerization, Doc. If your patients’ PHI is not present it simply cannot be hacked by an identity thief. Guaranteed more secure than Cloud. Arguably more secure than even paper dental records.

Or … You can hire The Coding Institute.

You can bet Gene Kraemer isn’t someone who would hold down the cost of compliance.


From: Gene_Kraemer@mail.vresp.com

Subject: HIPAA Audits & Enforcement: New Penalties & Push for Compliance – Final Notice!

Good Morning,

The US Department of Health and Human Services (HHS) is currently implementing audits to meet requirements in the HITECH Act in the American Recovery and Reinvestment Act of 2009 (ARRA) for performing periodic audits of compliance with the HIPAA Privacy and Security Rules, and up to 150 random HIPAA compliance audits will be performed by the end of 2012. While in the past, audits had been performed only at entities that had had a complaint filed against them, the new rule calls for audits whether or not there is a complaint. This means the HHS Office for Civil Rights (OCR) can show up at your door and ask to perform an audit on short notice, and your organization will need to be ready, or face fines of up to $50,000 per day for each regulatory provision violated.

Join us for this live audio conference on Tuesday, April 24, 2012 at 1 pm ET | 12 pm CT | 11 am MT | 10 am PT. This conference is being presented by Jim Sheldon-Dean, the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to health care firms and businesses throughout the Northeast and nationally. He serves on the HIMSS Information Systems Security Workgroup, the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and co-chairs the WEDI HIPAA Updates sub-workgroup.  Sheldon-Dean is a participating member of the advisory board of Vermont Information Technology Leaders (VITL), and has participated in VITL’s Vermont Health Information Technology Plan working group, VITL’s Physician EMR adoption project, and the Security Workgroup of the New Hampshire/Vermont Strategic HIPAA Implementation Plan (NHVSHIP).

Highlights of the session:

• Fines and penalties for violations of the HIPAA regulations have been significantly increased and now include mandatory fines for willful negligence that begin at $10,000 minimum.

• HIPAA Audits have been few and far between in the past, but that’s now changing – the HHS will be auditing HIPAA covered entities and business associates even if there have been no complaints or problems reported.

• What HHS OCR is likely to ask you if you are selected for an audit, and what you’ll have to have prepared already when they do.

• The rules that you need to comply with will be explained. Learn about the policies you can adopt that can help you come into compliance and be prepared for an audit.

• How the HIPAA rules have changed, and how you may need to change how you work to keep up with them.

• How having a good compliance process can help you stay compliant and respond to audits more easily.

• The documentation needed to survive an audit and avoid fines will be described.

• A discussion on what you’ll need to think about to deal with current and future threats to the security of patient information.

If interested, please click the following link to register and get your early bird discount:

http://www.audioeducator.com/hipaa-audits-and-enforcement-042412.html?utm_medium=email&utm_source=E99NAGAJ&utm_campaign=E99NAGAJ

Please apply discount code “GENE20” at checkout to get your $20 discount on early registration.

Looking forward to having you onboard here.

Thanks,

Gene Kraemer

Customer Relationship Director

The Coding Institute LLC

2222 Sedwick Drive,

Durham, NC 27713


Conclusion

Your thoughts and comments on this ME-P are appreciated.


16 Responses

  1. Gene Kraemer
    Customer Relationship Director
    The Coding Institute LLC
    2222 Sedwick Drive,
    Durham, NC 27713

    Gene,

    In the interest of fair play, you are invited to comment and/or opine on the above ME-P.
    Cordially.

    Ann Miller RN MHA
    [Executive-Director]


  2. Ann – I wish to thank you and the Medical Executive-Post for inviting Gene Kraemer, Customer Relationship Director for The Coding Institute, to share his knowledge of HIPAA compliance with us.

    I have been asking for an estimate of the cost of HIPAA compliance for years from EHR stakeholders – including vendors, consultants and even the American Dental Association Department of Dental informatics. Nobody responds.

    Maybe Mr. Kraemer will be more friendly to customers.

    D. Kellus Pruitt DDS


  3. Good reasons to fear HIPAA —

    The HIPAA horror stories in the press in the past few years usually involve larger hospitals, universities, insurers and larger health care providers. It seems more stories of the smaller medical practices are coming forth.

    Take today’s story on ModernPhysician.com

    (http://www.modernphysician.com/article/20120417/MODERNPHYSICIAN/304179990?AllowView=VW8xUmo5Q21TcWJOb1gzb0tNN3RLZ0h0MWg5SVgra3NZRzROR3l0WWRMVGJVUHdHRWxYek9UYktwUGZUamg5b1g4WFFERmhzbHhkSXRUYk9WYUk9&utm_source=link-20120417-MODERNPHYSICIAN-304179990&utm_medium=email&utm_campaign=mpdaily )

    of Phoenix Cardiac Surgery of Phoenix hit with a $100,000 agreed upon fine by HIPAA. The practice was “posting clinical and surgical appointments for its patients on an internet-based calendar that was publicly accessible.”

    Paper calendars sound a lot cheaper!

    David K. Luke, MIM
    Physician Financial Advisor


  4. HIPAA isn’t cheap, and neither are KPMG auditors

    Want to see what a HIPAA-covered provider has to do wrong to get hit with a $100,000 fine from HHS Office of Civil Rights (OCR)?

    Today, Robyn Sterling, writing for Proskauer, posted a list of alleged violations that ended up costing Phoenix Cardiac Surgery (PCS) dearly. See: “HHS Settlement for Lack of HIPAA Safeguards.”

    http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a0af-de15db487dbb

    Sterling notes that the OCR investigation was in response to a complaint alleging that PCS had exposed patients’ Protected Health Information (PHI) by carelessly making it available on the Internet. The settlement was reached for the following alleged violations of the HIPAA Privacy and Security Rules uncovered during the investigation that was triggered by the initial complaint.

    – PCS did not adequately provide and document training of its employees on how to appropriately handle patients’ PHI.

    – PCS did not have appropriate and reasonable administrative, physical and technical safeguards in place to protect patient data. For example, PCS allegedly “posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar.” In addition, employees e-mailed PHI to their own personal e-mail accounts.

    – PCS did not appoint a security officer as required by HIPAA.

    – PCS did not perform an accurate and thorough risk assessment required by HIPAA.

    – PCS did not obtain “satisfactory assurances in a business associate agreement” from its business associates. Sterling explains: “This suggests that either business associate agreements were outright lacking or the language did not meet the requirements under HIPAA.”

    The fact that KPMG itself was determined to be guilty of HIPAA violations just before winning a $9 million HHS contract to help the OCR with HIPAA audits means that ambitious KPMG auditors working for commission have sufficient incentive to prove that if KPMG can’t be 100% compliant, nobody can. Due to the intentionally subjective nature of the HIPAA Rule, even a dentist’s overly-generous investment of non-productive staff time into ineffective security requirements could easily become wasted effort under close inspection. You know that, Doc.

    And Doc, what about those private, recurring worries these days about real and imagined data breaches of your patients’ identities? You know exactly what I’m talking about, don’t you? I assure you that non-dentists just don’t understand that it’s those very private worries which keep up to 170,000 dentists in the nation from joining my public discussions concerning HIPAA and EDRs. Am I right?

    OCR intends to conduct random as well as complaint-driven audits in the future. So it seems to me that if dentists wanted to distance their practices from KPMG employees having a bad day and bankruptcy-level HIPAA fines, simply not putting patients’ PHI on computers is plain, common sense. Making dental patients’ PHI less available to thieves is hands-down better than risking $100,000 – followed by a year or more of close monitoring by KPMG employees working on commission.

    It’s in clueless dental patients’ Hippocratic interest that this dentist is never forced to become a HIPAA-covered entity. They could lose their most successful representative on privacy matters.

    As for you, Docs, save computerization in dentistry. De-identify now!

    D. Kellus Pruitt DDS


  5. “The worst thing about being lied to is knowing you weren’t worth the truth”
    – Unknown


  6. Experts Debate Privacy Regulations

    Is there too much regulation of healthcare information privacy, or too little? That was a key question that largely went unanswered for more than an hour, but sparked a lively debate among panelists and the audience at the Second International Summit on the Future of Health Privacy in Washington. Probably, the most provocative statement during that June 5 debate came from panelist and privacy lawyer James Pyles, of the Washington firm of Powers Pyles Sutter & Verville, who called on rule makers to add a definition of privacy principles to federal privacy regulations under the Health Insurance Portability and Accountability Act of 1996.

    “HIPAA doesn’t even define privacy,” Pyles said. Amendments to HIPAA under the health information technology provisions of the more recent American Recovery and Reinvestment Act of 2009 don’t either. Courts say individual control over what is shared is the key term in defining privacy that’s known and shared about them, Pyles said. The public believes they have a right to privacy and should have a right to privacy, and you will get sued if you violate it, he said.

    Source: Joseph Conn, Modern Healthcare [6/6/12]


  7. Appeals Court Says Knowledge of HIPAA Isn’t Required for Proof of a Violation

    The U.S. Court of Appeals for the Ninth Circuit on May 23 refused to reconsider its May 10 decision that a former researcher was guilty of criminal violations of HIPAA even though the government had not shown he knew his actions of snooping into records were illegal.

    In the May 10 ruling, the court said the government did not need to prove that a defendant in a criminal HIPAA case knowingly broke the law, dismissing the appeal of Huping Zhou and upholding a lower court’s imposition of a four-month jail sentence and fines for the former researcher at the University of California at Los Angeles Healthcare System. In 2010, Zhou pleaded guilty to four misdemeanor charges of violating HIPAA.

    Source: Report on Patient Privacy [June 2012]


  8. HHS Auditors Release HIPAA Audit Protocol

    The Office for Civil Rights at HHS has published what it describes as “a comprehensive audit protocol” containing the requirements that will be assessed when it conducts privacy and security compliance audits as outlined in the American Recovery and Reinvestment Act of 2009.

    The newly posted audit protocol covers HIPAA privacy-rule requirements for the notice of privacy practices for personally identifiable healthcare records, a patient’s right to request privacy protection for his or her records, patient access to personal records, the uses and disclosures of patient information, an accounting of disclosures, amending records, and other administrative requirements.

    Source: Joseph Conn, Modern Healthcare [July 5, 2012]


  9. Dermatology Practice That Lost Patient Data Will Pay Feds $150K
    [Skin in the Game]

    In September 2011, someone broke into the locked car of an employee of Adult & Pediatric Dermatology in Concord, Massachusetts, and stole a computer bag. Inside the computer bag was a thumb drive containing information on roughly 2,200 patients who had undergone Mohs surgery. The thumb drive was unencrypted. It was as if 2,200 paper charts had fallen off a truck and fluttered down the highway.

    Last week, the US Department of Health and Human Services (HHS) announced that the practice had agreed to pay the government $150,000 as part of a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA), passed by Congress to keep patient data out of the wrong hands.

    The settlement does not amount to admission of liability by the dermatology practice nor a concession by HHS that the law had not been broken. The 12-physician practice also agreed to analyze the security risks of its computer systems and electronic media and then develop a plan to improve security.

    Source: Robert Lowes, Medscape News [12/31/13]


  10. Your Doctor Knows You’re Killing Yourself
    [The Data Brokers Told Her]

    You may soon get a call from your doctor if you’ve let your gym membership lapse, made a habit of picking up candy bars at the check-out counter or begin shopping at plus-sized stores.

    That’s because some hospitals are starting to use detailed consumer data to create profiles on current and potential patients to identify those most likely to get sick, so the hospitals can intervene before they do.

    http://money.msn.com/business-news/article.aspx?feed=BLOOM&date=20140626&id=17734185

    So, is this fear mongering OR security realism?

    Greta


  11. Random HIPAA Audits of Covered Entities & Business Associates to Begin in 2016

    The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) has recently announced that it will begin the second phase of its random HIPAA audit program in the first quarter of 2016. This round of audits will include review of Business Associates (e.g., vendors who receive or have access to patient information), as well as Covered Entities (e.g., providers and health plans). The OCR has not yet published an updated audit protocol; however, it is being reported that this second round of audits will be different than the pilot program because:

    • OCR will target specific common areas of noncompliance identified in the pilot audits and subsequent enforcement actions (e.g., the most common deficiency previously identified was failure to have a risk analysis).

    • The audits will include a much larger number of entities.

    • The audits will consist of a combination of desk reviews of policies as well as onsite reviews.

    Whether you are a Business Associate or a Covered Entity, you need to prepare for the possibility of these audits by ensuring that your facility has:

    • implemented an effective HIPAA compliance program (including all required policies, forms and training);

    • completed, and maintains, a thorough up-to-date risk analysis;

    • a business associate agreement in place with all required parties;

    • evaluated the effectiveness of its HIPAA compliance program.

    Garfunkel Wild, P.C.


  12. HIPAA Audits Coming

    “OCR Releases Details of Phase 2 HIPAA Audits Starting Soon.”
    By Sara Heath for HealthIT Security, March 21, 2016.

    http://healthitsecurity.com/news/ocr-releases-details-of-phase-2-hipaa-audits-starting-soon

    “Although HIPAA audits are intended to be improvement-oriented with the end goal of creating better protocols to help entities adhere to HIPAA, there are some incidences in which an entity presents a glaring issue with security.”

    Then what?

    “In these events, OCR may investigate further, but it does not plan on publishing individual audit information publically. That said, the agency does maintain that under the Freedom of Information Act (FOIA), it may need to release audit notification letters should the public ask for them.”

    When a patient learns through the media that their dentist is being investigated for HIPAA violations, will that help or hurt the practice?

    Anyone interested in de-identification of primary dental EHRs? If patients’ identities are unavailable, they cannot be hacked.

    Otherwise, one can count on the marketplace to eventually inform consumers that paper dental records are both cheaper and safer than EHRs.

    Then what?

    D. Kellus Pruitt DDS


  13. Second Phase of HIPAA Audits Shifts into High Gear

    The long-awaited second phase of the HIPAA audit program of the HHS Office for Civil Rights is now in full swing. According to OCR, some covered entities have received notification letters regarding their inclusion in the desk audit portion of the program. “These entities have 10 business days, until July 22, 2016, to respond to the document requests,” OCR said in the announcement. “Desk audits of business associates will follow this fall.”

    Phase 2 of OCR’s audit program is primarily focused on desk audits of policies and procedures, compared with Phase 1. OCR hopes this approach will enable the agency to be more effective in audits with fewer resources than would be required to support full onsite audits for all organizations. “The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA rules,” according to the announcement. “OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of non-compliance.”

    Source: Greg Slabodkin, Health Data Management [7/18/16]


  14. Washington continues to disadvantage HIPAA-covered dentists

    As government regulations continue to raise the cost of dental care, non-productive HIPAA requirements predictably create pricing advantages for paper-based dentists who choose not to file dental claims electronically. What’s more, informed patients naturally prefer the security of paper over electronic dental records.

    “HIPAA requires practices to name both a privacy officer and a security officer. The two roles do have some overlap; however, Robben suggests that having two separate people fill them allows for checks and balances. Both the privacy officer and the security officer need to have a thorough understanding of how the practice operates, where the problems with compliance are most likely to occur and a good idea of what will motivate the staff. They both need to be connected to every part of the practice, from the doctors and nurses to the billing and front office staff.”

    (See: “How to choose your HIPAA security officer” by Dava Stewart for ModernMedicine, September 29, 2016.)

    http://medicaleconomics.modernmedicine.com/medical-economics/news/how-choose-your-hipaa-security-officer?page=0,0

    In addition:

    “Congress says HHS has to step up efforts to secure nation’s medical records” (By Joseph Conn for Modern Healthcare, September 28, 2016).

    http://www.modernhealthcare.com/article/20160928/NEWS/160929887/congress-says-hhs-has-to-step-up-efforts-to-secure-nations-medical

    There is nothing holding down the cost of HIPAA, yet the price of paper has been relatively stable for decades.

    D. Kellus Pruitt DDS


  15. No more HIPAA audits?

    “Trump Proposes Hefty HHS Budget Cuts for OCR, ONC – Experts Analyze Potential Impact on Privacy, Security Efforts”

    By Marianne Kolbasuk McGee
    (HealthInfoSec), May 23, 2017.
    http://www.govinfosecurity.com/trump-proposes-hefty-hhs-budget-cuts-for-ocr-onc-a-9940


    McGee: “OCR officials had originally planned to also conduct a smaller number of more comprehensive on-site audits in the first quarter of calendar 2017. But by February, officials said plans to conduct those onsite audits were being pushed back.

    If Congress does indeed approve the proposed OCR budget cut, onsite audit plans could be on hold indefinitely.”

    Darrell K. Pruitt DDS
