On OCR Director Jocelyn Samuels
[By D. Kellus Pruitt DDS]
When the explosions of breaches of patients’ medical identities occur – as predicted by the FBI and others – will the new OCR Director Jocelyn Samuels continue to be as sympathetic and forgiving as Leon Rodriguez has been?
Or will she take on the role of bad cop?
The Replacement
Samuels, who is tying up loose ends in her current position with the civil rights division at the Department of Justice, has replaced Rodriguez as the new head of the HHS’ Office for Civil Rights – which prosecutes HIPAA violations. Many are wondering about her level of enthusiasm for enforcement, especially since data breaches are only getting worse, not better.
Privacy and security attorney Adam Greene, who once served as a member of the OCR staff, tells GovInfo that the challenge for Samuels is “to strike the balance where HIPAA is seen as having ‘teeth’ but covered entities and business associates can still count on OCR as being reasonable when there are areas of ambiguity or privacy or security issues occur despite good efforts at compliance.”
(See: “Impact of New HIPAA Enforcement Leader – Are New Strategies, Directions on the Horizon?” by Marianne Kolbasuk McGee for GovInfoSecurity.com, July 11, 2014).
http://www.govinfosecurity.com/impact-new-hipaa-enforcement-leader-a-7049/op-1
Healthcare Harm
Principals in healthcare – providers and patients – continue to be harmed by EHRs designed to satisfy third parties’ questionable Meaningful Use requirements rather than principals’ needs. For example, on April 8, the FBI warned that EHRs are becoming increasingly vulnerable to hackers. (See: “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain”).
Under Rodriguez, OCR has arguably spared the rod (mostly), choosing instead to discuss and correct HIPAA violations in an informal, private, non-punitive manner. I think both Rodriguez and Secretary Sebelius backed off of more aggressive enforcement because they recognized that without cooperation from doctors and patients, EHRs are certain to fail – mandate or no mandate. Nevertheless, it has proven to be far too easy for stakeholders who cannot be held accountable to patients, to marginalize their needs.
Example
Rodriguez did his best to appease all sides. For example, it was under his watch that the name of the HHS website listing breaches of 500 or more patients’ identities was changed from “Wall of Shame” to the more benign “HHS Breach Reporting Tool.”
For hapless providers whose data breaches were unavoidable, the name change eliminates some of the shame associated with being nationally recognized as a careless doctor who cannot keep thieves from stealing patients’ identities.
Assessment
As long as there is nothing holding down the cost and liability of HIPAA compliance, there will always be room for more regulation, and the cost of healthcare will never be cheaper.
Conclusion
Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.
Are Patient Privacy Laws Being Misused to Protect Medical Centers?
HIPAA has been cited to scold a mom taking a picture of her son in a hospital, to keep information away from police investigating a possible rape at a nursing home, and to threaten VA whistleblowers.
http://www.propublica.org/article/who-do-federal-privacy-laws-protect-patients-or-medical-centers?utm_source=et&utm_medium=email&utm_campaign=dailynewsletter
Bruce
Are you audit-proof yet, Doc?
“Are your HIPAA ducks in a row? The next round of OCR HIPAA audits is approaching,” by Beau Patterson for JDSupra.com, July 28, 2014.
http://www.jdsupra.com/legalnews/are-your-hipaa-ducks-in-a-row-the-next-31827/
Timeline for Audits
- OCR will begin sending audit notification and data request letters beginning later this summer and into early fall.
- Covered entities and business associates will have two weeks following receipt to respond to the initial data requests. OCR will not consider data submitted late.
- OCR will conduct audits remotely through “desk audits.” Desk audits will be made using an updated audit protocol which OCR has not yet made available.
- Audit participants will not have an opportunity to provide clarifications or supplemental information after responding to the initial data request.
- Within 60 days following their submissions, audit participants will be presented with a draft version of OCR’s final report for review prior to publication.
———————————-
Miss paper yet? Give it time. You will.
D. Kellus Pruitt DDS
USDHS – Hacked?
A company that performs background checks for the U.S. Department of Homeland Security just reported it was the victim of a cyber attack, saying that “it has all the markings of a state-sponsored attack.”
http://news.msn.com/science-technology/us-homeland-security-contractor-reports-computer-breach
So, where is the sheriff?
http://www.medicalpracticeinsider.com/news/8-areas-insure-against-cyber-threats?email=MARCINKOADVISORS@MSN.COM&GroupID=90115
Ann Miller RN MHA
“OCR Fines Are the Least of Your Worries”
I was warning doctors about data breaches’ damaging effects on reputations before it was cool.
“OCR Fines Are the Least of Your Worries in a HIPAA Related Breach – Lost patient records sparks negative publicity. Take Phoenix Cardiac Surgery (PCS) for example. The Arizona medical practice with five physicians got slapped with a $100,000 fine for a HIPAA breach in 2012. A current search on Google returns the practice’s website plus 28 links to negative news stories related to the HIPAA fine. The consequences? A patient searching a referred cardiac surgeon from PCS finds the negative publicity and decides to continue searching for another surgeon. Or, an existing patient of PCS decides to look for another medical practice that takes every measure to safeguard his privacy.” – Guest blog post on EMR & HIPAA, by Art Gross, Founder of HIPAA Secure Now! (EMR & HIPAA discloses that HIPAA Secure Now! advertises with the publication).
http://www.emrandhipaa.com/guest/2014/08/27/ocr-fines-are-the-least-of-your-worries-in-a-hipaa-related-breach/
Art Gross’ claims are supported by related findings of a 2012 study by the National Cyber Security Alliance: “60 percent of small firms go out of business within six months of [reporting] a data breach.” – White Paper posted by FireEye security.
https://www2.fireeye.com/smb_five_reasons_wp.html
Nobody can deny that there is a tangible limit to the amount of liability the EHR market will tolerate before vulnerable HIPAA-covered entities reject the technology – mandate or no. For all we know, that threshold might have already been exceeded. I would place a sporting wager that a data breach even larger than Community Health Systems’ loss of 4.5 million patient records has occurred since the CHS breach was reported two weeks ago on August 17. If my guess is correct, and the monster breach is lawfully reported to HHS, the details should appear on the HHS Wall of Shame in 60 days – the deadline for notifying soon-to-be former patients.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
For all we know, if such a breach has occurred, the victims’ social security numbers and other personal information may already be available on the internet. It’s only a matter of time, Doc. Someone in healthcare needs to grab some courage and open a conversation. Where is leadership?
D. Kellus Pruitt DDS
HIPAA compliance and small practices
If you are HIPAA compliant, Doc, you are one of the few.
Survey: With HIPAA audits looming, small practices far from compliant – ATLANTA, Dec. 3rd, 2014 PRNewswire
“NueMD in partnership with Porter Research and The Daniel Brown Law Group, today announced the results of its recent survey on HIPAA compliance within small practices and billing companies. The survey of more than 1,100 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act (HIPAA).”
http://insurancenewsnet.com/oarticle/2014/12/03/survey-with-hipaa-audits-looming-small-practices-far-from-compliant-a-575693.html#.VH9g4zHF9yQ
The survey found:
– 66% of respondents were unaware of HIPAA audits
– 35% of respondents said their business has conducted a HIPAA-required risk analysis
– 34% of owners, managers, and administrators reported that they were “very confident” that their electronic devices that contain PHI were HIPAA compliant
– 24% of managers, owners, and administrators at medical practices reported that they’ve evaluated all of their Business Associate Agreements
– 56% of office staff and (non-owner) care providers at practices said they’ve received HIPAA training in the last year
Darrell K. Pruitt DDS