Eagle Consulting Blog

Small Physician Practice Settles HIPAA Complaint for $100,000

Phoenix Cardiac Surgery, PC, a small physician practice, settled a HIPAA privacy and security complaint for $100,000 and agreed to a Corrective Action Plan. The settlement agreement (in which the practice does not admit liability) is the culmination of an investigation that found minimal compliance with HIPAA Privacy and Security.

This five-physician practice, with two locations in Arizona, is owned by Pierre R. Tibi, M.D. and H. Kenith Fang, M.D. Based on a review of their website, these physicians are well regarded in their community and each has authored multiple research publications.

The HHS investigation stems from a 2009 complaint that the practice posted its surgery schedule on a publicly accessible, Internet-based calendar. On February 19, 2009, just days before the new, stiffer HIPAA penalties went into effect, the Department of Health and Human Services Office for Civil Rights (“OCR”) notified the practice of the complaint and started its investigation.


Risk Analysis – Probability of Smartphone loss/theft

In this latest installment about risk analysis we continue the difficult quest to quantify the risk of a data breach. Hospitals and physician practices are conducting computer security risk analyses for HIPAA compliance and for meaningful use (per HIPAA Security 45 CFR 164.308(a)(1)) and must assess the threats and their likelihood of occurrence.

Today the Wall Street Journal reports a cooperative effort of the FCC, Verizon, AT&T, Sprint and T-Mobile to develop a national database of stolen cell phones in response to an “explosion of thefts” nationwide. The article cites an internal NYC police department report indicating 21,000 incidents of mobile phone theft in the first 10 months of 2011. Based on a number of assumptions, this would represent roughly a 1% chance of theft per person per year. This presumably is based on police reports of theft.


Risk Analysis – Quantifying Risk and Impact – Part 2

Hospitals and physician practices conducting computer security risk analyses for HIPAA compliance and for meaningful use (per HIPAA Security 45 CFR 164.308(a)(1)) must assess the threats and their likelihood of occurrence. Because most breaches are never reported, accurate information on likelihood of occurrence is difficult to come by. Another study was recently published, by identity and access intelligence vendor Veriphyr. While this is a small study, the results are instructive.


A Tale of Two Presidents – Lessons for ACOs

OK, Dick Cheney wasn’t president but was a heartbeat away. Both Dick Cheney and another former leader, Bill Clinton, have been in the news recently as a result of their heart conditions. Their previous histories of heart treatments have been widely reported in the media. What lessons do these contrasting stories have for ACOs?

Vice President Cheney displays the external battery pack for his surgically implanted pump

A slimmed-down and symptom-free Bill Clinton now enjoys his plant-based, whole foods diet


Age | Vice President Cheney | President Clinton
37 | 1st heart attack |
43 | 2nd heart attack |
47 | 3rd heart attack | Hillary Clinton recruits famous lifestyle medicine physician Dean Ornish, MD to improve the health of White House food.
58 | | Chest pain, shortness of breath, 90% arterial blockage. Quadruple bypass.
59 | 4th heart attack. Quadruple bypass. | Surgery to address a complication from last year’s quadruple bypass.
60 | Chest pain. Angioplasty. Pacemaker. Implantable defibrillator. |
64 | | Two stents inserted. Two months later, the grafted arteries are re-clogged. After personal research, begins the whole foods, plant-based diet espoused by Caldwell Esselstyn, Jr., MD. This diet is similar to Ornish’s heart disease reversal diet.
66 | Episode of atrial fibrillation | Bill Clinton has maintained his lifestyle change for two years, is free of heart disease symptoms, has returned to his high school weight, reports more energy, and through his foundation advocates for healthier lifestyles among all generations.
67 | Procedure to replace heart monitor |
69 | 5th heart attack; surgery to implant a pump to support his weakened heart |
71 | Heart transplant |


Lesson 1. Heart disease remains a deadly and costly condition among the Medicare population. Coronary artery disease often involves multiple costly interventions over the life of a patient.

Lesson 2. A significant body of peer-reviewed medical literature exists that demonstrates that lifestyle interventions can reverse coronary artery disease. This research can be found by anyone who looks. The specific interventions are well documented and supported with over 20 years of history.

Lesson 3. Achieving behavior change among patients is difficult. Of course, we all knew that already. It was widely reported that Bill Clinton enjoyed junk food. Clinton was first introduced to Ornish’s diet in 1993; it took him 17 years and multiple heart procedures to embrace this lifestyle change.

Lesson 4. Teachable moments exist. Clinton’s came in the spring of 2010. Two months after two stents were inserted, Clinton reported that he was discouraged when his new bypasses were re-clogged again. He wanted to live to be a grandparent. He conducted his own research and began Esselstyn’s heart disease arrest and reversal diet. These teachable moments exist with many patients. If the ACO can re-engineer its delivery system to detect and intervene appropriately at these teachable moments, the health system can succeed in empowering patients with radical lifestyle changes that improve health, reduce costs and increase profits.

This author thanks both of these men for their many years of public service and wishes both of them good health in the future.


Risk Assessment: Quantifying Risk and Impact

HIPAA covered entities, including hospitals and physicians who are implementing electronic records with hopes of attaining Meaningful Use and qualifying for federal incentives, are performing a computer security risk analysis, or risk assessment. Conducting regular risk assessments has been a requirement of HIPAA since 2005. However, many organizations have been weak in their compliance. Organizations have additional incentive to comply now, since the meaningful use requirement of conducting a risk analysis per 45 CFR 164.308(a)(1) [the HIPAA Security Risk Analysis requirement] is necessary to earn significant incentive payments. While HIPAA does not prescribe the method or format for this analysis, all methods share the requirement to 1) quantify risk levels, and 2) estimate the impact of availability, integrity or confidentiality failures. A recent study by the Ponemon Institute provides some help for both of these requirements.


Risk Assessment: Forget the PHI, they want your money

The computer security risk assessment mandated by HIPAA in 45 CFR 164.308(a)(1), and also the Meaningful Use regulations, is focused on protecting the availability, integrity, and confidentiality of Protected Health Information (PHI).

There is another risk: theft of your money using your online banking credentials.


Securing your Home Wi-Fi Network

Virtually everyone has a home Wi-Fi network. It provides convenient access for laptops, smartphones, tablets and gaming devices. How do you protect yourself?

Administration Account. The first step is to secure the administration account for your wireless router or wireless access point. Change the factory admin account name, and use a strong password (at least 8 characters with upper case letters, lower case letters, and digits). Disable remote access, that is, set it up so that it must be administered from a computer connected directly with an Ethernet cable. Don’t forget the password!


45 CFR 164.308(a)(1), 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3) Explained

The Meaningful Use rules, part of the HITECH Act, specify the requirements for physicians and hospitals to receive their portion of $32 billion in federal health information technology incentives. Those rules include many legal citations that are unfamiliar to many readers. These citations are explained in this post.


Wake-up Call for Business Associates – Comply with HIPAA Now

Last month Minnesota Attorney General Lori Swanson filed suit against Accretive Health, Inc., a company which provides revenue cycle management services for two Minnesota health systems, Fairview Health Services and North Memorial Health Care. According to the complaint, a laptop computer with sensitive information on 23,500 patients was stolen from a rental car. Eight violations of the HIPAA Security Rule are alleged. The state seeks statutory damages and payment of its legal costs.

HIPAA Business Associates and advisors alike have noted that the federal Department of HHS has not yet finalized the HIPAA changes enacted in the HITECH Act, signed on February 17, 2009. However, the HITECH statute is clear that Business Associates would be regulated by HIPAA one year later, on February 17, 2010. Further, HITECH empowered state attorneys general to enforce HIPAA.


First OCR HIPAA Audits Underway

Adam Greene, JD, MPH, a former regulator in HHS, recently shared details about the random audit program begun by the HHS Office for Civil Rights (OCR). The audit targets are selected using stratified random samples based on a database of covered entities created by consulting firm Booz Allen Hamilton for OCR. Four categories of organizations were created:
