
What Can We Learn About HIPAA From Phoenix Cardiac Surgery?

Phoenix Cardiac Surgery probably never thought they would be a poster child for HIPAA safeguards, but this 5-physician cardiothoracic practice in Prescott, Arizona has become famous for something no medical practice wants to be famous for – not protecting their patient information.

Today’s HHS Press Release reads as follows:

HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

What Can We Learn?

  1. You won’t escape the notice of the HHS just because you are a small practice. Every practice, hospital, facility, healthcare entity and anyone that has access to Protected Health Information (PHI) must be compliant with the HIPAA Privacy and Security Rules.
  2. Patients are paying attention and want their information protected! Patients will not hesitate to report a practice if they feel their privacy is being breached. Let your patients know that you take their privacy seriously and what you are doing in your entity to protect their privacy.
  3. Physicians are not exempt from responsibility. Most physicians do not want to use the hospital or practice network email – they want to use their personal Gmail, Yahoo, Hotmail or AOL account for office business. This is a bad habit. Emails to and from the physicians announcing meetings and reminding them of tasks are fine, but it is easy to forget and use personal email to hand off patients, discuss appointments and ask for refill approvals. Non-secured email services are NOT the right way to send any patient information.
  4. Understand your technology. This is why the risk assessment is so important – you must identify any process or technology you are currently using that has the potential for PHI to be accessed inappropriately. Understand and mitigate your risk!


Resources

Health Information Privacy for Small Providers, Small Health Plans, and other Small Businesses

Summary of the HIPAA Privacy Rule

Summary of the HIPAA Security Rule

There are lots of resources available from the AMA, your state medical society, your specialty society and MGMA. There are also a number of consultants specializing in this area.

Don’t forget to talk to your IT person – they should be looking after your best interests and helping you with privacy and security issues.

For practices looking for a secure place to share files and collaborate on documents with encrypted upload and download capability, please consider FileConnect, a product brought to you and supported by Manage My Practice. For more information, call Abraham at 919-370-0497 or email him at abe@managemypractice.com.




ICD-10 Compliance Date Will Be Revised Says Health and Human Services

As part of President Obama’s commitment to reducing regulatory burden, Health and Human Services Secretary Kathleen G Sebelius today announced that HHS will initiate a process to postpone the date by which certain health care entities have to comply with International Classification of Diseases, 10th Edition diagnosis and procedure codes (ICD-10).

The final rule adopting ICD-10 as a standard was published in January 2009 and set a compliance date of October 1, 2013 – a delay of two years from the compliance date initially specified in the 2008 proposed rule.  HHS will announce a new compliance date moving forward.

“ICD-10 codes are important to many positive improvements in our health care system,” said HHS Secretary Kathleen Sebelius.  “We have heard from many in the provider community who have concerns about the administrative burdens they face in the years ahead.  We are committing to work with the provider community to reexamine the pace at which HHS and the nation implement these important improvements to our health care system.”

ICD-10 codes provide more robust and specific data that will help improve patient care and enable the exchange of our health care data with that of the rest of the world that has long been using ICD-10.  Entities covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will be required to use the ICD-10 diagnostic and procedure codes.




The CMS Bundled Payment Initiative: Providers Can Apply to Participate in a Mini-ACO Initiative

Last week the U.S. Department of Health and Human Services (HHS) announced a new initiative to help improve care for patients while they are in the hospital and after they are discharged. Doctors, hospitals, and other health care providers can now apply to participate in a new program known as the Bundled Payments for Care Improvement initiative (Bundled Payments initiative). Made possible by the Affordable Care Act, it will align payments for services delivered across an episode of care, such as heart bypass or hip replacement, rather than paying for services separately.  Bundled payments will give doctors and hospitals new incentives to coordinate care, improve the quality of care and save money for Medicare.

“Patients don’t get care from just one person  – it takes a team, and this initiative will help ensure the team is working together,” said HHS Secretary Kathleen Sebelius.  “The Bundled Payments initiative will encourage doctors, nurses and specialists to coordinate care. It is a key part of our efforts to give patients better health, better care, and lower costs.”

Payment bundling is the future

In Medicare currently, hospitals, physicians and other clinicians who provide care for beneficiaries bill and are paid separately for their services.  This Centers for Medicare & Medicaid Services (CMS) initiative will bundle care for a package of services patients receive to treat a specific medical condition during a single hospital stay and/or recovery from that stay – this is known as an episode of care. By bundling payment across providers for multiple services, providers will have a greater incentive to coordinate and ensure continuity of care across settings, resulting in better care for patients.  Better coordinated care can reduce unnecessary duplication of services, reduce preventable medical errors, help patients heal without harm, and lower costs.

The Bundled Payments initiative is being launched by the new Center for Medicare and Medicaid Innovation (Innovation Center), which was created by the Affordable Care Act to carry out the critical task of finding new and better ways to provide and pay for health care to a growing population of Medicare and Medicaid beneficiaries.

Four bundled payment models

Released today, the Innovation Center’s Request for Applications (RFA) outlines four broad approaches to bundled payments.  Providers will have flexibility to determine which episodes of care and which services will be bundled together.  By giving providers the flexibility to determine which model of bundled payments works best for them, it will be easier for providers of different sizes and readiness to participate in this initiative.

Three models involve a retrospective bundled payment arrangement, and one model would pay providers prospectively.  Through the Bundled Payments initiative, providers have great flexibility in selecting conditions to bundle, developing the health care delivery structure, and determining how payments will be allocated among participating providers.

“This Bundled Payment initiative responds to the overwhelming calls from the hospital and physician communities for a flexible approach to patient care improvement,” said CMS Administrator Donald Berwick, M.D.  “All around the country, many of the leading health care institutions have already implemented these kinds of projects and seen positive results.”

Cost savings for Medicare and for patients

The Bundled Payments initiative is based on research and previous demonstration projects that suggest this approach has tremendous potential. For example, a Medicare heart bypass surgery bundled payment demonstration saved the program $42.3 million, or roughly 10 percent of expected costs, and saved patients $7.9 million in coinsurance while improving care and lowering hospital mortality.

“From a patient perspective, bundled payments make sense.  You want your doctors to collaborate more closely with your physical therapist, your pharmacist and your family caregivers.  But that sort of common sense practice is hard to achieve without a payment system that supports coordination over fragmentation and fosters the kinds of relationships we expect our health care providers to have,” said Dr. Berwick.

Letter of Intent to participate due in September

Organizations interested in applying to the Bundled Payments for Care Improvement initiative must submit a Letter of Intent (LOI) no later than September 22, 2011 for Model 1 and November 4, 2011 for Models 2, 3, and 4. For more information about the various models and the initiative itself, please see the Bundled Payments for Care Improvement initiative web site here.

Resources

Interested parties may obtain answers to specific questions by e-mailing CMS at BundledPayments@cms.hhs.gov.

This initiative is part of a broader effort by the Obama Administration to improve health, improve care, and lower costs. A brief summary of other efforts, including those authorized by the Affordable Care Act, can be found here.

For more information about the CMS Innovation Center click here.

Additional information:

HHS fact sheet

Federal Register Posting




The Affordable Care Act Leaps Into Social Media With Its Own Facebook Fan Page!

Health and Human Services Secretary Kathleen Sebelius today announced the launch of HealthCare.gov on Facebook: http://www.facebook.com/Healthcare.gov.

“HealthCare.gov on Facebook offers Facebook users a new tool to understand and stay informed about the Affordable Care Act,” said Secretary Kathleen Sebelius. “This new page is another resource that people can use to learn about and discuss health care issues that are important to them, their family, or their small business.”

HealthCare.gov on Facebook provides additional resources that allow consumers to take health care into their own hands.


HealthCare.gov on Facebook allows people to:

  • Search for insurance coverage using our “Insurance Finder” tool. The tool asks users to fill out two fields with basic information about themselves and the state they live in. Users are then redirected to a page on HealthCare.gov that continues with the insurance finder process based on the information provided.
  • Share thoughts and ideas with other members of the HealthCare.gov network.
  • Learn more about what the Affordable Care Act means for individuals, families, or small businesses.
  • Stay informed with new blog posts and webchats.

To join HealthCare.gov on Facebook visit http://www.facebook.com/Healthcare.gov, and click the “Like” button at the top of the page.

*Text from today’s press release




Forget January 3, 2011! PECOS Date Moved 6 Months Closer for Referring & Supplying Providers: New Date is July 6, 2010

NOTE: The date has been changed to July 5, 2011, and then delayed indefinitely.

************************************************************************************

Physicians and “eligible” providers received a jolt today in the May 5, 2010 Federal Register as the date for enrollment in PECOS was moved up (pending the comment period and any changes resulting from the comment period) six months for providers that order or supply durable medical equipment (DME) for Medicare patients.  Instead of the January 3, 2011 date previously announced by CMS, the Patient Protection and Affordable Care Act (Affordable Care Act or PPACA) has provisions to move the go-date to July 6, 2010, just 60 days away.

What does this mean to you? Unless something changes based on public comments, beginning July 6, 2010:

  1. Providers with a National Provider Identifier (NPI) must include it on their Medicare and Medicaid enrollment applications and claims.
  2. Providers of medical items/other items/services and suppliers that qualify for a National Provider Identifier (NPI) must include their NPI on all applications to enroll in the Medicare and Medicaid programs AND on all claims for payment submitted under the Medicare and Medicaid programs.
  3. The ordering/referring supplier must be a physician or an eligible professional with an approved enrollment record in the Provider Enrollment Chain and Ownership System (PECOS) thus changing the previously reported January 3, 2011 date given by CMS.
  4. Claims that do not meet these requirements will be rejected by Medicare contractors.

You can read the rule in its entirety here.

Want to read the comments on this interim final rule when they are published? Go here.