
OCR Seeks FY2012 Budget Increase of $5.6M for HIPAA Compliance and Enforcement

Thursday, March 17, 2011

HealthLeaders reports that the Office of Civil Rights (OCR) is seeking an additional $5.6 million in its Fiscal Year 2012 budget proposal to fund its HIPAA compliance and enforcement activities.

The article also details the most current numbers on breaches reported to OCR. As of March 16 there have been 249 entities that have reported breaches affecting 500 or more individuals. To view the current data and details on reported breaches, go to the OCR Breaches Affecting 500 or More Individuals page.

OCR Imposes $4.3M Penalty for Violation of HIPAA/HITECH Privacy Rule

Tuesday, February 22, 2011

UNTIL TODAY, many health care providers questioned whether HHS and the Office of Civil Rights (OCR) would ever issue any significant penalties for violations of the HIPAA Privacy Rule. However, will OCR ever be able to collect the penalties?

Today, HHS Office of Civil Rights (OCR) announced a civil money penalty (CMP) of $4.3 million against Cignet Health of Prince George's County, MD for violating the HIPAA Privacy Rule. This is the first ever civil money penalty issued by OCR for a violation of the HIPAA Privacy Rule. It is significant not only because it is the first - but also because of the size of the penalty and the basis for the violation.

OCR issued a Notice of Final Determination on February 4, 2011, outlining the procedure for payment of the $4.3 million civil money penalty. The Notice of Final Determination also indicates that Cignet failed to request a hearing on the matter or reach settlement with OCR. Prior to the issuance of the final notice, OCR had issued a Notice of Proposed Determination on October 20, 2010, which details the basis for the penalty, details the findings of fact, grounds for violation of HIPAA, and calculation of the penalty amount.

The Notice of Proposed Determination indicates that Cignet violated HIPAA by failing to provide individuals access to their health information under 45 CFR 164.524 and failed to cooperate with an investigation under 45 CFR 160.310(b). The Notice states:

1. Failure to Provide Access (45 C.F.R. § 164.524). Cignet failed to provide 41 individuals listed in Attachment A timely access to obtain a copy of the protected health information about them in the designated record sets (medical records) maintained by Cignet. These failures constitute violations of 45 C.F.R. § 164.524. Cignet's failure to provide each individual with access constitutes a separate violation of 45 C.F.R. § 164.524, and each day that the violation continued (that is, from the date specified in column 5 of Attachment A until April 7, 2010) counts as a separate violation of 45 C.F.R. § 164.524.

2. Failure to Cooperate with an Investigation (45 C.F.R. § 160.310(b)). Cignet failed to cooperate with OCR's investigation of 27 complaints regarding Cignet's noncompliance described in paragraph 1 above. These failures to cooperate with an investigation constitute violations of 45 C.F.R. § 160.310(b). Cignet's failure to cooperate with OCR's investigation of each complaint constitutes a separate violation of 45 C.F.R. § 160.310(b), and each day that the violation continued (that is, from the date specified in column 7 of Attachment A until April 7, 2010) counts as a separate violation of 45 C.F.R. § 160.310(b). Each violation of 45 C.F.R. § 160.310(b) was due to Cignet's willful neglect of its obligation to comply with 45 C.F.R. § 160.310(b). Willful neglect means the conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. See 45 C.F.R. § 160.401.

The press release issued by HHS points out that the HIPAA Privacy Rule requires that health care providers must provide a patient with access to and/or a copy of their health information within 30 days (and no later than 60 days) after the patient requests such information. Further, the press release indicates that covered entities and business associates must uphold their responsibility to provide patients with access to their own health information.

Read the HHS Press Release and OCR Press Release. More details via the OCR's Resolution Agreement page. For more background on Cignet Health check out David Harlow's post at HealthBlawg, HIPAA CMP's: What's the point?

WVDHHR Transfers OHFLAC Staff and Operations to OIG

Monday, January 31, 2011

According to the West Virginia Department of Health and Human Resources (DHHR), the West Virginia Office of Health Facility Licensure and Certification (OHFLAC) will be transferred to the West Virginia Office of Inspector General (OIG) effective February 1, 2010. OHFLAC oversees the state and federal licensure and certification process in West Virginia for hospitals, critical access hospitals, behavioral health facilities, home health agencies, hospice agencies, ESRD services, and other health care services.

All personnel and positions currently assigned to OHFLAC will be administratively transferred. DHHR has stated that this action is to further enhance the integrity of the regulatory unit of the Department of Health and Human Resources.

Body Browser: Think Google Earth for the Human Body!

Friday, December 17, 2010

Yesterday Google released Body Browser. Think Google Earth for human anatomy.

Body Browser is described as a 3-dimensional multi-layered anatomical model of the human body that you can rotate, zoom in on, and search. More information about Body Browser is available in Google Labs.

Great to see Google developing this new tool that should be useful for educators, physicians, and others in the health care field. I can't wait to show this new tool to my kids.

Thanks to Brian Klepper over at Care and Cost for blogging about this new Google health tool.

Very cool!

West Virginia Connect

Sunday, December 12, 2010

Today's Charleston Gazette features an article on a new health care demonstration project, West Virginia Connect, funded by a $36 million federal Health Resources and Services Administration (HRSA) grant.

The article indicates that the funding will be for eight West Virginia primary care clinics to provide preventative care services to eligible health consumers for a flat $35 per month. The services will include unlimited doctor visits, immunizations and screenings, chronic disease management, and minor surgical procedures.

To be eligible to participate, a person must have a job, be between 19 and 64, and make less than $43,320 for a single person or $88,200 for a family of four. In return, participants have to let the state fold their medical data - blood pressure, blood sugar, etc. - into an anonymous 10,000-person database the state plans to use to make more informed choices as health-care reform unfolds.

The article indicates that the primary care centers involved say the project is intended to:

  • generate useful information about uninsured West Virginians and cost-effective ways to treat chronic diseases;
  • demonstrate lowered emergency room usage, hospital stays, and times when people don't show up for appointments;
  • develop an electronic patient tracking system other centers can use;
  • create a catalogue of best practices that help people take better care of their own health;
  • help the health system get ready for 2014, when hundreds of thousands will be newly insured through federal reform.

This is the first I have heard about this demonstration project. Other than this Grantee Project Abstract at the HRSA website, I was unable to find any additional information or links about the demonstration project online. The article indicates that the project is currently governed by a steering committee of the DHHR secretary, insurance commissioner, and director of the GO HELP office.

West Virginia PEIA: Innovative Steps to Improve Long Term Health of West Virginia

Sunday, December 5, 2010

This past week the West Virginia Public Employees Insurance Agency (PEIA) announced a creative and proactive health initiative to improve the health of West Virginians and move toward keeping future health care costs down for state and public school employees and ultimately for West Virginia taxpayers. Charleston Gazette's Phil Kabler reports on the initiative in "PEIA insurees can offset premiums increase."

The Improve Your Score initiative is a part of PEIA's Pathways to Wellness. PEIA announced that state and public school employees will have no health care premium increase this year if they comply with two requirements. The two requirements:

  • Undergo a four-step wellness screening to measure waist circumference, total cholesterol, blood pressure, and blood glucose. Completion of the screening provides a $10-a-month premium discount.
  • Submit an affidavit verifying they have filed an advanced directive for end-of-life care, sometimes called a "living will." That provides an additional $4-a-month discount.

Wonderful to see West Virginia, often more known nationally for unhealthy news, taking a proactive approach to improving West Virginians' health by promoting a wellness activity and encouraging end of life care planning. Both initiatives will help to curb the long term impact on our state's health care cost problems and help West Virginians become more active in understanding and managing their (un)healthy problems.

WVHIN: Public Comment Period on Proposed Privacy and Security Policies

Thursday, December 2, 2010

The West Virginia Health Information Network (WVHIN), West Virginia's health information exchange, has issued proposed privacy and security policies and is seeking public comments on the proposed policies from December 3, 2010 through January 3, 2011. The WVHIN is a public/private partnership created in 2006 under W.Va. Code 16-29G-1 et seq. and is charged with building a secure electronic health information system for the exchange of patient data among physicians, hospitals, diagnostic laboratories, other care providers, and other stakeholders.

The proposed privacy and security policies that are available for review and comment are as follows:

  • Patient Consent - General
  • Patient Consent - Permissible Purpose
  • Patient Consent - Sensitive Health Information
  • User Authorization
  • User Authentication
  • Patient Amendment of Protected Health Information
  • Patient Access to Protected Health Information
  • Minimum Necessary
  • Breach Notification

Pursuant to a press release from the WVHIN on the proposed privacy and security policies:

“WVHIN has been developing our core privacy and security policies that will guide us in our initial health information exchange implementation and pilot for 2011. We expect to have changes to the policies as a result of learning how to improve our operations through testing in the pilot period.”

“The policies have been developed over the past few months by the WVHIN Privacy and Security Committee and legal counsel, and are based upon an established WVHIN Privacy Framework and national best practices recommendations in Health Information Exchange (HIE). The committee is made up of stakeholder organizations including provider groups, state government, and consumer groups. The committee followed a cycle of reviewing and vetting the policies that have resulted in our drafts.”

“We have established a public comment period for the draft policies and would like to invite any member of the public to comment on these policies. Thus, we would like to request your assistance in forwarding this e-mail to any parties you may feel would like to comment on the policies. We welcome all feedback”, according to Business Development Manager Samantha Stamper.

Written comments on the proposed privacy and security policies may be submitted to Samantha Stamper, Business Development Manager, by January 3, 2011 at sstamper@wvhin.org.

Thanksgiving 2010: Will You Engage With Grace?

Thursday, November 25, 2010

Will You Engage with Grace this Thanksgiving weekend? I hope so.

For the third year running I am participating in the Thanksgiving holiday Engage with Grace Blog Rally, a viral effort to communicate the importance of having a conversation with your family and loved ones around end of life care wishes. Would you prefer to die in a hospital, or at home? Can your family correctly describe how you would want to be treated in the case of a terminal illness or sudden traumatic accident? Does your family know where you keep your living will and advanced directive?

At the heart of Engage With Grace are five questions designed to get the conversation about end-of-life started. They’re not easy questions, but they are important. The key is having the conversation before it’s too late. Throughout the year I continue to promote the Engage with Grace effort (and so can you) by using the One Slide (see the slide below) at the end of my PowerPoint presentations.

So in the spirit of the upcoming Thanksgiving weekend, take time after your dinner, turn off the TV, and take time with your family and friends to engage in the Engage with Grace conversation. 

Thanks to Alexandra Drane, Paul Levy, and many other health care bloggers and professionals for continuing to inspire and share the Engage with Grace message. Learn more about Engage with Grace and the One Slide Project at http://www.engagewithgrace.org.

Some other resources you may want to read and explore:

  • My 2008 Engage with Grace Blog post where I shared how Alexandra Drane's talk at the 2008 Health 2.0 Conference personally touched me because of my experience as a young 12-year-old boy who lost his mother to cancer who was allowed to die at home surrounded by her husband and family.

AMA Issues New Policy To Guide Physicians’ Use of Social Media

Tuesday, November 9, 2010

Today the American Medical Association announced that it has adopted and issued a new policy offering guidance to physicians on the use of social media. The new policy focuses on helping physicians to "maintain a positive online presence and preserve the integrity of the patient-physician relationship."

The press release indicates that the policy encourages physicians to:

  • Use privacy settings to safeguard personal information and content to the fullest extent possible on social networking sites.
  • Routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and content posted about them by others, is accurate and appropriate.
  • Maintain appropriate boundaries of the patient-physician relationship when interacting with patients online and ensure patient privacy and confidentiality is maintained.
  • Consider separating personal and professional content online.
  • Recognize that actions online and content posted can negatively affect their reputations among patients and colleagues, and may even have consequences for their medical careers.

UPDATE (11/10/10): Below is a copy of the complete AMA Policy on Professionalism in the Use of Social Media that Jane Sarasohn-Kahn obtained from Katherine Hatwell, AMA Media Relations.

AMA POLICY: PROFESSIONALISM IN THE USE OF SOCIAL MEDIA

The Internet has created the ability for medical students and physicians to communicate and share information quickly and to reach millions of people easily. Participating in social networking and other similar Internet opportunities can support physicians’ personal expression, enable individual physicians to have a professional presence online, foster collegiality and camaraderie within the profession, provide opportunity to widely disseminate public health messages and other health communication. Social networks, blogs, and other forms of communication online also create new challenges to the patient-physician relationship. Physicians should weigh a number of considerations when maintaining a presence online:

(a) Physicians should be cognizant of standards of patient privacy and confidentiality that must be maintained in all environments, including online, and must refrain from posting identifiable patient information online.

(b) When using the Internet for social networking, physicians should use privacy settings to safeguard personal information and content to the extent possible, but should realize that privacy settings are not absolute and that once on the Internet, content is likely there permanently. Thus, physicians should routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and, to the extent possible, content posted about them by others, is accurate and appropriate.

(c) If they interact with patients on the Internet, physicians must maintain appropriate boundaries of the patient-physician relationship in accordance with professional ethical guidelines, just as they would in any other context.

(d) To maintain appropriate professional boundaries physicians should consider separating personal and professional content online.

(e) When physicians see content posted by colleagues that appears unprofessional they have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or take other appropriate actions. If the behavior significantly violates professional norms and the individual does not take appropriate action to resolve the situation, the physician should report the matter to appropriate authorities.

(f) Physicians must recognize that actions online and content posted may negatively affect their reputations among patients and colleagues, may have consequences for their medical careers (particularly for physicians-in-training and medical students), and can undermine public trust in the medical profession.