Health Information Compliance Alert

Enforcement News:

New Settlement Highlights That Privacy Remains an OCR Issue

Plus: A new offering from CMS helps practices with the technical side of MACRA.

HIPAA breaches that expose ePHI and violate the Security Rule have dominated the news over the past year, garnering huge financial penalties. But last month the OCR took action against a hospital system for disclosing a patient’s PHI to his employer via fax, resulting in a hefty settlement for the privacy violation.

The Spencer Cox Center for Health, now called the Institute for Advanced Medicine, is run by the St. Luke’s-Roosevelt Hospital Center, Inc. in New York and provides healthcare to chronic care patients, particularly those dealing with HIV and AIDS.

In 2014, an employee at Spencer Cox Center disclosed the private information of a patient that “included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse,” sending it by fax to the patient’s employer instead of to a personal post office box, as requested, said an HHS-OCR release from May 23, 2017. The OCR did not take the loss of such sensitive PHI lightly, and fined St. Luke’s $387,000 for the HIPAA violation.

“Individuals cannot trust in a healthcare system that does not appropriately safeguard their most sensitive PHI,” said Roger Severino, OCR director. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.”

During its investigation, the OCR uncovered another incident of impermissible disclosure of PHI. St. Luke’s has agreed to a Corrective Action Plan as it resolves its HIPAA issues.

In regard to the large settlement for the solitary breach, Severino weighed in on the severity. “In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements,” he warned in the release.

To take a look at the HHS-OCR release, visit https://www.hhs.gov/about/news/2017/05/23/careless-handling-hiv-information-costs-entity.html.

In other news …

With the online tool to uncover your Merit-Based Incentive Payment System (MIPS) status up and running, you can now discover whether you’re in or out of the new Medicare reimbursement program. But, if the transition from one reimbursement model to another has you in a quandary, CMS wants to alleviate your stress with some technical assistance.

CMS understands that many are still in the dark about Medicare’s new payment system and has assembled on-the-ground support and resources for both small, rural, and underserved practices and larger group practices with more than 15 eligible clinicians. The Quality Payment Program (QPP) Technical Assistance Resource Guide endeavors to make the transition for Medicare Part B providers from the Sustainable Growth Rate (SGR) fee-for-service system to the new value-based, quality-focused plan under MACRA painless and efficient.

“We’re offering support to help you successfully participate in the Quality Payment Program, in either the Merit-based Incentive Payment System (MIPS) or the Advanced Alternative Payment Model (APM) track,” the Technical Assistance Resource Guide fact sheet states. “This support is from on-the-ground organizations and resources that you can get for free right away.”

The guidance suggests that education and assistance will go to smaller and rural practices first with touch points available by region. Currently, 11 organizations across the nation are there to support providers struggling with the changes and demands of reporting the new measures.

For bigger groups of 15 or more, the Quality Innovation Network-Quality Improvement Organizations (QIN-QIO) offers tech support.

For more information about the QPP and this new technical-advice initiative, visit: https://qpp.cms.gov/docs/QPP_Technical_Assistance_Resource_Guide.pdf.