Category: Industry News

Mississippi Medical Center Hit with $2.75M Fine for Privacy Breach

From: The Hill – 7/25/16

The Department of Health and Human Services hit the University of Mississippi Medical Center (UMMC) with a $2.75 million fine over a health data breach, its second major privacy action in a week.

The HHS Office for Civil Rights (OCR) is penalizing UMMC for a series of alleged privacy and security violations of the Health Insurance Portability and Accountability Act, also known as HIPAA. The settlement relates to a password-protected laptop that went missing from the hospital’s intensive care unit in March 2013. After an investigation, the medical center determined the computer was likely stolen by a visitor who had asked to borrow it.

According to the Office for Civil Rights, the hospital’s network was easily accessed with a “generic” username and password, granting access to the protected health information of 10,000 patients. UMMC said the laptop was assigned to the unit, and while accessing the network required individual log-ins, accessing the patient record database did not.

The settlement also called for a three-year corrective action plan that addresses the deficiencies the agency found in its investigation. Specifically, officials alleged that the medical center failed to install physical safeguards for workstations containing protected data, failed to implement tracking features for users accessing electronic health information and failed to notify all individuals affected by the breaches. The medical center did not admit liability in the settlement.

In a statement, they admitted to some of the shortcomings but said that there is no evidence that any protected data were accessed.

“In the last several years, UMMC has initiated substantial improvements in its information security program,” the statement reads. “Among other initiatives, the Medical Center is requiring that all laptop computers have encryption software installed, restructured the role and reporting relationships of its Chief Information Security Officer, and brought in an outside firm for a complete assessment and overhaul of its IT security program.”

On July 18, the Office for Civil Rights settled another HIPAA case with Oregon Health & Science University (OHSU) for $2.7 million after four breaches in 2012 and 2013 compromised the data of more than 3,000 individuals. In those cases, two unencrypted laptops and one unencrypted thumb drive were lost or stolen. Government officials also said the hospital failed to implement a required security agreement with a cloud service provider where health data were stored.

The university agreed to a three-year corrective action plan to address the alleged shortcomings in its security procedures, but the hospital did not admit liability in the settlement. The university said there have been no reports that the data have been mishandled and that it had expanded computer encryption software across its network.

The recent string of settlements highlights the OCR’s intention to step up enforcement as health data breaches continue to make headlines. On June 29, OCR announced its first HIPAA settlement with a business associate, or contractor, that handles medical data for organizations like hospitals and insurance companies.

The fines come as the agency kicks off its highly anticipated second phase of HIPAA audits, after a long delay following its pilot program in 2012. On July 11, OCR notified 167 healthcare organizations — or covered entities, as they’re known under HIPAA — of their selection for the probe’s desk audit portion. The agency eventually plans to initiate on-site audits.


Many Well-Known Hospitals Fail to Score 5 Stars in Medicare’s New Rating

From: Kaiser Health News – 7/27/16

Article Excerpt:

The federal government released its first overall hospital quality rating on Wednesday, slapping average or below average scores on many of the nation’s best-known hospitals while awarding top scores to dozens of unheralded ones.

The Centers for Medicare & Medicaid Services rated 3,617 hospitals on a one- to five-star scale, angering the hospital industry, which has been pressing the Obama administration and Congress to block the ratings. Hospitals argue the ratings will make places that treat the toughest cases look bad, but Medicare has held firm, saying that consumers need a simple way to objectively gauge quality. Medicare does factor in the health of patients when comparing hospitals, though not as much as some hospitals would like.

Just 102 hospitals received the top rating of five stars, and few are those considered as the nation’s best by private ratings sources such as U.S. News & World Report or viewed as the most elite within the medical profession.

Medicare awarded five stars to relatively obscure hospitals and at least 40 hospitals that specialize in just a few types of surgery, such as knee replacements. There were more five-star hospitals in Lincoln, Neb., and La Jolla, Calif., than in New York City or Boston. Memorial Hermann Hospital System in Houston and Mayo Clinic in Rochester, Minn., were two of the nationally known hospitals getting five stars.

Medicare awarded the lowest rating of one star to 129 hospitals. Five hospitals in Washington, D.C., received just one star, including George Washington University Hospital and MedStar Georgetown University Hospital, both of which teach medical residents. Nine hospitals in Brooklyn, four hospitals in Las Vegas and three hospitals in Miami received only one star.

“Consumers can use this trustworthy program to compare hospitals side by side,” said Debra Ness, president of the National Partnership for Women & Families, a Washington nonprofit. “This is a huge step forward.”

Some premier medical centers received the second highest rating of four stars, including Stanford Health Care in California, Duke University Hospital in Durham, N.C., New York-Presbyterian Hospital and NYU Langone Medical Center in Manhattan, the Cleveland Clinic in Ohio, and Penn Presbyterian Medical Center in Philadelphia. In total, 927 hospitals received four stars.

Medicare gave its below average score of two-star ratings to 707 hospitals. They included the University of Virginia Medical Center in Charlottesville, Beth Israel Medical Center in Manhattan, North Shore University Hospital (now known as Northwell Health) in Manhasset, N.Y., Barnes-Jewish Hospital in St. Louis, Tufts Medical Center in Boston and MedStar Washington Hospital Center in D.C. Geisinger Medical Center in Danville, Pa., which is a favorite example for national health policy experts of a quality hospital, also received two stars.

Nearly half the hospitals — 1,752 — received an average rating of three stars. Another 1,042 hospitals were not rated, either because they did not have enough cases for the government to evaluate accurately, or, as with all Maryland hospitals, Medicare does not collect the necessary data.

Medicare based the star ratings on 64 individual measures that are published on its Hospital Compare website, including death and infection rates and patient reviews. Medicare noted that specialized and “cutting-edge care,” such as the latest techniques to battle cancer, are not reflected in the ratings.


AHA Faults CMS’s ‘short-sighted’ Policies on New Off-Campus PBDs

From: AHA News – 7/7/16

The AHA Wednesday expressed “extreme dismay” with the provisions for new off-campus hospital outpatient departments contained in the Centers for Medicare & Medicaid Services’ (CMS) outpatient prospective payment system (PPS) proposed rule for 2017.

“It appears that CMS is aiming to freeze the progress of hospital-based health care in its tracks,” AHA Executive Vice President Tom Nickels said of the regulations for new off-campus provider-based departments, or PBDs, contained in the agency’s July 6 proposed rule.

The rule proposes to implement the site-neutral provisions of Section 603 of the 2015 Bipartisan Budget Act. With the exception of dedicated emergency department services, the section requires services furnished in off-campus PBDs that began billing under outpatient PPS on or after Nov. 2, 2015 to no longer be paid under that outpatient payment system.

Instead these services would be paid under other applicable Part B payment systems beginning Jan. 1, 2017. CMS proposes that, in 2017, the physician fee schedule would be the applicable payment system for the site-neutral rates for the majority of services furnished in new off-campus PBDs.

CMS would pay physicians furnishing services in these departments at the higher “nonfacility” PFS rate. There would be no payment made directly to the hospital by Medicare. Existing off-campus PBDs that expand their services to include those in new clinical families would receive the site-neutral rate for those services.

In addition, any existing off-campus PBD that relocates after Nov. 2 would lose its excepted status and be subject to site-neutral payments. An existing off-campus PBD that undergoes a change of ownership would only maintain its excepted status if the new owner accepts the existing Medicare provider agreement from the prior owner.

“We are extremely dismayed by the short-sighted policies” in the proposed rule, Nickels said. He said the AHA will submit detailed comments to the agency urging it to revise “these misguided policies so that hospitals can continue to provide the highest quality health care to their communities.”

PPS update. In the rule, CMS proposed to update outpatient PPS rates by 1.55% in 2017 compared to 2016.

Meaningful use. As urged by the AHA, CMS proposes to offer greater flexibility in the meaningful use of electronic health records under the Medicare program by shortening the reporting period for 2016 from a full year to 90 days for all hospitals and physicians. CMS also proposes, beginning in 2017, to remove two measures for eligible hospitals and critical access hospitals – computerized provider order entry and clinical decision support – and reduce the requirements for patients to view, download and transmit their information from 5% to at least one patient.

Stage 3 of meaningful use would still be required by all hospitals in 2018. However, the thresholds for most measures would be reduced to the level required in Modified Stage 2.

Quality reporting. For the CY 2020 outpatient quality reporting program, CMS proposes seven new measures – hospital admissions and ED visits for outpatient chemotherapy patients, hospital visits following outpatient surgery, and five measures derived from a new Outpatient and Ambulatory Surgical Center Consumer Assessment of Healthcare Providers and Systems (OAS CAHPS) survey.

The OAS CAHPS is a 37-item survey intended to assess the experience of care for patients that have received surgeries and other procedures in HOPDs and ASCs. CMS would require OAS CAHPS data to be collected and submitted quarterly starting with visits on Jan. 1, 2018. CMS proposes the same measures from the OAS CAHPS for the CY 2020 ASC Quality Reporting Program.

Comments on the proposed rule are due Sept. 6.