Stanford Hospital & Clinics Pay $4 Million for privacy offense

Practice, clinics an hospital not only have to worry about HIPAA laws at a federal level but they need to take into account the state privacy laws that can cost them as well!

In California, the law requires that medical providers maintain their patients’ medical information confidential and prohibits the disclosure of such information without a patient’s written authorization.

Stanford Hospital and Clinics has had 5 big HIPAA breaches in the last 3 years compromising the protected health information of more than 92,000 patients.  Four of the breaches involved the theft of unencrypted company laptops.   It would have been much better if this was merely property losses as opposed to data losses. They may now be required to pay a $4.1 million class action settlement after violating California’s medical privacy law.

The settlement was given approval last week by Los Angeles County Superior Court Judge Elihu Berle from a 2010 incident when Stanford notified 20,000 of its patients that their protected health information was wrongfully posted to a student website. The information was posted on a public website  for almost a year included medical diagnoses and patient names.

In September 2011, Shana Springer, a patient, filed a $20 million class action lawsuit against Stanford and its business associate Multi-Specialty Collection Services for violating California’s Confidentiality of Medical Information Act.

When Stanford Hospital and Clinics notified patients, it claimed it had sent Multi-Specialty Collections services encrypted patient information for “permissible business purposes,” making the company “responsible by law and contract for protecting all patient information provided to it for its services.”

HIPAA-covered entities and business associates have paid over $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year which does not include the state and private legal settlements.

2014 Hardship Exemptions

The hardship exception rule in the Meaningful EHR Incentive Program has allowed for relief to some providers and hospitals to apply for exceptions to anticipated penalties if their EHR vendor did not obtain EHR certification for 2014.

Since some vendors did not have the time or resources to get their product 2014 certified the additional flexibility has been put in the exception rule i

There are a couple stipulations to this flexibility in the hardship exception rule:

  • The application can only be submitted for 2014.
  • CMS is said you may apply for the exception.  This will not guarantee not that you will get the exception.  CMS will determine if you will receive the exception on a case by case basis.
Providers and hospitals should be encouraged to do everything in their power to get the certified EHR technology implemented and meet meaningful use in 2014.  However, if things are running close I would encourage eligible providers and hospitals to apply for the hardship exemption if it looks like they are going to run into into implementation and workflow issues.

If you have any further questions or need additional help regarding Hardship exemptions, EHR and Practice Management selection, contract negotiations, project management, implementation, EHR training, EHR optimization, EHR template customization, Meaningful Use Gap Analysis, Meaningful Use Attestation, HIPPA Privacy/Security Assessments and Mitigation Plans, EHR Safety, and Meaningful Use Audits please contact Vanessa Bisceglie at 847-322-0139, 1-800-376-0212, or

Vanessa Rose Bisceglie, President, EHR & Practice Management Consultants, Inc.

2015 EHR Certification

The Office of the National Coordinator is looking to create an EHR certification system for 2015 that would be guided by more responses from feedback by stakeholders. The 2015 certification will incorporate “bug fixes” to make 2014 certification rules “clearer and easier to implement,” and “reference newer standards and implementation specifications.”

The end goal of the 2015 certification will be to promote innovation and enhancing interoperability.  The 2015 certification system would be voluntary.

It is not expected a majority of EHR technology developers will seek testing and certification to the 2015 Edition.  However, if the new certification meets its objectives, eligible providers would have additional choices with “updated capabilities, standards, and implementation guides.”

Among some of the proposed changes are the following:

  • Separate EHR “content” and “transport” capabilities,
  • “View, download, transmit to 3rd party” criteria,
  • Expand health information exchange services by making it easier for patients to choose where they want to send their personal health information.
  • Streamlining “bug fixes”

“(W)e have determined that it would best support industry interoperability approaches and provider choices for electronic exchange services if we permitted ‘data content’ capabilities to be tested and certified separately from ‘data transmission’ capabilities,” ONC regulators wrote.

If you have other questions regarding EHRs, Practice Management Systems, Portals, and other related topics please contact EHR & Practice Management Consultants, Inc.( at 800-376-0212 or

EHNAC will accredit Practice Management Systems

Electronic Healthcare Network Accreditation Commission is aligned with the Workgroup for Electronic Data Interchange to create the Practice Management Systems Accreditation Program.

PMSAP is designed as a common baseline for Affordable Care Act requirements, HIPAA, privacy and security, best practices, business processes and performance.

I anticipate that accreditation of these practice management systems will be an invaluable tool that can assist practices in the product selection process, and then in optimizing their solutions to access meaningful data.”

Additionally, there will be an ICD-10 component as well. While the ICD-10 portion won’t involve formal testing, the self-attestation will verify that vendors have plans to upgrade their software for the new code set.

Additionally, if you need a qualified practice management IT consultant to help you further down select which is the best system for your practice, clinic, or billing firm we have a 11 years of experience of helping you select and negotiate the best contract for your practice management system.  Please contact Vanessa Bisceglie at EHR & Practice Management Consultants, Inc. for additional assistance at 800-376-0212 ext. 1, 847-322-0139 or email us at


To meet Meaningful Use measures for Stage 1 and Stage 2 Eligible Professionals (EPs) and Eligible Hospitals (EHs) must register their intent to submit data within the first 60 days of their selected reporting period to the Illinois Department of Public Health (IDPH).
IDPH, as the Public Health Authority (PHA), is tasked with registering EPs and EHs that intend to submit data to IDPH in fulfillment of Meaningful Use Requirements.

EP Stage 1,   EP Stage 2,   EH Stage 1,   EH Stage 2

This registration system will collect the required information for your facility and will inform IDPH of your request to test, validate and submit production-level data for core and optional Public Health Meaningful Use objectives.

A Critical Software Update for Apple iOS

A very serious security flaw has been discovered in Apple’s iOS operating system.  This flaw impacts all iPhones and iPads.  If you use one of these devices, you should immediately apply a critical software update that Apple released over the weekend.
To apply this update, go to your Settings app, click General then Software Update then click Download and Install and follow the instructions.  You will need to be connected to WiFi to apply this update.

The security issue involves a flaw that will expose communications that should be encrypted, like e-mail and certain other types of messaging.  We recommend that all users of iPhones and iPads apply this update without delay.  Please share this improtant information with your teams.

Former Hospital CFO Charged with Healthcare Fraud by Falsely Attesting for Meaningful Use Incentives

Eligible Professionals (EPs) and Eligible Hospitals (EHs) could easily lead to errors in meaningful use (MU) attestations. If audited these errors would turn up based on pre- and post-payment attestations and separate the knowledge gaps from willful actions.

As for looking at this case a grand jury indictment is not evidence of guilt, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.” For the details of the indictment we have the FBI to thank:

“Joe White, 66, of Cameron, Texas, was indicted by a federal grand jury on January 22, 2014, and charged with making false statements to the Centers for Medicare and Medicaid Services (CMS) and aggravated identity theft.”

“According to the indictment, on November 20, 2012, White falsely attested to CMS that Shelby Regional Medical Center (Shelby Regional) met the meaningful use requirements for the 2012 fiscal year. However, Shelby Regional relied on paper records throughout the fiscal year and only minimally used electronic health records. To give the false appearance that the hospital was actually using Certified Electronic Health Record Technology, White directed its software vendor and hospital employees to manually input data from paper records into the electronic health record (EHR) software, often months after the patient was discharged and after the end of the fiscal year.”

“The indictment further alleges that White falsely attested to the hospital’s meaningful use by using another person’s name and information without that individual’s consent or authorization. As a result of the false attestation, CMS paid Shelby Regional $785,655. In total, hospitals operated by Dr. Mahmood, including Shelby Regional, were paid $16,794,462.66 by the Medicaid and Medicare EHR incentive programs for fiscal years 2011 and 2012.”

“If convicted, White faces up to five years in federal prison for making a false statement and up to two years in federal prison for aggravated identity theft.”

As more and more federal stimulus money is made available to providers to adopt Electronic Health Record systems and meaningfully use them our firm is expecting to see many more cases like this case.

If you need help with a Meaningful Use Audit, Meaningful Use Appeal,  Mock Audit or Have Questions on Attesting for Meaningful Use we would be happy to help you to avoid these pitfalls.  Feel free to contact Vanessa Bisceglie MBA, B.S. with EHR & Practice Management Consultants, Inc.  at 800-376-0212 or email her at

For 2014 eRX Events You No Longer Need to Report G-codes (G8553)

Did you know that 2013 was the final program year for participating and reporting in the Medicare Electronic Prescribing (eRx) Incentive Program?

The 6-month 2014 eRx payment adjustment reporting period, which began on January 1, 2013 and ended on June 30, 2013, was the final reporting period to avoid the 2014 eRx payment adjustment. You do not need to report G-codes (G8553) for 2014 eRx events.

Thinking Outside the Box: Combining Sexual Health and Portals

Considering there are Roughly 330 million people in this country there are 110 million sexually transmitted infections (STIs) among men and women with 20 million new STIs reported each year.  The CDC calculates the costs to patients and our country each year to be at 16 billion annually.

Additionally, City health departments in Maryland are seeing local repercussions, too. 40% of people tested for STIs at the Baltimore Department of Health’s clinics don’t receive their results because they don’t come back for their test outcomes. Therefore, some of these patients will never find out they have an STI and will not receive treatment and risk the safety of their sexual partner.

Private Results, an online, open-source STI test results delivery system created by the folks at Sexual Health Innovations.

Jessica Ladd, Founder, who has worked in sexual health for the past 10 years, said Private Results acts as a patient portal, but a more holistic, personalized one compared to many portals today.

Jessica Ladd as well as many other people who use patient portals to day to receive lab results believe that they should not just deliver results but be powerful educational tools to help them protect their own health.

When logged in to Private Results it provides an individual where and when to be re-screened for STIs, choose to receive text or email screening reminders and find the closest place to buy condoms.

Individuals who were tested for an STI are given a card containing portal login information from their local clinic. They can then login to view their test results. To eliminate confusion for people who may think ‘positive’ is a good thing, rather than listing, say, ‘positive’ or ‘negative’ for chlamydia, the results are clearly explained that positive denotes you have the disease, or negative means you do not.

Providers are also able to sign in on the back end to view and better understand incidence numbers, what patients need follow ups and individual labs, making Private Results a powerful public health tool.

What Private Results dies is not only provide patient portals to patients to patients and providers but to the overall public heath sector taking this a step further than the traditional patient portal.
This open source tool is designed to disrupt this area and allow this area to become more collaborative.  Additionally, they are building an API into Private Results that makes it really easy to share real-time STI outbreak data between a clinic, a local health department and a state department, and for them to send data back to providers about possible outbreaks occurring.  This may help change how frequently they screen certain communities for emerging STIs.

Patients Who Actively Engage With Patient Portals Have Better Outcomes and Lower Costs to Care

If improving patients’ health matters, and your organization’s bottom line is top of mind, then the notion of patient engagement should catch your attention.

It’s a hot topic in today’s world, as more and more clinical evidence underscoring the benefits of patient engagement catches the industry spotlight.

Chanin Wendling from Geisinger Health System said the numbers do the talking when they conducted by research at the University of Oregon.  They examined health engagement data on approximately 30,000 patients across 40 Minnesota-based primary care clinics. At the conclusion of their research they found patients that had the lowest patient engagement levels cost from 8% to 21% more than the patients who were actively engaged in their health.

“I can sit with a patient as a provider and tell them they need to stop smoking and that all of their health issues stem from the fact that they’re smoking, but I can’t actually stop the smoking for the patients themselves,” said Wendling. “I can get them counseling; I can send them to the appropriate resources, but the patient actually has to take steps themselves to be involved in their healthcare.”

Geisinger health system utilized text messaging, portals, iPads and touch screens to connect patients to their care.

“Unfortunately, providers have very little time with patients,” added Wendling. So, “if you can get the patient to be actively involved in managing their conditions, life is better both from the patient health outcomes perspective as well as the cost to the system.”

For more information on selecting and implementing a patient portal in your medical office (practice) or hospital please contact Vanessa Bisceglie M.B.A., B.S. at EHR & Practice Management Consultants, Inc. 847-322-0139 or