
“Insider Tips To Make Your Medical Practice Run Faster, Easier And More Profitably”

brainlink HIPAAStorm
Volume V, Issue V   May 2012   New York, NY

Get More Free Tips, Tools, and Services At My Web Site: www.RajGoel.com

Inside This Issue…
What does 2012 hold for HIPAA/HITECH Compliance? ........................ Page 1
New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy ...... Page 2
$100,000 Fine Levied on Physician Group ................................. Page 2
In Honor Of Mother’s Day ................................................ Page 3
Learn from the BC/BS of Tennessee HIPAA breach .......................... Page 3
How To Detect Privacy Breaches .......................................... Page 4
EHR Meaningful Use Stage 2 A High Priority for HHS – Are You Prepared? .. Page 4

What does 2012 hold for HIPAA/HITECH compliance?

For many medical practices, the default answer is “more of the same”. That’s also the wrong answer.

In November 2011:
- NIST (National Institute of Standards and Technology) released the HIPAA Security Rule toolkit
- The Joint Commission (JCAHO) issued guidance stating health care professionals should not use text messaging for orders
- US Dept of Health and Human Services (HHS) released updated HIPAA enforcement highlights

In 2011/2012:
- UCLA Health System, Cignet and Mass General paid sizeable, precedent-setting penalties.
- HHS conducted joint raids with the FTC, State Attorneys General and US Postal Service Inspectors that led to scores of arrests.
- The HHS wall of shame grew significantly larger.
- Several small medical practices were fined for HIPAA violations.

In the past 12 months, we:
- Conducted an in-depth HIPAA compliance audit for a major RHIO
- Assisted several IT firms in conducting IT Security and Compliance audits for their clients
- Educated several thousand CISSPs in Privacy and Security challenges with Cloud Computing
- Provided Ethics CLE and CPE training to several hundred attorneys and accountants

If you haven’t had a HIPAA Security Rule mandated Information Security Compliance Audit within the past 24 months, let’s talk.

If you have questions about what your employees, contractors and Business Associates can and cannot do with patient data, let’s talk.

If you have questions about HIPAA, PCI-DSS, GLBA, RED FLAG or other compliance issues, call me at 917-685-7731 or email [email protected]

- Raj Goel, CISSP

Catherine Patsos, Esq

“As a business owner, you don’t have time to waste on technical and operational issues. That’s where we shine! Call us and put an end to your IT problems and HIPAA/HITECH compliance challenges!”

Page 4

How To Detect Privacy Breaches

Just like your patients need routine checkups, your computers and other devices can also use a good sweeping from time to time.

For only $599 per office or location, we will have a trained expert perform a “Preliminary Network Exam” of your computers and networks to detect privacy and security violations. For only $599, we’ll come onsite to perform a system maintenance check to:
- Detect hidden spyware
- Check your privacy settings, firewall and network security
- Perform various system checks and maintenance to speed up your computer and network
- Block annoying pop-up ads and check your online security settings
- Check for system errors, conflicts, or other problems
- Verify your data backups

Normally we charge $995 for this maintenance service, but it’s yours for only $599. But you have to hurry…this special is only good through the end of May, so call today! 917-685-7731

EHR Meaningful Use Stage 2 A High Priority for HHS – Are You Prepared?

By Catherine G. Patsos, Esq.

Earlier this year, the Department of Health and Human Services (HHS) cited EHRs as one of the agency’s top priorities in its regulatory agenda for 2012. Yet according to a recent study released by Computer Sciences Corporation (CSC), many providers are not ready to meet the recently proposed requirements of Stage 2 Meaningful Use (MU).

In its regulatory agenda, HHS states that it “continues to encourage health care providers to become meaningful users of health information technology by accelerating health IT adoption and promoting electronic health records to help improve the quality of health care, reduce cost, and ultimately, improve health outcomes.”

According to the CSC study, however, eligible providers (EPs) either deferred or were exempted from several Stage 1 MU requirements. Many of these requirements related to improving care coordination and patient involvement, which are measures that will likely be required for Stage 2 MU. Specifically, medication reconciliation, providing patients with access to electronic health information and providing summary records at transitions in care were among the requirements most often deferred by EPs.

Some of the biggest challenges for EPs in Stage 2 will be allowing patients to review and download their electronic health information and transmitting summary-of-care records at transitions of care. According to the CSC study, only 12% and 24%, respectively, were prepared to fulfill these requirements. There has also been much criticism of the proposed Stage 2 requirement that at least 10% of patients view their own electronic health information, because fulfilling this requirement is not within providers’ control.

The CSC study recommends that providers not wait until the Stage 2 final rule is issued to begin to operationalize Stage 2 MU requirements, particularly with regard to engaging patients and coordinating care. Specifically, the CSC study cites three areas in which providers should begin building capabilities:
1) Providing patients access to electronic health information;
2) Establishing means to communicate with patients electronically; and
3) Exchanging patient information at transitions of care.

The CSC study can be accessed at http://assets1.csc.com/health_services/downloads/CSC_Moving_Ahead_with_Stage_2_of_Meaningful_Use.pdf.

Catherine Patsos is a health care attorney with extensive experience in representing health care providers. She concentrates her practice in health care reimbursement, regulatory and compliance matters, and fraud and abuse issues. For more information, visit www.healthcarelawllc.com.

Brainlink International, Inc.
87-90 118 Street
Richmond Hill, NY 11418

Get More Free Tips, Tools and Services at www.RajGoel.com or call me at 917-685-7731


Page 2

HIPAA In The News

New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy

Still think HIPAA compliance is strictly for the big guys? Still think your small medical practice or medical billing business is safe from hackers, criminals and litigators?

From the Wall Street Journal:

The New Year’s Eve burglary of a California office building has led to the collapse of a national medical records firm.

Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.

Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.

- http://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm%E2%80%99s-collapse/

$100,000 Fine Levied on Physician Group

If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike.

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar. OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information. OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriguez expressed the agency’s hope that health care providers “pay careful attention” to the Resolution Agreement and the expectation that all providers, “no matter the size,” fully comply with the Privacy and Security Rules.

- http://www.jdsupra.com/post/documentViewer.aspx?fid=28efff74-2781-485c-b366-d75563ca0e8f

Page 3

The Lighter Side…

In Honor Of Mother’s Day

A mother is a person who, seeing there are only four pieces of pie for five people, promptly announces she never did care for pie. ~Tenneva Jordan

Being a full-time mother is one of the highest salaried jobs in my field, since the payment is pure love. ~Mildred B. Vermont

A suburban mother's role is to deliver children obstetrically once, and by car forever after. ~Peter De Vries

The phrase "working mother" is redundant. ~Jane Sellman

The moment a child is born, the mother is also born. She never existed before. The woman existed, but the mother, never. A mother is something absolutely new. ~Rajneesh

Some mothers are kissing mothers and some are scolding mothers, but it is love just the same, and most mothers kiss and scold together. ~Pearl S. Buck

Google’s New Privacy Policy: What You Need To Know

On March 1st, Google implemented a new, unified privacy policy that affects the browsing history and information Google has on you, both past and present. Prior to this change, your Google history of the searches you made and sites you visited was not shared with Google’s other services, particularly advertisers. Naturally, Google is one of the biggest media and marketing companies in the world, and your preferences and search information are pure gold from a marketing standpoint. Marketers armed with that information would know exactly what products and services to display to you as you use the search engine.

However, your search history can reveal a lot about you, including details on your location, interests, age, sexual orientation, religion, health concerns and more. If you want to keep Google from combining your web history with the data they have gathered about you in their other products, such as YouTube or Google Plus, you may want to remove all items from your web history and stop your web history from being recorded in the future. To do this, sign into your Google Account and go to the “History” section, then select “Remove All History.”

Of course, clearing the web history in your Google account will not prevent Google from gathering and storing your preferences, searches and information and using it for internal purposes. It also does not change the fact that any information gathered and stored by Google could be obtained and used against you by law enforcement.

With web history enabled, Google will keep these records indefinitely; with it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented. This brings up a whole other topic of what kind of information you should post about yourself (or store) online.

If you would like to learn more about how to protect yourself, your kids and employees from Social Media, then watch the video at http://www.RajGoel.com/blog/what-to-teach-your-kids-employees-and-interns-about-social-media/

Learn from the Blue Cross Blue Shield of Tennessee HIPAA breach

In March 2012, BCBS of Tennessee agreed to pay $1.5M for HIPAA data breaches. BCBSoTenn failed to encrypt hard drives containing voicemail files.

Is YOUR medical practice encrypting hard drives and flash drives embedded within:
- Laptops
- Desktops
- Servers
- Copiers
- Voice Mail systems
- And other smart systems?

The settlement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf.
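As an added example (not part of the newsletter and not Brainlink's tooling), here is one way to answer the question above for Linux laptops, desktops and servers: parse the device tree that `lsblk -J` prints and flag every mounted filesystem that does not sit beneath a dm-crypt (LUKS) layer. Assumptions: util-linux lsblk with JSON output (`-J`) and the NAME, TYPE and MOUNTPOINT columns; the sample tree below is constructed, not captured from any real practice. Copiers, voicemail appliances and Windows hosts need their own checks (BitLocker via `manage-bde -status` or `Get-BitLockerVolume`, for example), which this script does not perform.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not real data):
# root and swap live inside a LUKS container, but a /data partition and a
# plugged-in USB stick are plain partitions with no encryption layer at all.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                ]},
            ]},
            {"name": "sda3", "type": "part", "mountpoint": "/data"},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"},
        ]},
    ]
})

# Mounts normally left in the clear by design (bootloader, kernel, initrd).
# Everything else, swap included, can hold patient data and must sit under a "crypt" node.
PLAINTEXT_OK = ("/boot", "/boot/efi")


def classify_mounts(lsblk_json):
    """Map each mountpoint to True if some ancestor in the block-device tree is a
    dm-crypt ("crypt") node, False otherwise. Encryption inherits downward, so an
    LVM volume carved out of a LUKS container counts as encrypted."""
    tree = json.loads(lsblk_json)
    mounts = {}

    def walk(node, under_crypt):
        encrypted = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            mounts[mountpoint] = encrypted
        for child in node.get("children") or []:
            walk(child, encrypted)

    for device in tree.get("blockdevices", []):
        walk(device, False)
    return mounts


def unencrypted_mounts(lsblk_json, allow_plain=PLAINTEXT_OK):
    """Sorted list of mounted filesystems with no encryption layer beneath them,
    excluding the mountpoints listed in allow_plain."""
    return sorted(mp for mp, enc in classify_mounts(lsblk_json).items()
                  if not enc and mp not in allow_plain)


def live_lsblk():
    """Run lsblk on this host; return None when it is missing or fails (non-Linux)."""
    try:
        done = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return done.stdout


if __name__ == "__main__":
    data = live_lsblk()
    source = "this host" if data else "constructed sample"
    findings = unencrypted_mounts(data or SAMPLE_LSBLK)
    print("Unencrypted mounts (%s): %s" % (source, findings or "none"))
```

Run it on each machine during the audit; the sample reproduces the usual failure, a root volume that was encrypted at install time while a second data partition and removable media were not. Swap is deliberately not excused, since page files carry fragments of whatever was in memory. The check sees only the block layer: file- or application-level encryption will not appear as a "crypt" node, and a "crypt" node says nothing about key strength or whether the passphrase is written on a sticky note.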
