
Under a proposed new payment model for physicians, Medicare expects to favor large physician practices for bonuses, while practices with fewer than 10 clinicians bear the brunt of penalties.

According to Medicare, new performance measures take effect in January 2017. The agency says that “positive adjustments” and “negative adjustments” in pay, based on new benchmarks, will begin in 2019. The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) set the parameters for this new payment model.

A chart from Medicare, available on our blog, shows the anticipated lopsided impact on small practices.

According to Medicare’s estimates:

  • Of nearly 103,000 solo practitioners, 87 percent can expect an average negative adjustment of $2,900 in 2019. Practices of fewer than 10 clinicians are likely to fare only slightly better.  
  • By contrast, in practices of 100 or more clinicians, 81 percent will likely receive positive adjustments averaging $1,800.

Medicare’s proposed changes would usher in a radical shift away from the current volume-based payment system to one of merit pay for doctors and other Medicare-eligible clinicians.  

Those participating in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs will be expected to meet 10 objectives, with Objective No. 1 being the protection of patient health information under the Health Insurance Portability and Accountability Act (HIPAA).

The American Medical Association (AMA) called the proposed new rules the “most sweeping change in physician payment policy in the last 25 years.” AMA said it would issue comments after a detailed analysis of the proposal.

Through June 27, Medicare will accept public comments on the new rule. 

Additional Resources from Medicare

Here are two summary sheets:

  1. A 14-page overview titled Quality Payment Program Fact Sheet
  2. A 6-page paper, titled Advancing Care Information, explaining proposals for the Merit-based Incentive Payment System (MIPS) performance category relating to the use of electronic health records. MIPS applies to Medicare Part B clinicians, including physicians, physician assistants, nurse practitioners, clinical nurse specialists, and certified registered nurse anesthetists.

The proposed rules would replace the current Meaningful Use program.

Independent Reviews of the Proposed Rules

For quick highlights, you may view:

Five things to know about the proposed new rules from the website of the American Journal of Managed Care.

Physician payment in Medicare is changing: Three highlights in the MACRA proposed rule that providers need to know from the Brookings Institution.

Doctors and patients, listen up. Starting in 2019, private insurers may hold unprecedented power in determining standards of care for Medicare patients.

To understand what’s at stake under a newly announced payment model, let’s go step by step:

  • If you are covered under Medicare, the kind of treatment you receive depends in large part on what Medicare covers in reimbursements to doctors and others.

  • Medicare has now unveiled a new payment model, which it says will “guide a clinician to follow a standard plan of care.” For you as a patient, this means that in the future, your particular treatment will likely be determined by statistics, presumably showing what works best in your circumstances.

  • Absent a uniform system of best practices, Medicare’s new model makes it possible for private insurers to set patient care standards, which Medicare will recognize by awarding physicians and other clinicians 5 percent performance incentives. Medicare further says that “positive” and “negative” payment adjustments will increase over time.

In a newly released 14-page report, titled Quality Payment Program, Medicare says this: “Clinicians could qualify for incentive payments based, in part, on...payment models developed by non-Medicare payers, such as private insurers or state Medicaid programs." The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) set the parameters for this new payment model.

Indeed, the idea of rewarding doctors for following best practices could improve patient care and reduce wasteful spending. But what happens if the statistics are wrong?

As a tax-supported program, Medicare owes it to beneficiaries – and taxpayers – to determine best practices based on meaningful and transparent data analysis. According to an earlier government study, the nation won’t even have the advanced technology for comprehensive data analysis, and sharing of information among providers, until 2024. That report, titled A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure, specifies that important lessons are yet to be learned “to improve interoperability in support of nationwide exchange and use of health information across the public and private sector.”

One complicating factor: The dismal state of Electronic Health Record (EHR) systems in use today. In 2015, 36 professional associations raised questions about the very security of patient information contained in EHRs. In a letter to the feds, the associations raised concerns about poorly functioning EHRs resulting in “medical record errors, inaccurate documentation, lack of interoperability, slow performance, lost patient information, and safety concerns.”

Separately, in a July 2013 federal government report, titled Capturing High Quality Electronic Health Records Data to Support Performance Improvement, findings point to highly functioning EHRs as key to the implementation of payment reform tied to performance measures.

“As the industry moves toward value-based reimbursement—reimbursement based on quality and cost measures—improving the quality of the data used for measurement is imperative,” the report noted.

One featured section of the report discusses a federally funded project in Rhode Island, in which goals had been set for improving the health of diabetes patients. As local medical practices began accessing EHR data in order to report on improvements in diabetes care, they discovered data quality issues due to missing or inaccessible data or wide variations in outcomes that could not be explained by the actual delivery of care.

This report, issued by the same government agency that oversees Medicare, concluded that the Rhode Island “experience highlighted the need for practices to focus resources on improving EHR data capture and quality before using results to create quality improvement strategies and tactics.”

Against this backdrop, profit-driven insurers will now be trusted to write the standards for so-called value-driven care under Medicare?

Come on. We’re talking about the federal insurance program for an estimated 55 million people 65 and older, plus those with permanent disabilities. According to the Kaiser Foundation, Medicare accounted for 14% of the federal budget in 2014, with benefit payments totalling $597 billion in tax dollars.

Far too much is at stake to move prematurely toward standardized patient care that cannot be supported by trustworthy data. The lesson from the Rhode Island project should be heeded: First figure out how to capture quality data before using statistics to determine uniform treatment methods for patients.  Treating people based on bad data could put the health of untold millions at risk.

Launch coincides with the start of HIPAA audits; MyHIPAA Guide Publisher authors accredited course

Troup, Texas -- April 15, 2016 -- Pedagogy Inc., a continuing education company for healthcare providers, announces a vital new online course to counter a growing number of publicly reported incidents of patient information posted to social media.

Nurses, technicians and other healthcare workers are often the culprits, with information and photos originating from physician offices, hospitals, nursing homes, and other healthcare facilities.

Last year, reports co-published by ProPublica and the Washington Post revealed startling examples of abuses, including some patients exposed naked on SnapChat and other platforms.

In a case reported last month by USA Today, a New York nurse took photos of an unconscious patient’s penis, and shared them with co-workers. The nurse initially faced a felony charge, but agreed to give up her nursing license for a reduced sentence.

Pedagogy’s new course coincides with the start of long-awaited federal audits under the Health Insurance Portability and Accountability Act (HIPAA). Meanwhile, in a 2016 survey co-sponsored by the nonprofit Health Care Compliance Association, participating healthcare providers ranked social media as their #1 compliance concern.

The new course is authored by Diane Evans, Publisher of Akron, Ohio-based MyHIPAAGuide.com, a news and information service to help healthcare providers stay compliant with HIPAA rules.

Course participants will receive instruction in how:

  • Patient information really does end up on social media

  • Daily carelessness threatens the privacy of patient health information, and exposes providers to liabilities

  • Even simple risk-mitigation practices help safeguard patient information

  • A culture of vigilance can prevent bad practices that can lead to breaches

For information about the course, contact Pedagogy Inc. For more information on social media breaches in healthcare, contact Diane Evans.


Long-awaited federal audits are finally here under the Health Insurance Portability and Accountability Act (HIPAA). The shift toward proactive enforcement of patient privacy laws sends a clear message: Healthcare providers of all sizes, and their business associates, must be accountable for securing patient information – or they can face fines under HIPAA.

While some providers may groan, the times require serious protection against very real threats to patient privacy, ranging from cybercrime to careless lapses. Increasingly, government and media reports reveal atrocities, such as embarrassing patient images posted to social media, often the result of healthcare workers snapping photos and sharing them.

Such incidents violate not only patients’ rights, but also human dignity.

Ideally, federal audits will heighten awareness of risks and of the importance of a culture of vigilance in places where it is lacking. Even simple precautions and good daily habits can prevent abuses.

The challenge is to create a mindset of high respect for privacy, and to enforce policies and procedures that reduce the chance of violations.

Think of the senselessness, and the consequences, of a case reported last month by USA Today. A New York nurse took photos of an unconscious patient’s penis, and shared the photos with co-workers. The nurse initially faced a felony charge, but agreed to give up her nursing license for a reduced sentence. Nursing homes are particularly ripe for similar types of abuses involving nakedness, as ProPublica has reported.

Incidents are far from isolated. Earlier this year, the National Council of State Boards of Nursing (NCSBN) released survey findings, indicating 48% of responding nursing boards (33 in total) faced social media challenges. In some cases, complaints related to images of wounds and procedures photographed on mobile phones and then shared.

Even for smaller practices, HIPAA settlements and fines can be steep. Last September, for instance, a radiation oncology practice in Indiana agreed to pay $750,000 following the theft of a laptop bag from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which held the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former cancer patients. The government’s investigation found that the medical group had not conducted a proper risk analysis.

The government determined that a proper device and media-control policy could have educated employees on their responsibilities for safeguarding devices with patient information.

In 2016, the audit program will focus on a review of policies and procedures followed by healthcare providers and their business associates.

According to the government’s announcement, auditors will review documents and share draft findings with auditees, who will have the opportunity to respond. Auditees will be alerted by email and asked for information. For organizations with automatic spam filtering and virus protection, the government cautions that you are expected to check your junk or spam email folder for emails from OCR.

Nursing home administrators should be especially careful in limiting the use of personal devices among employees; HIPAA rules require adherence to specific policies and procedures to reduce the risk of breaches.

Read reports in ProPublica on the social media abuses happening within nursing care facilities. 

Tuesday, 12 April 2016 10:17

Learn Details about the HIPAA Audits

On March 21, the federal Office for Civil Rights (OCR) announced the start of the next phase of audits under the Health Insurance Portability and Accountability Act (HIPAA). Read the OCR's announcement here.

In sum, audits will extend to all types and sizes of organizations required to follow HIPAA rules, including business associates of healthcare providers. The 2016 audits will primarily be desk audits, although some on-site visits will be included.

Those selected for an audit will receive an email, asking for contact information. The contact person or office will then receive a pre-audit questionnaire.

Here is something especially important to know:

“Communications from OCR will be sent via email and may be incorrectly classified as spam,’’ the agency said in its announcement. “If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.”

MyHIPAAGuide.com subscribers may click here for detailed information including:

  • Sample letter to auditees
  • Pre-screening questionnaire
  • Sample template entities may use to develop their list of business associates
  • Details of the audit process

Tuesday, 05 April 2016 10:23

Guest Viewpoint: Easy HIPAA Security Tips

By Martin Stranges, President Pittsburgh Computer Solutions

IT security in an office environment can be a very complex issue to tackle. The pace of a busy practice makes matters worse. Simple and effective steps can be taken to eliminate some of the burden.


Get a junk email address. There are a lot of free services available, and some have great functionality like shareable calendars you may use. We all have to subscribe or sign up for something that requires a contact address. In a lot of cases, these addresses are sold or rented to solicitors. Let this be the catch-all for the marketing material and potential ransomware coming your way. Your professional inbox will thank you.

Email attachments, and the office staff that opens them, have been the bane of IT for decades. Viral threats started out as nuisance or joke programs that were fairly easy to remedy and didn’t usually cause excessive downtime. Currently we’re seeing a new breed of programs that encrypt your data and hold it hostage until a ransom is paid. There have been documented cases where a covered entity had to pay a $16,000 ransom to decrypt its own data. Two easy steps to help avoid the impact of ransomware are:

  • Train your staff not to open email attachments unless they’re absolutely sure it came from a reliable source. Call IT if there’s any question to ensure the email is genuine. We’re always happy to get the call before a problem starts.

  • Since accidents happen, have at least two backups of your data in place. One of them should be cloud-based and keep revisions or periodic snapshots of your systems, so that a backup taken after an infection does not simply overwrite the last good copy.
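The second step, a backup that keeps revisions, is the one that actually gets you out of a ransomware incident. The script below is an added illustration and is not code from the original post or from Pittsburgh Computer Solutions. It builds a throwaway directory of constructed sample files (no real patient data), keeps two backups side by side, a single mirror that is overwritten on every run and a numbered snapshot per run, then simulates an infection that scrambles the live files and shows that the mirror is now junk while the newest clean snapshot restores the data. All paths, file names and the "ENCRYPTED:" marker are assumptions made for the demonstration; it uses only POSIX shell utilities.

```shell
#!/bin/sh
# Added example (not from the original post): a backup that keeps revisions
# survives ransomware; a single overwritten mirror does not.
# Everything below runs in a temp directory on constructed sample files.
set -eu

# Create a fresh workspace: live data, a one-copy mirror, a snapshot store.
setup_workspace() {
    WORK=$(mktemp -d)
    LIVE="$WORK/live"; MIRROR="$WORK/mirror"; SNAPS="$WORK/snapshots"
    mkdir -p "$LIVE" "$MIRROR" "$SNAPS"
}

# Run both backup styles. The mirror is replaced wholesale each time; the
# snapshot store gets a new, sequentially numbered directory that is kept.
take_backup() {
    rm -rf "$MIRROR"
    cp -pR "$LIVE" "$MIRROR"
    n=$(ls "$SNAPS" | wc -l)
    cp -pR "$LIVE" "$SNAPS/$(printf 'snap-%03d' $((n + 1)))"
}

# Stand-in for a crypto-ransomware payload: every live file is overwritten
# with ciphertext-like junk. Real malware also hits any backup share it can
# reach, which is why the snapshot store must sit out of the workstation's reach.
simulate_ransomware() {
    for f in "$LIVE"/*; do
        printf 'ENCRYPTED:%s\n' "$(basename "$f")" > "$f"
    done
}

# A snapshot is clean if none of its files carry the ransomware marker.
# Prints the newest clean snapshot directory; fails if there is none.
find_clean_snapshot() {
    found=""
    for s in "$SNAPS"/snap-*; do
        [ -d "$s" ] || continue
        if ! grep -q '^ENCRYPTED:' "$s"/*; then
            found="$s"
        fi
    done
    [ -n "$found" ] && printf '%s\n' "$found"
}

restore_from() {
    rm -rf "$LIVE"
    cp -pR "$1" "$LIVE"
}

# Full walk-through. Prints "recovered" and returns 0 when the versioned
# backup brings the data back; prints "lost" and returns 1 otherwise.
demo_recovery() {
    setup_workspace
    printf 'patient 001: follow-up visit scheduled\n' > "$LIVE/chart-001.txt"
    printf 'patient 002: lab results pending\n'       > "$LIVE/chart-002.txt"
    take_backup                       # snap-001
    printf 'patient 002: lab results normal\n'        > "$LIVE/chart-002.txt"
    take_backup                       # snap-002: the last good state
    simulate_ransomware
    take_backup                       # snap-003 and the mirror now hold junk

    # The single mirror is useless: it was overwritten after the infection.
    if ! grep -q '^ENCRYPTED:' "$MIRROR/chart-001.txt"; then
        echo lost; rm -rf "$WORK"; return 1
    fi
    clean=$(find_clean_snapshot) || { echo lost; rm -rf "$WORK"; return 1; }
    restore_from "$clean"
    if grep -q '^patient 002: lab results normal' "$LIVE/chart-002.txt" \
       && ! grep -q '^ENCRYPTED:' "$LIVE"/*; then
        echo recovered; rm -rf "$WORK"; return 0
    fi
    echo lost; rm -rf "$WORK"; return 1
}

demo_recovery
```

The point to carry back to the office: a scheduled job that copies the data folder to a USB drive or a mapped share is the "mirror" above, and the first backup after an infection destroys the only good copy. A snapshot or versioned service keeps the earlier state, and the restore is a matter of picking the last clean one.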


Having antivirus in place is a no-brainer. We see a lot of practice workstations with a mix of factory-installed antivirus products: some working, some expired, and others that just won’t update on their own. Invest in a cloud-managed, business-class antivirus. You’ll know exactly what’s going on across the entire organization from the dashboard at a glance. It’s also less expensive than paying one at a time for the wrong solution.


Have practice email or info on your mobile phone? Lock it. Lost or stolen phones are one of the biggest threats to your office security. Any newer smartphone with the latest updates is capable of encryption without added software, but the encryption only protects you if a strong passcode is set, because the phone’s key is tied to the lock screen. With that in place, if your phone ends up out of your control, it’ll be useless to anyone that doesn’t have your password.


Ever consider digital faxing? Over the years it has become a more affordable and secure option than paper faxing. It’s actually less expensive to have a digital fax line than a phone line attached to a fax machine. Your faxes will show up in an email and not sit on your fax machine for hours until someone notices they arrived. Digital fax services can be HIPAA compliant, but make sure you sign up for the HIPAA plan when placing your order; that plan should include a business associate agreement, since the vendor will be handling protected health information on your behalf. Imagine the cost and time savings when you’re not buying toner or paper, and you can even send secure faxes right from your desktop, phone or other mobile device.


Take advantage of patches and updates on your phone, mobile devices and workstations. They’re free and the majority of them enhance security. Some devices allow for automatic updates which will save time as well as ensure you’re always as protected as possible.

A little bit of time and effort goes a long way to securing what you’ve worked so hard to create.

Pittsburgh Computer Solutions offers complete IT solutions to keep healthcare providers compliant with privacy and security rules.

In a recent survey, co-sponsored by the Health Care Compliance Association, “social media” emerged as the No. 1 risk concern among respondents in healthcare.

In truth, patient information can and does end up on Facebook and on other Internet sites. A review of cases published in major media and by the federal government shows that the culprits are often those working within healthcare.

Consider a 2015 report published in the Journal of Nursing Regulation:

Referencing a 2014 survey, the National Council of State Boards of Nursing (NCSBN) revealed that 48% of responding Boards of Nursing (33 in number) face challenges with social media. Several boards in the survey reported images of wounds or procedures being shared across social media after being photographed on mobile phones.

NCSBN has called for greater awareness and vigilance to stop this kind of activity. In a published guide on uses of social media, NCSBN reminds nurses and others of the blanket responsibility to safeguard any and all patient information, and to limit disclosures to members of a health care team who need to know for the purpose of providing care to an individual.

NCSBN has recommended numerous guidelines for nurses, which could also pertain to others. Examples include:

  • Do not transmit any patient-related image via any electronic media

  • Do not share, post or otherwise disseminate any information, including images, about a patient

Remember, too, that patient information can spread in unanticipated ways.

In one example, the Tampa Bay Times reported on a nurse who snooped out medical records of her nephew's partner, and learned that she had delivered a baby and had put the child up for adoption. The nurse gave a printout to another family member, and the news came out at a family funeral. Anyone who heard could have posted or Tweeted.

In an older case reported by the federal government, a different, less obvious kind of improper exposure is worth noting, because it illustrates how breaches can happen even in the course of normal business. In this case, a physical therapy provider agreed to a $25,000 settlement after posting patient testimonials to its website. The testimonials included full names and photographs, but the provider had not obtained valid, HIPAA-compliant authorizations. Routine marketing counts as a disclosure, too.

Ultimately, the work of safeguarding patient information is about creating a culture in which daily habits put a priority on privacy and security.

Risk assessment, as required under HIPAA rules, is essential. In a healthcare organization, that means examining how, where and under what circumstances information might be improperly seen, heard, accessed or compromised. The task is to go step by step: anticipate potential threats, implement solutions, and then put precautionary habits into daily practice.

In a culture of vigilance, the safeguarding of patient information is top-of-mind. In such a culture, it would be unthinkable to hand a relative a printout containing patient information.

By contrast, a culture of laxity invites breaches. And with the prevalence of social media, laxity opens an avenue for fast spread of patient information to the masses.

The way to protect against a social media nightmare: Strive to create a dream team in your midst - where those with access to patient information guard it jealously from any possible abuse. It is impossible to eliminate risk altogether. But a culture of vigilance closes off many of the access points that result in breaches in general and pathways to social media.

Friday, 26 February 2016 08:44

Carelessness Invites HIPAA Police

This year, the federal government plans to begin audits to ensure compliance with privacy and security provisions under the Health Insurance Portability and Accountability Act (HIPAA). The audits signal a shift to proactive enforcement of HIPAA rules, in contrast to the past, when the feds typically reacted to complaints of alleged breaches.

If you are a healthcare provider, your greatest threat is less likely to be an elaborate hacking scheme than plain carelessness or neglect. In recent years, the top two issues in the most serious HIPAA investigations related to:

  1. Impermissible uses and disclosures of patient information

  2. Inadequate safeguards

Often, violations come down to basic lapses in judgment, such as leaving computers containing patient information in unlocked rooms. Here are a few examples, illustrating the type of routine behaviors that lead to investigations:

  • In one case involving the Indiana-based Parkview Health System, a physician complained that as she was transitioning to retirement, Parkview employees left 71 cardboard boxes of patient health records unattended in her driveway in a high-traffic area. Parkview settled the case for $800,000.

  • In another case, Lahey Hospital and Medical Center, affiliated with Tufts Medical School, settled potential violations for $850,000 after a laptop was stolen from an unlocked treatment room. The feds reported evidence of widespread non-compliance with the HIPAA rules, including failure to conduct thorough risk assessments.

Aside from these more high profile cases, several lesser cases illustrate the everyday situations that spark investigations and lead to corrective action plans. Consider:

  • A mental health center failed to provide a notice of privacy practices to a father or his minor daughter, who was a patient at the center.

  • A private practice failed to provide a patient access to his medical records.

  • After treating a patient injured in a sporting accident, a hospital released the patient’s skull x-ray and other detailed information to a local newspaper. The hospital argued it acted in the public interest, but the feds said the disclosures did not meet the appropriate standard.

  • A staff member of a medical practice discussed HIV testing procedures with a patient in a waiting room, and by doing so, disclosed protected health information to others in the room. At this same practice, computer screens displaying patient information were easily visible to patients.

The lesson: Tend to the details, and create a culture that values the protection of patient privacy. It’s a mindset more than anything. The idea of patient information in open view on a computer screen, or on paper, should be as unthinkable as leaving the office doors wide open overnight.

After a recent workshop presentation, a woman asked me to explain the difference between security and privacy. In a medical practice, security relates to measures such as keeping patient records in locked rooms, or having contingency plans in the event of a natural disaster or power outage.

Security and privacy are inter-related, but privacy is more personal. In an environment where privacy is respected, no one would imagine chatting up HIV testing procedures in a waiting room where others could hear.

Of course, protect against hackers and other potential assaults from the outside. But look carefully around your workplace, and think hard about the real threats as a result of lax procedures. If someone walking by a work station can glimpse the protected health information of a patient, privacy has been violated. Worse yet, what’s to prevent that person from sharing this new found information on social media? Nothing. And if that happens, expect the HIPAA police.

The special healthcare edition of Crain's Cleveland discusses the help available to doctors through MyHIPAAGuide.com.

The recently launched news & information service covers compliance, including updates in rules; preparation for coming audits; patient education; Meaningful Use reporting and more. Through MyHIPAAGuide.com, a seasoned journalist shows a clear path through the government maze of rules and reporting requirements.

Read about MyHIPAAGuide.com in the special healthcare edition of Crain's Cleveland.


10 Step HIPAA Plan

  • Step 1: Make Sure You Must Comply with HIPAA
    What's Inside: Lists of who is generally covered and who is not, plus contact for inquiries.

  • Step 2: Designate Team Leaders
    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template

  • Step 3: Develop Security Policies & Procedures
    What's Inside: Templates for Security Policies and Procedures

  • Step 4: Conduct a Security Risk Analysis
    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths
    • Interactive tutorial – 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.

  • Step 5: Develop an Action Plan
    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists
    • Toolkit on 45 implementation specifications

  • Step 6: Reduce Risks of a Breach
    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template

  • Step 7: Train the Team
    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach
    • Suite of Training Materials

  • Step 8: Customize Privacy Notices
    What's Inside (for all):
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish
    • Professionals' guide covering 2013 updates on communications
    • Electronic toolkit with patient education and meaningful consent sample materials

  • Step 9: Execute Business Associate Agreements
    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools

  • Step 10: Verify Compliance with HIPAA
    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government
    All from federal sources.