August Goes Out with a Bang: Stage 2 Final Rule & HIPAA Arrest
August ended in a whirlwind of federal activity, with CMS and OCR publishing the long-awaited Meaningful Use Stage 2 Final Rule and its accompanying Standards & Certification Criteria. And, as if Stage 2 wasn’t enough excitement, the FBI arrested a former hospital employee for a solicitation scheme involving improper access to and sale of emergency department patient records.
Much dissected since their release on August 22 by CMS and OCR, the Meaningful Use Stage 2 Rules brought few surprises to those familiar with the Notices of Proposed Rulemaking (NPRMs) released back in March. In addition to formally delaying Stage 2 to 2014, the Final Stage 2 Rule limits the reporting period to 90 days for 2014 for ALL providers REGARDLESS of the Stage they are in.
While CMS took public comment into consideration and incorporated some revisions as a result, the majority of the NPRMs carried over into the Final Rules (see my previous post on the Stage 2 NPRMs). EPs now must report on 17 core and 3 out of 6 menu objectives, while hospitals and CAHs must report on 16 core and 3 out of 6 menu objectives. Likewise, EPs must report on 9 out of 64 CQMs, and hospitals and CAHs must report on 16 out of 29 CQMs. The majority of Stage 1 menu objectives and measures became core, and several Stage 1 core objectives and measures were consolidated into a single objective and measure(s), or eliminated (for example, “exchange of key clinical information” was eliminated in favor of a new and more robust “transitions of care summaries” objective).
Public comments highlighted the concerns many providers had with the new Stage 2 patient engagement requirements: those requiring that patients use secure messaging with their providers (EPs) and that patients access, view, and download their health information online (EPs, hospitals and CAHs). Although the requirements were not eliminated, CMS reduced the associated measure thresholds from 10% to 5%. In addition, CMS reduced the measure thresholds of certain other objectives, including for electronic exchange of summary care records. That objective, another area of concern reflected in the public comments, was also modified by CMS to require at least one successful electronic exchange to a different EHR technology or a successful test with a CMS-designated test EHR during the applicable EHR reporting period.
CMS has released several tipsheets and guidance documents to help EPs, hospitals and CAHs participating in the Medicare and Medicaid EHR Incentive Programs understand the new requirements for Stage 2, as well as the amendments to certain Stage 1 requirements. Additional information regarding Stage 2 can be found on CMS’ new Stage 2 webpage.
To add to August’s excitement, a former employee at Florida Hospital’s Celebration Health was arrested by the FBI for accessing patient emergency department records and selling those related to motor vehicle accidents. According to the FBI criminal complaint, the former employee was fired back in July 2011, but for an unrelated incident: accessing, without authorization, the medical records of a physician who had been shot and killed in a Florida Hospital parking garage.
However, prior to his termination from Celebration Health, the former employee, Dale Munroe (along with his wife and a co-worker), improperly accessed over 750,000 patient emergency department records at the various Florida Hospital locations, allegedly then selling those records related to car accidents to an entity, S.K. In turn, S.K. would sell the information to an entity or entities that solicited and referred patients for chiropractors and attorneys. Patients whose information was allegedly sold would receive a phone call shortly after their emergency department visit.
After Munroe was terminated, his wife and co-worker continued to access patient records. After the hospital was notified by an employee who had received a solicitation call, the wife and co-worker were also fired, and a breach was reported in 2011. While the hospital was conducting audits in response to the breach, it discovered the depth of Munroe’s actions prior to his termination. Since then, the actions of these three individuals have been under investigation.
Munroe is the only one who has been arrested so far. The complaint alleges violations of the criminal provisions of HIPAA at 1320d-6(a) and 1320d-6(b)(3) for intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, which carries with it a fine of not more than $250,000, imprisonment of not more than 10 years, or both. While over 750,000 records were improperly accessed, only approximately 12,000 records are believed to have been viewed in depth and sold.