Consortium News

  • 02 Sep 2015 2:09 PM | Denny Brennan (Administrator)

    OCR Director Provides an Update, Announces a HIPAA Settlement

    Marianne Kolbasuk McGee (HealthInfoSec) • September 2, 2015

    The Department of Health and Human Services' Office for Civil Rights is getting closer to resuming the random HIPAA compliance audit program. In addition, it's completed another HIPAA settlement related to a breach, and it's planning a number of compliance-related initiatives for the fall, OCR Director Jocelyn Samuels said in a Sept 2 presentation.

    Samuels' comments came during a keynote address at an annual HIPAA security conference in Washington, D.C., hosted by OCR and the National Institute of Standards and Technology.

    More HIPAA compliance audits "are coming," Samuels said, but she stopped short of offering a timeline or revealing how many covered entities and business associates will be audited. "Audits are a critical tool. It enables us to get in front before [HIPAA noncompliance results in] a breach," she says. The audits provide technical assistance to address the most common problems in HIPAA non-compliance, she notes.

    OCR recently hired a vendor to assist in the audit program, Samuels revealed in her presentation. An OCR spokeswoman tells Information Security Media Group that FEi Federal recently signed a contract to provide support management services for the audits, which will actually be performed by OCR staff.

    The majority of the audits will be "desk" or remote audits, but there will also be "some" onsite audits, Samuels said. The audits will look at key areas of HIPAA compliance, especially those problem areas pinpointed during OCR's breach investigations, such as a lack of comprehensive, timely risk assessment and mitigation. "We're hopeful the audit program will send a message that complying with HIPAA is serious business," Samuels said.

    Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, who attended the HIPAA conference, says Samuels' announcement about the audit program is "reaffirmation" that OCR is ramping up HIPAA enforcement efforts. "The biggest change is OCR saying it will use a contractor" to assist in the audits, he says, which could help OCR to better utilize its own stretched internal resources.

    Breach Settlement

    The lack of a timely risk analysis has been a recurring theme in OCR enforcement actions, including a new settlement and resolution agreement announced by Samuels during her Sept. 2 keynote.

    OCR has reached a $750,000 settlement with Cancer Care Group, P.C., a radiology oncology practice in Indiana with 13 clinicians, which suffered a health data breach in 2012 as a result of the theft of an unencrypted laptop computer and back-up media from an employee's car. The computer and storage device contained names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care Group patients.

    An OCR investigation into the breach found widespread non-compliance issues, she says, including the lack of an enterprise-wide risk analysis. In addition, Cancer Care Group did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI from its facilities, even though this was common practice within the organization, she says.

    "An enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care's ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility," she says.

    A resolution agreement signed with the cancer practice includes a corrective action plan that sets out a number of steps, among them conducting a risk analysis, that the organization must take to improve its HIPAA compliance.

    Other Efforts

    Other OCR projects in the works that Samuels highlighted in her keynote address included:

    • Working with the National Institutes of Health on President Obama's Precision Medicine initiative announced in January. OCR is working with NIH on patient privacy protections "to be built into" the efforts, which focus on the use of genomic, lifestyle and other patient information for "transformative developments" related to more personalized medical treatments.
    • Preparing new OCR guidance this fall that will provide patients and healthcare providers with information about patients' rights to access their health information and send it to third parties.
    • Developing guidance on cloud computing and HIPAA privacy and security.
    • Introducing a new Web portal, likely this fall, to help software developers navigate HIPAA compliance for emerging technologies. "We want to offer those developers of new technologies to have a dialogue with us," Samuels said.
  • 27 Aug 2015 2:58 PM | Denny Brennan (Administrator)

    Tony Bradley | CSO | Aug 27, 2015 8:52 AM PT

    Secure authentication is crucial to protect data and guard your identity from being stolen or hijacked. The vast majority of authentication used today is based simply on a username and password, which has proven time and time again to be inherently insecure. Perhaps it’s time to change our definition of authentication.

    The All-in-One CISSP Exam Guide (a book I *highly* recommend if you’re studying for the CISSP exam) describes authentication like this: “Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.”

    Let’s use the front door of your home as an example scenario. Something you know can be a secret knock or secret password or possibly a PIN code used to unlock a door. Something you have would be a physical key required to unlock the door. Something you are would be a fingerprint or retinal scan or facial recognition. It doesn’t even have to be high-tech. It can be as simple as me knowing what my brother looks like and granting him access based on a cursory visual inspection of the person standing on my porch.

    Now, let’s examine each of those a little closer. Something you are is difficult to replicate or steal. Your unique biometric characteristics are yours and yours alone. It is technically possible to clone a fingerprint or trick some facial recognition tools with a photo or mask, but even that is becoming less feasible. Microsoft recently revealed that Windows Hello can differentiate between two identical twins.

    Something you have is easier to steal or copy, but in most cases it requires physical access to, or possession of, the authentication method. For example, someone can steal the key to your front door or make a copy of it, so it is possible for someone else to possess your authentication method, or for more than one copy of it to exist.

    Then there’s something you know. Something you know is very easy to compromise or steal. Someone can eavesdrop on your secret knock or secret password. A password can be written down. It can be shared with others. It’s possible for five, fifty, or five thousand people to all know what your password is. It’s also possible to guess or crack something you know in most cases. It may take weeks, months, or years—but there is a finite number of possible things to know.

    That is the problem.

    There is only one you to be something you are. You only have one physical key, or USB device, or mobile device to be something you have—possibly a few in the case of a physical key. Something you know, however, can literally be something that everyone knows. There is no limit on how many people can know your special something. Something you know can be easily cracked or compromised. It is innately the least secure of the three authentication methods and it has been the direct cause of many—if not most—of the major security and data breaches in recent years.

    We need more devices with fingerprint scanners and more PCs equipped with the Intel RealSense 3D camera necessary for Windows Hello facial recognition, because it’s time to stop using passwords, PINs, or anything else in the something-you-know category as a means of authentication.

  • 26 Aug 2015 4:44 PM | Denny Brennan (Administrator)

    Aug 26, 2015, 4:11pm EDT: Jessica Bartlett, Reporter, Boston Business Journal

    CVS Health is partnering with Boston-based American Well and two other virtual health care companies to explore collaborations in the area of remote medicine.

    CVS Health (NYSE: CVS) announced partnerships with Boston-based American Well, California-based Doctor on Demand, and Texas-based Teladoc to explore how the groups can all work together to deliver so-called telehealth — care that is delivered via either phone or video chat.

    “During our initial phase of exploration of telehealth in our store-based clinics, we learned that we could deliver excellent quality care and that patients were extremely satisfied with the care provided,” said Dr. Andrew Sussman, executive vice president/associate chief medical officer of CVS Health and president of MinuteClinic, in a release. “As we examine additional ways to utilize telehealth to improve and expand patient care, we have the opportunity to partner with telehealth organizations in the care of patients at home.”

    Brian Tilzer, senior vice president and chief digital officer for CVS Health, said in a statement that "some of the best ideas are already being developed."

    "We’re committed to partnering with other companies to explore and expand on these ideas together,” he said.

    While CVS will partner with all three companies, American Well recently filed a lawsuit against Teladoc for patent infringement.

    The partnerships follow several related moves on the part of CVS. In June it purchased Target pharmacies, then said it would open a Digital Lab in Boston. In July the company said it would partner with IBM's supercomputer Watson to analyze patient data, showcasing a broader business move to bring health care into increasingly retail and readily accessible environments.

    CVS is hoping to make telehealth available through CVS Health’s digital properties, and would explore enabling its 1,000 MinuteClinics to consult with physicians to expand the scope of the retail provider, or to even be a site for in-person exams to facilitate telehealth visits.

    “With the increased demand for patient care anticipated in future years as a result of the expansion of coverage through the Affordable Care Act, the primary care physician shortage, aging of the population and epidemic of chronic disease, telehealth gives us the opportunity to offer high quality care to an expanded group of patients in a variety of convenient and cost-effective locations,” Sussman said.

  • 26 Aug 2015 3:11 PM | Denny Brennan (Administrator)

    By Priyanka Dayal McCluskey, Boston Globe Staff, August 25, 2015

    A federal program to reduce the cost of providing care to seniors produced sizable savings in Massachusetts over the past three years, adding momentum to efforts to change the way doctors and hospitals are paid for providing health care.

    New figures show five Massachusetts health systems saved a combined $141 million during that period as part of the program, which aims to rein in costs by better coordinating care for Medicare patients and cutting unnecessary hospital stays and medical services. Doctors manage care for these patients in pools known as Pioneer accountable care organizations.

    Nationwide, these organizations saved $304 million in three years, federal officials said Tuesday. Still, that is a tiny fraction of the more than $1 trillion spent during this period by Medicare, the government health insurance program for seniors.

    “The numbers tell me it’s working, that new payment mechanisms are getting providers to change the way they deliver care, and those changes are producing measurable results,” said Dr. Timothy G. Ferris, senior vice president of population health management for Partners HealthCare.

    Partners said it saved $40 million in providing care to the seniors in its accountable care organization from 2012 to 2014.

    Beth Israel Deaconess Care Organization, a network of health care providers including Beth Israel Deaconess Medical Center, saved $50 million over the same period, while Steward Health Care System saved $30 million.

    “It’s a great three-year story,” said Dr. Sanjay Shetty, president of Steward’s physician network. “It fits with Steward’s bigger strategy of bringing value and accountable care to as many patients as we can.”

    The physicians group affiliated with Mount Auburn Hospital saved nearly $14 million in three years, and the large physicians network Atrius Health saved $7.5 million. That was less than the other Massachusetts health systems, Atrius said, because it was already saving money by coordinating care for seniors before this federal program was launched.

    The savings are based on how much Medicare would have spent to provide care to patients under traditional payment systems, known as fee-for-service, which compensate doctors and hospitals for every visit, test, and procedure.

    Accountable care organizations give doctors and hospitals spending targets for providing care. When providers come in below budget and achieve high-quality scores, they earn more money and the federal government saves.

    Accountable care organizations are a key component of the federal Affordable Care Act, also known as Obamacare. Although they cover a small portion of Medicare patients nationwide now, federal officials have said they want to move most Medicare patients and their providers under such alternative payment programs in the next few years.

    Commercial insurers have developed similar models for patients in commercial health plans. The state’s largest insurer, Blue Cross Blue Shield of Massachusetts, in particular, is working to expand the number of members covered under such payment plans.

    Five of the 20 Pioneer accountable care organizations nationwide are in Massachusetts. Fifteen of them nationally saved money, while five had losses.

  • 25 Aug 2015 9:35 PM | Denny Brennan (Administrator)

    By Melanie Evans | Modern Healthcare | August 25, 2015

    Three out of four Medicare accountable care organizations did not slow health spending enough to earn bonuses last year, a continuation of mixed results for an initiative that federal officials have targeted for rapid expansion.

    Medicare released 2014 results for 353 accountable care organizations, which include hospitals and physician groups that agreed to meet targets for quality and slow spending. Those that succeed can keep a share of money they save. In January the Obama administration announced plans to aggressively increase the share of Medicare spending under accountable care and other alternative payment models through 2018.

    Last year, 97 ACOs earned bonuses totaling $422 million out of $833 million in savings they produced. Savings are awarded under formulas that account for performance on quality targets after the first year in the program. (For ACOs in their first year, organizations must report quality scores but do not have to meet performance targets.)

    The CMS said results “show that ACOs with more experience in the program tend to perform better over time.”

    The results the agency published Tuesday include savings for 20 Pioneer ACOs, a small group of the most sophisticated organizations participating in a separate program administered by the CMS Innovation Center. That group began with 32 ACOs, but several have dropped out, either to join Medicare's larger and less risky accountable care effort, the Shared Savings Program, or to exit entirely. One of the dropouts was included in 2014 results, though the organization did not stay the entire year.

    Eleven of the Pioneer ACOs earned savings bonuses that totaled $82 million. Another five Pioneer ACOs were required to return $9 million to Medicare. The average quality score for Medicare ACOs edged upward in 2014 from the prior year. Quality scores for 28 of the 33 measures improved.

    Some Pioneer ACOs reported significant savings. Banner Health Network, one of the remaining Pioneer ACOs, accounted for $29 million in total savings. The Montefiore ACO saved $18 million.

    Officials at both organizations said performance was boosted by attention to post-acute care costs and quality. Banner Health's ACO developed a preferred network of skilled-nursing facilities and recommends those facilities to patients.

    Other Pioneer ACOs have developed similar networks among skilled-nursing homes, where data show variation in quality and spending. Banner vetted local skilled-nursing facilities with questions on quality and culture.

    Shaun Anand, the Banner Health Network chief medical officer, said improvement in post-acute care was a significant contributor to the ACO's results.

    The Montefiore ACO worked with skilled-nursing facilities to avoid hospitalization, where possible, by finding alternatives for services that could be delivered elsewhere, such as blood transfusions.

    Ninety-two ACOs in the Medicare Shared Savings Program earned bonuses, but six did not receive payouts because they did not meet the quality requirements. Quality improved on 27 of 33 quality measures for those ACOs with more than one year of performance results.

    “These results show that accountable care organizations as a group are on the path towards transforming how care is provided," acting CMS Administrator Andy Slavitt said in a news release. “Many of these ACOs are demonstrating that they can deliver a higher level of coordinated care that leads to healthier people and smarter spending.”

    Medicare's shared savings program has struggled to push hospitals and doctors into contracts that carry more financial risk for them. ACOs can earn bonuses, but the bonuses are larger for ACOs that agree to absorb losses when patients' medical bills grow too rapidly.

    Contracts with more financial risk are a more powerful motivation for providers to achieve quality and cost-control targets. But many ACOs balked at plans to increase the financial risks after three years. Medicare conceded this summer, with new rules that allow more time without potential losses.

  • 25 Aug 2015 9:27 PM | Denny Brennan (Administrator)

    Aug 25, 2015, 4:34pm EDT

    Jessica Bartlett, Reporter, Boston Business Journal

    The Imprivata device scans patients' hands as a better way to identify them.

    Next time you walk into the hospital, you might be identified not by your social security number or birthday, but by the pattern of veins in the palm of your hand.

    Imprivata has launched a new patient identification process called “palm vein biometrics”, which takes a scan of a patient’s hand and captures the unique palm vein pattern.

    The technology will link a patient to their medical record, and is intended to diminish duplicative electronic health records, reduce attempts at identity theft and diminish insurance fraud, without the stigma of fingerprints or the invasiveness of an eye scan.

    “It’s 100 times more accurate (than fingerprint biometrics). It’s convenient, there’s no stigma and it’s really easy to use,” said Omar Hussain, president and CEO of Imprivata. “Put your palm down and you’re easily identified. As patient ID becomes the next big issue, we thought this acquisition would position Imprivata to capitalize on great technology.”

    The technology came out of HT Systems of Tampa, a company Imprivata acquired in April for $19 million. Imprivata launched the technology through its own software system on Tuesday.

    The Lexington health IT company said it plans to market the device to hospitals, either as self-serve kiosks or at the enrollment station in hospitals. From there, the hospitals will likely deploy it to clinics where the hospital’s physicians participate.

    Hussain said Imprivata closed on the deal with HT Systems in June, and the company has spent the last several months ramping up the product and the branding.

    The technology will expand Imprivata’s offerings from data security for providers, such as a single log-in for electronic health records, to patient identification and enrollment.

    Patient identification is one of the biggest issues in health care, Hussain said. Studies have shown that approximately 10-15 percent of all medical records are duplicates. Another 6-10 percent of medical errors occur because a physician is treating the wrong patient.

    “You identify the wrong patient, you’re talking life and death. When you’re not sure of the patient, you start a new record,” Hussain said. “As health care systems start to get automated, that 10-15 percent of duplicative medical records becomes a patient safety issue and a monitoring issue. Fraud is up 22 percent in the U.S. because if one person doesn’t have insurance, they will use their brother’s information. If the hospital misidentifies the patient, the hospital gets sued.”

    Case studies in a Texas hospital showed there were 531 Maria Garcias with the same birthday enrolled in the hospital’s database. Another 70,000 patients matched up with another record that had the same first and last name and date of birth.

    “Right now, one of the biggest arguments in Congress is unless you can uniquely identify a patient, all these arguments about interoperability and improving patient safety is irrelevant,” Hussain said.

    Imprivata has added dozens of employees to support the new technology, and Hussain said the 429-person company will expand to support product lines as needed.

    “We’re going to expand a successful technology and bring it to the market globally over the next year or so,” Hussain said.

  • 17 Aug 2015 10:06 AM | Denny Brennan (Administrator)

    Beth Walsh, Clinical Innovation + Technology, August 16, 2015

    The National Cybersecurity Center of Excellence (NCCoE) has released a draft for public comment of the first guide in a new series of publications that will show businesses and other organizations how to improve their cybersecurity using standards-based, commercially available or open-source tools.

    The step-by-step guide demonstrates how healthcare providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information and still take advantage of advances in communications technology.

    The guide was developed because the use of mobile devices to store, access and transmit EHRs is outpacing the privacy and security protections on those devices, according to a release.

    Securing Electronic Records on Mobile Devices provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from the National Institute of Standards and Technology (NIST) and others, and to HIPAA rules. The guide takes into account the need for different types of implementation for different circumstances, such as when cybersecurity is handled in-house or is outsourced.

    The draft guide was developed by industry and academic cybersecurity experts, with the input of healthcare providers who first identified the challenge. The center then invited technology providers with relevant commercial products to partner with NIST through cooperative research and development agreements and collected public feedback at multiple steps along the way.

    The team at the NCCoE built a virtual environment that simulates interaction among mobile devices and an electronic health record system supported by the IT infrastructure of a medical organization. They developed a scenario in which a hypothetical primary care physician uses her mobile device to perform recurring activities such as sending a referral containing clinical information to another physician or sending an electronic prescription to a pharmacy. Then, using commercially available technologies, they built a solution to improve privacy and security protections.

  • 14 Aug 2015 5:02 PM | Denny Brennan (Administrator)

    This week, Atrius Health announced that home health care affiliates VNA Care Network & Hospice and VNA of Boston received high Quality of Patient Care Star Ratings from the Centers for Medicare & Medicaid Services (CMS). These new scores from CMS will allow consumers to compare and choose among home health agencies on the basis of quality patient care. VNA Care Network & Hospice received a 4.0 out of 5.0 star rating, one of the 20% of home health agencies nationwide that received a 4-star rating or better. VNA of Boston received a 4.5 star rating, landing within the 8% of home health agencies in the country to receive that score or better. Both ratings are higher than the national and state averages, which are 3.0 and 3.5 respectively.

    "Delivering this level of home health and hospice requires compassionate care from dedicated staff who are willing to go above and beyond for their patients. I'm proud to say that our teams exceed those standards and we look forward to continuing to improve even more our provision of high quality care to those we serve," said Mary Ann O'Connor, President & CEO of VNA Care Network Foundation. "I am thrilled to extend my utmost congratulations to VNA Care Network & Hospice and VNA of Boston for their well-deserved Medicare Star Ratings."

    This year marks the first time CMS has evaluated home health agencies in quality patient care. The ratings will appear on the CMS Home Health Compare (HHC) website in October 2015. CMS calculated these ratings through patient assessments performed by each home health agency, and evaluated each agency based on 9 of the 29 quality measures posted on Home Health Compare.

    These nine quality measures include:

    • How often the home health team began their patients' care in a timely manner.
    • How often the home health team made sure that their patients have received a flu shot for the current flu season.
    • How often the home health team taught patients (or their family caregivers) about their prescribed drugs.
    • How often home health patients got better at walking or moving around.
    • How often home health patients got better at getting in and out of bed.
    • How often home health patients had less pain when moving around.
    • How often home health patients got better at bathing.
    • How often home health patients' breathing improved.
    • How often home health patients had to be admitted to the hospital.

    About Atrius Health

    Atrius Health is the Northeast's largest nonprofit independent multi-specialty medical group. The Atrius Health practices (Dedham Medical Associates, Granite Medical Group and Harvard Vanguard Medical Associates), together with VNA Care Network & Hospice, serve 675,000 patients across eastern Massachusetts. A national leader in delivering high-quality, patient-centered coordinated care, the Atrius Health medical groups and home health agency & hospice work together, and in collaboration with hospital partners, community specialists and skilled nursing facilities, to develop innovative, effective and efficient ways of delivering care in the most appropriate setting, making it easier for patients to be healthy.

  • 13 Aug 2015 10:16 PM | Denny Brennan (Administrator)

    August 13, 2015, AAAS, by Rajiv Leventhal

    Researchers from Boston-based Beth Israel Deaconess Medical Center (BIDMC) have zeroed in on the potential benefits of allowing patients access to the notes their clinicians write after a visit.

  • 13 Aug 2015 10:57 AM | Denny Brennan (Administrator)

    Tech Crunch, Jordan Crook

    The company, launched back in 2011, provides software framework for things like payment processing, eligibility checks from insurance companies, referrals, claims submissions, online scheduling, patient identity management and provider search.

Massachusetts Health Data Consortium
460 Totten Pond Road | Suite 690
Waltham, Massachusetts 02451

© Massachusetts Health Data Consortium