Wednesday, March 14, 2012

MSBCBS of TN Settles HIPAA/HITECH Violation for $1.5M

The HHS Office for Civil Rights (OCR) announced a settlement of $1.5M with Blue Cross Blue Shield of Tennessee (BCBST) relating to potential violations under the HIPAA Privacy and Security Rules. According to the OCR press release, the enforcement action by OCR is the first reported as resulting from a breach report required under the new Breach Notification Rule implemented as a result of the HITECH provisions of HIPAA.

The breach involved 57 unencrypted computer hard drives that were stolen from a facility leased by BCBST in Tennessee. The hard drives contained protected health information of approximately 1 million individuals. The breach was reported by BCBST to OCR under the HITECH provisions and regulations that require reporting of potential breaches. The press release indicates that OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

For more information check out the HHS press release "HHS settles HIPAA case with BCBST for $1.5 million" which includes a link to the HHS Resolution Agreement entered into between OCR and BCBST.

Saturday, March 10, 2012

OHFLAC Announces New Independent Informal Dispute Resolution Procedure for West Virginia Nursing Homes

The latest West Virginia Health Care Association e-News Update announced that the Office of Health Facility Licensure and Certification (OHFLAC) has put into place a new Independent Informal Dispute Resolution (IIDR) review of disputed deficiencies for all nursing homes in West Virginia. The new IIDR procedure goes into effect immediately and three out of state vendors experienced in IDRs were selected to be the third party reviewers. The current Informal Dispute Resolution (IDR) will remain as an alternative option.

According to the e-News Update, the new procedure will be detailed in a letter to providers when OHFLAC returns the Statement of Deficiencies to the provider after a survey. The letter will contain instructions on how to request an IIDR. OHFLAC is proposing to use the following language in the letters:
In accordance with 42 CFR 488.331, you have an opportunity to question cited deficiencies through an informal dispute resolution process. To request an informal dispute resolution, please submit in writing the specific deficiencies being disputed and an explanation of why you are disputing those deficiencies to:

                                    Informal Dispute Resolution Review Committee
                                    Office of Health Facility Licensure and Certification
                                    408 Leon Sullivan Way
                                    Charleston, WV 25301-1713
You may also send your request via email to
This request must be sent during the same ten (10) calendar days you have for submitting a Plan of Correction (POC) for the cited deficiencies and must be contained on a document separate from the CMS-2567L, which contains the POC. 
You may choose between an informal dispute resolution (IDR) and an independent informal dispute resolution (IIDR).  You must clearly indicate your choice in the attention line of your request and the subject line of your email. An IDR will be completed by OHFLAC staff not associated with the referenced survey event.
Per West Virginia State Code §16-5C-12a, an IIDR will be completed by an independent review organization.  If an independent informal dispute resolution process is selected, the matter will be assigned to one of three independent review organizations accredited by the Utilization Review Accreditation Commission.  The facility may be subject to certain costs such as:
•     The cost of a face-to-face conference if one is requested; and
•     The cost charged by the independent review organization, should the facility not be successful in its dispute.
Please call us at 304-346-4575 if you have any questions.
The new IIDR procedure will allow nursing homes an alternative option to the standard IDR process when questions arise during the survey process and related POC requirement. The new procedure will allow a nursing home provider to challenge the particular survey finding through an alternative/independent process. Whether this new alternative procedure will be valuable to nursing home providers is yet to be seen.