Education, News Events, Social Media, Tip of the Week, Upcoming Events

National Health IT Week

September 26-30, 2016

A Message from President Obama Commemorating National Health IT Week


“During National Health IT Week, we recommit ourselves to improving the health of our citizenry using the breakthrough technologies of our time and reaching for the next frontier of innovation…Because of our collective efforts, 97 percent of our Nation’s hospitals and three-quarters of doctors are using electronic records to care for their patients…These efforts help advance our Administration’s goal of fostering the seamless and secure flow of electronic health information when and where it is needed most. Though there is more to be done to realize a healthcare system that fits each of our needs, I am confident that if we continue working together, we can build a future of greater health and prosperity for coming generations.”

President Barack Obama, commemorating National Health IT Week

For the full message see:

Here are some of the events. View daily for updates.

  • New resources: Health IT Playbook, EHR Contract Guide
  • Blockchain white papers posted
  • Newest survey on hospitals using certified EHRs
  • Dr. Vindell Washington will be available on Tuesday, September 27 at 11:00 am ET using #AskVindell for Twitter Chat
  • Twitter Chat on Model Privacy Notice on Thursday, September 29th at 2:00 pm ET using #MPNchat
Education, News Events, Tip of the Week, Upcoming Events

Introduction to the Health IT Playbook



The Office of the National Coordinator (ONC) within the U.S. Department of Health and Human Services (HHS) developed this 1st edition of the Health IT Playbook (Release 1.0) to address many of the questions that providers ask during implementation and use of health IT. Compiled from multiple research sources and from both previously developed and newly created tools, this playbook provides content that addresses these questions and more:

  • How do I choose, implement, or upgrade an electronic health record (EHR) system?
  • How do I redesign workflows to improve and optimize practice efficiency and effectiveness?
  • How can I connect and share information with other providers and public health officials?
  • How can I activate and engage patients and their families?
  • How do I learn more about improving patient outcomes and prepare for new quality payment programs?
  • How do I protect the confidentiality, integrity, and availability of personal health information in my EHR system?

Topics will include Electronic Health Records, Certified Health IT, Health Information Exchange, Patient Engagement, Value-Based Care, Privacy and Security, Quality & Patient Safety, Care Settings, Population and Public Health, and Specialists.

For the complete playbook visit: The Office of the National Coordinator for Health Information Technology HEALTH IT PLAYBOOK:


Cyber Security, Data Breach, HIPAA / HITECH Enforcement, OCR HIPAA Audits, Risk Analysis/Risk Management, Settlements

Largest Settlement Agreement to Date Assessed by the OCR

The Office for Civil Rights (OCR) has assessed the largest settlement amount to date against Advocate Health Care Network. The OCR fined Advocate $5.55 million for multiple potential violations of the HIPAA Security Rule.

The investigations that eventually led to the fine were initiated in 2013 after three successive self-reported data breaches by Advocate. Two of the three were related to a Business Associate of Advocate. OCR stated, “This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”

The press release and a link to the settlement agreement can be found here. Note that the link to the source document, the settlement agreement itself, stopped functioning a few hours after the press release went out. Please see: 

This settlement reinforces the importance of including all of an organization’s PHI in its risk analysis process, and of reviewing and including all Business Associates and Business Associate Agreements.

Cyber Security, Data Breach, HIPAA / HITECH Enforcement, OCR HIPAA Audits, Settlements

Improper Disclosure of Research Participants’ PHI Results in $3.9 million HIPAA Settlement

Readers, please make sure you read all the way to the end because this article points out a significant part of the Corrective Action Plan in this settlement, and the previous one.

March 17, 2016

From the HHS Press Office

Improper Disclosure of Research Participants’ Protected Health Information Results in $3.9 million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research. Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty-one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement may be found on the OCR website at

A notable and consistent theme present in the Corrective Action Plan (Appendix A) of both of the recent settlement agreements is the following section, “As a part of this process, [ENTITY] shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store [ENTITY] ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis.” This is of significant note for two reasons:

  1. As consultants in the performance of risk analysis activities, we have seen that an accurate inventory of data, systems, and applications is a Unicorn. It is both a beautiful thing and non-existent.
  2. The requirement of the CAP includes personally owned devices which will then be incorporated into its risk analysis. Wow! This is a huge scope change for a risk analysis, and requires Physicians, APNs, Therapists, Executives, and others to allow their devices’ security to be assessed.

Hopefully the OCR will offer some clarification on this point either in presentations or through other methods as this small phrase in one sentence has huge implications!
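The CAP language above turns "complete inventory, including personally owned devices, incorporated in the risk analysis" into a concrete, checkable obligation. The following Python script is an added illustration of how a practitioner can test that obligation; it is not code from this newsletter, from RISC Management and Consulting, or from OCR. It reconciles a declared asset inventory against records of devices actually observed touching ePHI systems (for instance an EHR access log or an MDM export) and reports three gaps the risk analysis has to close: devices seen on ePHI systems that the inventory does not know about, inventoried ePHI-bearing devices (personally owned or not) that are not yet in the risk-analysis scope, and inventory rows whose "stores ePHI" flag contradicts observed use. All asset ids, user names, system names and field names are constructed sample values, not any real schema.

```python
"""Reconcile an ePHI asset inventory against observed device activity.

Added example for the CAP requirement quoted in the article. Every record
below is constructed sample data and every field name is an assumption; a
real deployment would load the inventory from the organisation's CMDB and
the observed records from EHR access logs or an MDM export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: str
    personally_owned: bool   # BYOD device (the CAP pulls these into scope)
    stores_ephi: bool        # inventory's claim about the device
    in_risk_analysis: bool   # already covered by the current risk analysis


# Constructed: what the organisation's inventory claims.
INVENTORY = [
    Asset("LT-0001", "clinic-it", False, True, True),
    Asset("LT-0002", "dr-smith", True, True, False),   # BYOD laptop with ePHI, never assessed
    Asset("SRV-0100", "clinic-it", False, True, True),
    Asset("TAB-0007", "therapy", False, False, False),  # inventory says "no ePHI"
]

# Constructed: devices observed accessing systems that hold ePHI.
OBSERVED = [
    {"device_id": "LT-0001", "user": "nurse1", "ephi_system": "ehr-prod"},
    {"device_id": "LT-0002", "user": "dr-smith", "ephi_system": "ehr-prod"},
    {"device_id": "PHONE-42", "user": "apn-jones", "ephi_system": "ehr-prod"},  # not inventoried
    {"device_id": "LT-0001", "user": "nurse2", "ephi_system": "lab-results"},
    {"device_id": "TAB-0007", "user": "therapist3", "ephi_system": "ehr-prod"},  # contradicts flag
]


def reconcile(inventory, observed):
    """Return the findings a risk analysis must close.

    unknown      - device ids seen on ePHI systems but absent from the inventory
    out_of_scope - inventoried ePHI-bearing devices not yet in the risk analysis
    stale_flags  - inventoried devices marked as not storing ePHI but observed on ePHI systems
    """
    by_id = {a.asset_id: a for a in inventory}
    seen = {}
    for rec in observed:
        seen.setdefault(rec["device_id"], set()).add(rec["ephi_system"])

    unknown = sorted(d for d in seen if d not in by_id)
    out_of_scope = sorted(a.asset_id for a in inventory
                          if a.stores_ephi and not a.in_risk_analysis)
    stale_flags = sorted(d for d in seen
                         if d in by_id and not by_id[d].stores_ephi)
    return {"unknown": unknown, "out_of_scope": out_of_scope, "stale_flags": stale_flags}


def personally_owned_in_scope(inventory):
    """Ids of personally owned devices holding ePHI; under the CAP wording these
    belong in the risk analysis regardless of who owns the hardware."""
    return sorted(a.asset_id for a in inventory if a.personally_owned and a.stores_ephi)


if __name__ == "__main__":
    findings = reconcile(INVENTORY, OBSERVED)
    for kind, ids in findings.items():
        print(f"{kind:13s}: {', '.join(ids) or '(none)'}")
    print(f"BYOD in scope : {', '.join(personally_owned_in_scope(INVENTORY))}")
```

Run against the constructed data, the script flags the uninventoried phone, the physician's personally owned laptop that holds ePHI but was never assessed, and the tablet whose inventory flag disagrees with what the access log shows. Those three lists are the "unicorn" gap made visible: each entry is either a device that has to be added to the inventory or a scope change the risk analysis has to absorb.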

Sponsored by: RISC Management and Consulting, LLC

Appendix A

Corrective Action Plan Between The Department Of Health And Human Services And The Feinstein Institute For Medical Research may be found on the OCR website at