Issue link: https://beckershealthcare.uberflip.com/i/1120168
44 CIO / HEALTH IT HHS implements HIPAA fine caps based on level of culpability By Andrea Park F ines for HIPAA violations in which the affected party had no knowl- edge of nor culpability in the priva- cy breach will now be capped at $25,000, a fraction of the previous $1.5 million limit, according to a notice of enforcement dis- cretion from the HHS. e update, issued on April 26, is not an amendment to HIPAA, but merely a new interpretation of the existing fine structure in the Health Information Technology for Economic and Clinical Health Act, which amended HIPAA in 2009. e previous reading of those provisions saw a total annu- al fine limit of $1.5 million for all HIPAA vi- olations, regardless of the level of culpability. Under the new interpretation, breaches will be penalized under one of four tiers. 1. Parties completely absolved of all cul- pability in the breach will be fined a maxi- mum of $25,000 per year. 2. ose who did not willfully violate HI- PAA but experienced a breach due to "rea- sonable cause" will be limited to $100,000 in annual fines. 3. Breaches that occurred due to "will- ful neglect" but were rectified in a timely manner will be fined up to $250,000. 4. e $1.5 million yearly cap will still ap- ply to the highest-tier violations, which are caused by willful neglect and are not corrected as soon as possible. Under the previous total fine cap of $1.5 million, HHS collected a record amount in HIPAA fines in 2018: a total of $28.7 million, including the largest-ever individ- ual settlement of $16 million, with health insurer Anthem. n Cerner to launch EHR-agnostic tool for bundled payments By Mackenzie Garrity C erner and naviHealth, a provider of post-acute care management, have extended their partnership to create a new offering for Medicare's Bundled Payments for Care Improvement Advanced program. The two companies have been working together for the past five years to de- velop the offering, which is expected to launch in January 2020. Cerner and naviHealth's new value-based, EHR-agnostic offering is expected to support af- fordable and accessible healthcare that is centered around the patient. Cerner has restructured its operating model to focus on pursuing break-through innovation. With this new offering, Cerner will be able to help organizations ad- vance clients' success, provide better health experiences and outcomes and become a partner in post-acute care. Today, naviHealth is active in the BPCI Advanced program, providing services in 22 states to more than 140 hospital partners. The company will leverage Cern- er's HealthIntent data platform to use against its predictive assessment tools, care management platform and care navigation expertise. Under BPCI Advanced, providers agree to a pre-defined reimbursement amount for 32 CMS-defined episodes of care or chronic conditions. These bun- dled payments aim to bring cost transparency to healthcare. n MD Anderson appeals $4.3M HIPAA penalty By Mackenzie Garrity H ouston-based University of Texas MD Anderson Cancer Center filed an appeal April 9, claiming the $4.3 million HIPAA fine that HHS imposed on the hospital was unlawful, according to GovInfoSecurity.com. HHS slapped MD Anderson with the fine after MD Anderson reported three data breaches that involved unencrypted devices. An investigation spurred af- ter three data breach reports in 2012 and 2013. The reports involved the theft of an unencrypted laptop and the loss of two unencrypted flash drives. The investigation found that while MD Anderson had encryption polices since 2006, it did not adopt systemwide encryption of electronic personal health in- formation until 2011. The Office for Civil Rights said MD Anderson also failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013. In the appeal, MD Anderson argues that because HHS is a federal agency it does not have the authority to impose civil monetary penalties against the can- cer center because MD Anderson is a state agency. The hospital is also arguing that HHS exceeded its civil penalty authority "beyond the statutory caps" and imposed an "excessive" penalty, according to the report. MD Anderson is asking for a permanent injunction that would prohibit HHS from attempting to enforce or collect the $4.3 million penalty. The cancer center also is seeking to recover all its litigation costs. n