WEDI Letters

OCR Imposes $70k CMP for HIPAA Right to Access Violation. The Office for Civil Rights (OCR) announced a $70,000 civil monetary penalty (CMP) against a solo dental practice in Maryland that provides family dental care, as a result of an investigation based on a complaint that the dental practice failed to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee.

OCR first received a complaint alleging that the dental practice had failed to provide the complainant with access to her and her children’s medical records. OCR sent a technical assistance letter notifying the practice of its obligation to respond to requests for medical records and closed the complaint. After the complainant filed a second complaint alleging that the practice had still not provided her with access to the requested records, OCR opened an investigation. OCR’s investigation found that the dental practice failed to take timely action in response to the patient’s right of access request. In March 2022, OCR issued a Notice of Proposed Determination seeking to impose a $70,000 civil monetary penalty. The dental practice challenged OCR’s Notice of Proposed Determination and requested a hearing before an Administrative Law Judge (ALJ). On September 29, 2023, the ALJ imposed a $70,000 civil monetary penalty, which was upheld on appeal. Read the Notice of Proposed Determination here.

OCR Releases Video Outlining Critical Ransomware Issues. OCR released a video to educate health care covered entities on critical ransomware issues. Released in conjunction with National Cybersecurity Awareness Month, the video updates viewers on the ransomware trends the agency has seen as it has conducted cybersecurity investigations. The video also details guidance and resources, best practices and practical advice on how HIPAA compliance can help HIPAA regulated entities prevent, detect, respond to, and recover from ransomware attacks. Additional topics include OCR breach and ransomware trend analysis; a review of prior OCR ransomware guidance and materials; an analysis of the ransomware attack chain; and exploring how Security Rule compliance can combat ransomware.

CISA and FBI Release Secure by Design Alert. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a Secure by Design Alert called “Eliminating Cross-Site Scripting Vulnerabilities.” The Alert continues the two agencies’ plan to reduce critical infrastructure vulnerability to cyberattack. The Alert outlines that vulnerabilities like “cross-site scripting” continue to appear in software, enabling cyber criminals to exploit them. CISA and FBI recommend that business leaders at technology manufacturers review past instances of these defects and create a strategic plan to prevent them in the future.

405(d) Publishes New Poster on Endpoint Protection. The HHS 405(d) program, a public-private partnership focused on improving the nation’s cybersecurity, published a new poster on endpoint protection. The 405(d) Program recommends the following actions to safeguard endpoints: (i) Understand that health care organizations leverage devices that connect to the internet to access and share medical records, communicate with patients, and manage sensitive data; (ii) Recognize that computers, tablets, and mobile phones are entryways to an organization's network and it is essential to secure these endpoints to prevent unauthorized access and cyberattacks; (iii) Appreciate that maintaining excellent endpoint security helps ensure the confidentiality, integrity, and availability of patient data, reducing the risk of data breaches that can compromise patient safety and privacy. Go here to download the poster.

ASTP ONC Outlines Standards Adoption Among Health Information Exchange Organizations. In a blog post, the Assistant Secretary for Technology Policy, Office of the National Coordinator for Health IT (ASTP ONC) outlines the adoption of standards among health information exchange organizations (HIOs). HIOs are state and regional networks that enable electronic exchange of health information across their participants, which may include health care providers, public health agencies, payers, and other health care entities. ASTP ONC surveyed HIOs nationwide to assess current adoption and use of various standards, including the United States Core Data for Interoperability (USCDI) and Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®). Key findings from the survey include: (i) More than 90% of HIOs reported that they routinely or sometimes sent or made available to and received CDA documents from their participants; (ii) More than 80% of HIOs reported that they routinely or sometimes sent (or made available) and received any type of HL7 v2 messages; (iii) Fully 90% of HIOs routinely received data from their participants in the format of HL7 v2 admission, discharge, and transfer (ADT) messages; and (iv) About one-fifth of HIOs routinely or sometimes sent or made data available and received data via HL7 FHIR APIs.

HHS Announces 2024 LEAP in Health IT Awardees. The U.S. Department of Health and Human Services (HHS), through ASTP ONC, announced two awards totaling $2 million under the Leading Edge Acceleration Projects in Health Information Technology (LEAP in Health IT) funding opportunity. LEAP in Health IT awardees seek to create methods and tools to improve care delivery, advance research capabilities, and address emerging challenges related to interoperable health IT. The May 2024 Special Emphasis Notice sought applications for two areas of interest: (1) develop innovative ways to evaluate and improve the quality of health care data used by artificial intelligence (AI) tools in health care, and (2) accelerate adoption of health IT in behavioral health settings. The 2024 LEAP in Health IT awardees are:

Area 1: Develop innovative ways to evaluate and improve the quality of health care data used by artificial intelligence (AI) tools in health care

Awardee: The Trustees of Columbia University in the City of New York, the governing board of Columbia University in New York City.
Project: Scalable, Shareable, and Computable Clinical Knowledge for AI-Based Processing of Hospital-Based Nursing Data (SC2K)

Overview: Advanced AI methods will increasingly use data documented by nurses. Insufficient knowledge of nursing practice, nurse decision-making, and nursing workflows risks both inaccurate and undiscovered data signals. The proposed study seeks to harness nursing knowledge in a systematic way to better capture the nuances of nursing data, leading to more comprehensive, accurate, and transparent algorithms. Additionally, the study seeks to develop scalable computational approaches to evaluate and improve the quality of data recorded by inpatient nurses and used in AI algorithms.

Objectives:

  1. Test and validate different computational methods (e.g., large language model, logistic regression, neural network) within a health care process modeling (HPM) framework applied to two AI-based use cases (classifying missing data versus missed care; classifying implicit biases) that leverage inpatient nursing and multi-modal data ready for integration with knowledge graphs. The HPM framework moves data science methods beyond transactional data analytics to model clinical knowledge, decision-making, and behavior to classify and make predictions about patients that are consistent with and can enhance the quality of the data captured and used to discover previously unknown patterns.
  2. Generate and validate a set of applicable knowledge graphs related to HPMs that are generalizable and valuable for the two AI-based use cases that leverage inpatient nursing and multi-modal data.
  3. Extend multi-modal approaches to HPM-informed scalable computational processes combined with knowledge graphs across five additional AI-based use cases that leverage inpatient nursing and multi-modal data.
  4. Build an open-source pipeline to share and reuse the HPM-informed scalable computational processes combined with knowledge graphs.

Area 2: Accelerate adoption of health IT in behavioral health settings

Awardee: Oregon Health & Science University (OHSU). OHSU, a system of hospitals and clinics across Oregon and southwest Washington, is Oregon’s only public academic health center.

Project: Behavioral Health eCarePlan Collaborative Project

Overview: This project seeks to adapt an open-source SMART on Fast Healthcare Interoperability Resources® (FHIR®) application based on the HL7® Multiple Chronic Condition (MCC) care plan effort for three behavioral health use cases and pilot the application in stand-alone behavioral health clinics with challenges in exchanging health information.

Objectives:

  1. Fine tune the MyCarePlanner/eCarePlanner applications to improve the exchange of structured behavioral health data, enabling both standard storage to a supplemental data store and write-back to any electronic health record (EHR) available. The system is built to allow any structured data collection form to be incorporated and translated into FHIR questionnaire queries.
  2. Connect and pilot the MyCarePlanner/eCarePlanner applications to a set of behavioral health providers with EHRs with limited health information exchange capabilities.
  3. Perform a formal evaluation of the applications’ capabilities for three key behavioral health use cases.
  4. The results will be shared not only with the behavioral health sites and their patients, but also with a number of key groups focused on open-source tools, including HL7, behavioral health peer support networks, and the eCarePlan cross-agency management group.

Senate Subcommittee Issues Report on Use of Prior Authorization by MA Plans. On May 17, 2023, the U.S. Senate Permanent Subcommittee on Investigations Majority Staff launched an inquiry into the barriers facing seniors enrolled in Medicare Advantage in accessing care. PSI sought documents and information from the three largest Medicare Advantage insurers who together cover nearly 60 percent of all Medicare Advantage enrollees. The report presents new findings based on the more than 280,000 pages of documents obtained from these three companies to date. The subcommittee’s recommendations included: (i) CMS should begin collecting prior authorization information broken down by service category. The data the agency currently requires insurers to submit leaves it unclear whether insurers are using prior authorization to target specific types of care; (ii) CMS should conduct targeted audits if insurer prior authorization data reveal notable increases in adverse determination rates. Once the agency has service category data, it could more efficiently allocate resources by targeting audits at insurers whose submissions indicate significant increases in denial rates; (iii) CMS should expand regulations for insurers’ utilization management committees to ensure that predictive technologies do not have undue influence on human reviewers. Access the full report here.

New PHTI Study Suggests Future Increase in Digital Health Spending. Health plans, employers, and health systems plan to increase their spending on digital health solutions in the coming year, according to the Peterson Health Technology Institute (PHTI)’s 2024 State of Digital Health Purchasing survey. The survey was conducted in partnership with NORC at the University of Chicago and queried 332 decision-makers responsible for purchasing digital health solutions at health plans, employers, and health systems. The research identifies the purchaser selection process, contracting approach, and future adoption plans in the digital health technology industry.

PHTI found that spending on digital health has increased rapidly over the past two years and the survey suggests that purchasers plan to continue to increase their spending on digital health offerings in the year ahead. According to the survey, 97% of employers, 86% of health systems, and 84% of health plans intend to maintain or increase spending on digital health solutions over the next year. Reasons for increased spending were relatively consistent, with all three purchaser groups reporting increased consumer demand (83%) and improved health outcomes (62%) as primary motivators. Further, three out of five health plans (60%) cite cost savings as a top reason for increased investment in digital health; 49% of health systems and 34% of employers agreed.
