HIPAA – The Who, When and What’s Its Primary Purpose?


The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. It produced some of the most sweeping changes in healthcare reform of its time and for many years after. HIPAA was designed to eliminate discrimination by protecting and securing patients’ health data. The law has since grown into a government regulation with a much larger scope and a focus on information technology as it relates to healthcare. HIPAA’s three primary functions are:

  1. Protect the privacy and provide security for Protected Health Information (PHI).
  2. Increase the efficiency and effectiveness of the healthcare system.
  3. Establish standards for accessing, sharing and transmitting PHI.

HIPAA was originally segmented into 3 primary components: the Privacy Rule, the Security Rule, and the Enforcement Rule. Several years later it was amended to include the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule.

The Privacy Rule

The Privacy Rule was designed to protect and keep private all of our Protected Health Information (PHI). PHI includes information such as a patient’s street address, city, birth date, email addresses, Social Security numbers or any type of identifiable information obtained in the process of receiving care. Individuals may be charged with either civil or criminal penalties for violating HIPAA privacy rules.

The primary goal is to protect individuals’ PHI while promoting an efficient “flow” of information. The rule applies to covered entities, which are defined as hospitals, doctor’s offices, insurance companies or any organization that accepts health insurance. It also applies to business associates: organizations that create, maintain or transmit PHI on behalf of a covered entity. These entities must protect PHI transmitted in any form, whether electronic, oral or written.

The Privacy Rule also establishes an individual’s right to access, review and obtain copies of their PHI. In addition, it grants the right to amend their PHI or to request restrictions on its use. As part of the Privacy Rule, covered entities and business associates are required to appoint a privacy officer, complete workforce training on HIPAA compliance and put business associate agreements in place with any entity to which they disclose or with which they share information.

The Security Rule

The Security Rule sets standards for covered entities and business associates for the security of electronic health information.

The Security Rule has three primary components:

  1. Administrative safeguards – These begin the security management process by identifying a security officer and performing a risk assessment. The goal is to evaluate risk and make sure only authorized personnel can access PHI. Contingency and business continuity plans must also be addressed and documented in the event of a disaster or disruption of business.
  2. Physical safeguards – These cover facility access controls (badges), alarms and locks. Any PHI data must be encrypted at rest and in motion and protected by adequate passwords. The use of tablets, phones and similar devices must also be considered.
  3. Technical safeguards – These include audit controls (SSAE), which record and monitor transactions, and authentication by password, PIN or biometrics.

All security information must be documented and accessible on demand. It must be kept up to date and archived for 6 years.

The Enforcement Rule

The Enforcement Rule sets the standards for penalties in the event of a HIPAA violation or breach. Initially, very few violations were reported and few penalties were assessed. Today, penalties are still rare compared to the number of actual violations, which occur frequently.

Most common infractions include:

  • Unauthorized disclosures of PHI
  • Lack of protection of health information
  • Inability of patients to access their health information
  • Disclosing more than the minimum necessary protected health information
  • Absence of safeguards for electronic protected health information

According to HHS, the following covered entities have been required to take corrective action in order to achieve voluntary compliance:

  • Private practices
  • Hospitals
  • Outpatient facilities
  • Group plans such as insurance groups
  • Pharmacies

(source: hhs.gov/enforcement, 2013)

HITECH and the Omnibus Rule

In 2009 Congress passed an amendment to HIPAA: the Health Information Technology for Economic and Clinical Health Act (HITECH). This amendment was designed to reduce cost and streamline healthcare through information technology. HITECH expanded HIPAA and implemented new requirements for the protection of PHI held in information technology systems.

In 2013 the HHS Office for Civil Rights issued the “final rule,” known as the Omnibus Rule, as the means of implementing the changes of HITECH. The HITECH changes included:

  • It allowed individuals to request changes to their PHI and required their direct authorization before any sale of PHI.
  • Business associates became directly liable and are required to provide workforce training, appoint a privacy officer and perform a risk assessment. HITECH also extended liability to subcontractors of business associates.
  • All HIPAA breaches must be reported to the affected individuals as well as to the Secretary of HHS. An additional risk assessment must then be completed for each breach.
  • HITECH introduced a tiered approach to breach penalties, with recurring infractions in the same year totaling up to $1,500,000. It also gave state attorneys general the power to enforce HIPAA violations.

HIPAA is one of the most sweeping and all-encompassing changes ever to impact the healthcare industry. It has evolved to regulate the use of information technology within the scope of healthcare, in addition to protecting the privacy of a patient’s PHI. Unfortunately, like most government regulations, it is vague and very difficult to enforce. Even so, it has created valuable safeguards for the protection of our personal health records and has encouraged improvements to the flow and integration of healthcare data.

If you need assistance with any current IT projects (Cincinnati or remote), or risk assessment for your practice please contact us at:

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net



In this time of IT security breaches, businesses of all sizes have become aware of the consequences of not having a solid IT framework and security policy. What was previously a concern only for large enterprises has now become a challenge all businesses share. Government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) mandate compliance for the security of Protected Health Information (PHI) for any size of enterprise that stores PHI.

A recent trend has been for large enterprises to pass their compliance and security requirements downstream to their suppliers, which may be smaller businesses. One of the initial causes for this was the Target breach. Target, which was fully compliant with its regulatory environment (PCI DSS),[1] was breached through an HVAC vendor. This Target business partner was primarily responsible for the compromise of credit card information for millions of Target’s customers, causing large-scale damage to Target’s finances and reputation. To learn more about the total cost of a data breach, please see my previous article: https://twoearsonemouth.net/2017/11/22/preparing-for-the-cost-of-a-data-breach/ .

In addition to government regulation, industry associations have aligned to create compliance standards for their data. One primary example is the PCI DSS mentioned above in regard to Target. PCI DSS defines a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. The PCI Security Standards Council publishes the standards governing all credit card information and maintains an approved list of assessors who audit and validate an entity’s adherence to PCI DSS.

Businesses are not completely on their own in navigating this complex regulatory and IT security environment. A series of IT frameworks has been developed that an organization can use to reach its goals. These frameworks describe IT “best practices” in general terms, and businesses typically use them as a reference for achieving regulatory or security compliance. Below are some examples of the most common IT frameworks available today:

  • COBIT – A framework designed by the Information Systems Audit and Control Association (ISACA) to provide management and business process owners with an IT governance model that aids in delivering value from IT and understanding the management of IT-related risk.
  • ISO 27002 – An IT security standard originated and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
  • ISO 38500 – A framework similar to ISO 27002, intended for use by management, also originated and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

At the highest level, IT security best practices can be classified into 3 categories: physical safeguards, administrative safeguards and technical safeguards. Below is a brief description of each.

Physical Safeguards are tools such as alarm systems (including video), key card systems, secure locks for offices and for drawers where laptops and phones are stored, a guard or receptionist always at the front door, and a secure IT server room.

Administrative Safeguards are processes that include appointing a security officer and/or department, creating training programs to make all employees aware of what data needs to be protected and how it is protected, a company policy for storing and archiving protected data, and business continuity policies.

Technical Safeguards are IT tools such as Unified Threat Management (UTM) and Next-Gen firewalls, malware and virus protection software on servers and workstations, encryption of data in transit and at rest and a strong Business Continuity and Disaster Recovery (BCDR) plan that is tested on a regular basis.

Following these principles and best practices not only helps a business mitigate risk but also makes good business sense.


Contact us so that we may learn more about the IT challenges within your organization. We will provide an initial consult at no cost! We can provide best in class IT Project Management in Cincinnati or remotely.

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net

[1] PCI DSS is an acronym for Payment Card Industry Data Security Standard. PCI DSS is an industry based regulatory authority for the credit card industry.


From Meaningful Use to MACRA or… When the MIPS comes Down?!


Most of us who have been in the business of healthcare for 5 years or more are familiar with the term “Meaningful Use.” For others, let me define “Meaningful Use,” as it will serve as the basis for this blog. Meaningful Use was a program implemented by the Centers for Medicare and Medicaid Services (CMS), a government agency, to measure and reward medical practices for the use of Electronic Health Record (EHR) technology. An EHR is the software a medical practice uses to manage its business and store all Protected Health Information (PHI). I believe Meaningful Use was a success. It brought much greater awareness to EHR technologies and pushed practices small and large to evolve and store their PHI electronically. Storing information electronically in turn allowed medical practices to provide a better level of service, care coordination and sensitive-data security to their patients.

You may have noticed that I used three three-letter acronyms (TLAs) in the first paragraph. That comes with working in information technology, and government bureaucracy multiplies it. There are plenty more to come, so I will document the rest up front, right now!

  1. MACRA – Medicare Access and CHIP Reauthorization Act
  2. QPP – Quality Payment Program
  3. APM – Alternative Payment Model
  4. MIPS – Merit-Based Incentive Payment System
  5. EC – Eligible Clinician

The next year brings the sequel to Meaningful Use, MACRA, and the payment system within it: MIPS. The QPP final rules were posted on November 2, 2017, giving participants two months before reporting starts on January 1, 2018. Nearly all healthcare providers, physicians, physician assistants and nurses must participate. MIPS scoring will be based on a point system; look for future blogs to take a deeper dive into MIPS, including the point system.

A practice that bills Medicare Part B* claims in an amount less than $90,000 or has fewer than 2,000 Medicare claims is not required to participate. The smaller practices that do report receive some breaks: groups of 1 to 15 clinicians get an automatic 5 points, even if they complete only the minimum amount of reporting. Groups of 1 to 10 clinicians can team up with other small groups to combine reporting, regardless of location or specialty. This will allow some “rock-star” practices to report alongside weaker groups, allowing all to benefit from the payment program.

MIPS reporting for 2018 will be divided into 4 categories, each of which will have a different weighting. Additionally, the weighting percentages are set to change in years 2019 and 2020. The following are the four reporting categories and their weights:

  1. Quality (60%) – The practice selects at least 6 measurement criteria to report on from a choice of over 300. Some are general categories and some are for specialty practices. For example, a cardiologist may report on measurements for controlling high blood pressure among all their patients. Quality is the only category that must be reported on for the entire year.
  2. Advancing Care Information (25%) – ACI includes all the measurements that were a part of Meaningful Use. It measures how the practice promoted patient engagement (patient portal) and exchanged information using EHR technology.
  3. Improvement Activities (15%) – The primary focus of Improvement Activities will be care coordination, which is the ability to work seamlessly with other providers. Additionally, providers will have a list of over 900 categories and 9 sub-categories to report on.
  4. Cost (no mandated reporting in 2018) – This information will be based on data from Medicare claims received.

MIPS reporting options for 2018

  • Option 1 – Submit “some data” – Quality is the only data that must be reported for the entire year. Enough data for 15 points must be reported.
  • Option 2 – Quality full year – Submit Quality for the full year, and Advancing Care Information and Improvement Activities for 90 days.
  • Option 3 – All categories full year – Cost is not reported in 2018.

A practice can pick whichever option it chooses; most likely the choice will be driven by its understanding of the program and the resources it assigns to it.

More will be revealed on MACRA, MIPS and the best practices for reporting in the coming months. Due to the consequences of failing to report, and the urgency of a short preparation period, many healthcare organizations will need assistance with reporting. MIPS has much greater consequences than Meaningful Use.

First, all information submitted for reporting will be public. We will see reported information on CMS websites, allowing you to compare providers much as we look at online reviews for traditional businesses today. Secondly, MIPS does more than just reward compliant practices; it also penalizes non-compliant ones. Meaningful Use was initiated as an experiment to some extent. MIPS seems to be making the transition to a regulation that is here to stay. Healthcare organizations will either need to get on board or face serious consequences.

Given the importance of MIPS to the healthcare industry, and the continued flow of information to this day, we will provide another update on this before year-end. Please look for a deeper dive into MIPS, including components not covered here, such as how the points system works and Alternative Payment Models (APMs), which will become more important in the years to come.

*Medicare Part B is the portion of Medicare that pays for ambulatory services such as doctor office visits and prescriptions. Part A applies to hospital stays.


To meet and learn more about how MIPS reporting can affect your organization, contact me at (513) 227-4131 or jim.conwell@outlook.com.

What’s a Managed Service Provider (MSP)?



Most organizations, big and small, have gone through this exercise with information technology, as well as with other services: “Should I hire a dedicated person, assign it to someone in the organization as an additional responsibility, or outsource?” What’s a Managed Service Provider (MSP)? When posing this question for IT services, size matters! In this exercise, we will assume there are between 20 and 100 IT users in the organization considering an MSP.

Size Matters

When a company I consult with is near the lower end of this user count, many times they will tell me that an employee’s relative (a brother, sister or husband) does their IT work. I call this type of IT provider a trunker, as their office and tools are in the trunk of their car. A trunker can be a smart way to go, providing a prompt and personalized service response. However, it is important that the trunker has a way to stay current with technology, and that at least one employee of the organization is aware of everything he or she does and documents all passwords and major tasks.

I’ve seen that the same level of service can be achieved with an IT MSP as the organization outgrows the trunker. The MSP will typically have an upfront cost to inspect and become familiar with the IT infrastructure. Then there will be a recurring charge, monthly or quarterly, for help-desk support that is handled either remotely or on the customer’s site. With few exceptions, organizations of 100 employees or fewer are serviced satisfactorily with a remote agreement. When an issue calls for onsite service, they will pay the predetermined labor rate. Another factor determined up front is the Service Level Agreement (SLA), which defines how quickly the MSP will respond. As with the trunker mentioned before, it’s up to the organization to keep track of the IT provider and their tasks. This is made easier by the fact that an MSP, because it will engage multiple technicians for one customer, needs to document everything for its own benefit.

Why Use an MSP for My Business?

The MSP is the arrangement I see work most often. So let me answer my original question: why outsource my IT?!

1) Consistency and predictability of service. Based on the MSP’s reputation and the SLAs provided, most organizations experience responsive service and high continuity. When the agreement ends, they can expect a smooth transition to the new vendor or person. I have witnessed many times when the trunker provider relationship ends poorly. The organization can be put in a position of having no documentation and not even knowing the passwords to access their systems.

2) Transparency. Most MSPs, as a part of their service, offer dashboards showing the real-time status of devices on the network. Many even offer your business remote access to monitor your network. This is a major cost reduction compared to the cost of hosting or maintaining monitoring yourself.

3) Expertise. There is knowledge in numbers. Although you may only see or speak with one person as the face of your IT partner, you’re working with a team with vast experience and knowledge. The technical staff of an MSP will always have a greater level of experience and a better knowledge of trends in technology. This is particularly true in regulated organizations such as healthcare and financial businesses.

Contact us for a free analysis of your business and what will serve it best.

Jim Conwell     (513) 227-4131     jim.conwell@twoearsonemouth.net http://www.twoearsonemouth.net