Stanford Hospital & Clinics Pay $4 Million for privacy offense

Practice, clinics an hospital not only have to worry about HIPAA laws at a federal level but they need to take into account the state privacy laws that can cost them as well!

In California, the law requires that medical providers maintain their patients’ medical information confidential and prohibits the disclosure of such information without a patient’s written authorization.

Stanford Hospital and Clinics has had 5 big HIPAA breaches in the last 3 years compromising the protected health information of more than 92,000 patients.  Four of the breaches involved the theft of unencrypted company laptops.   It would have been much better if this was merely property losses as opposed to data losses. They may now be required to pay a $4.1 million class action settlement after violating California’s medical privacy law.

The settlement was given approval last week by Los Angeles County Superior Court Judge Elihu Berle from a 2010 incident when Stanford notified 20,000 of its patients that their protected health information was wrongfully posted to a student website. The information was posted on a public website  for almost a year included medical diagnoses and patient names.

In September 2011, Shana Springer, a patient, filed a $20 million class action lawsuit against Stanford and its business associate Multi-Specialty Collection Services for violating California’s Confidentiality of Medical Information Act.

When Stanford Hospital and Clinics notified patients, it claimed it had sent Multi-Specialty Collections services encrypted patient information for “permissible business purposes,” making the company “responsible by law and contract for protecting all patient information provided to it for its services.”

HIPAA-covered entities and business associates have paid over $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year which does not include the state and private legal settlements.

2014 Hardship Exemptions

The hardship exception rule in the Meaningful EHR Incentive Program has allowed for relief to some providers and hospitals to apply for exceptions to anticipated penalties if their EHR vendor did not obtain EHR certification for 2014.

Since some vendors did not have the time or resources to get their product 2014 certified the additional flexibility has been put in the exception rule i

There are a couple stipulations to this flexibility in the hardship exception rule:

  • The application can only be submitted for 2014.
  • CMS is said you may apply for the exception.  This will not guarantee not that you will get the exception.  CMS will determine if you will receive the exception on a case by case basis.
Providers and hospitals should be encouraged to do everything in their power to get the certified EHR technology implemented and meet meaningful use in 2014.  However, if things are running close I would encourage eligible providers and hospitals to apply for the hardship exemption if it looks like they are going to run into into implementation and workflow issues.

If you have any further questions or need additional help regarding Hardship exemptions, EHR and Practice Management selection, contract negotiations, project management, implementation, EHR training, EHR optimization, EHR template customization, Meaningful Use Gap Analysis, Meaningful Use Attestation, HIPPA Privacy/Security Assessments and Mitigation Plans, EHR Safety, and Meaningful Use Audits please contact Vanessa Bisceglie at 847-322-0139, 1-800-376-0212, or

Vanessa Rose Bisceglie, President, EHR & Practice Management Consultants, Inc.

2015 EHR Certification

The Office of the National Coordinator is looking to create an EHR certification system for 2015 that would be guided by more responses from feedback by stakeholders. The 2015 certification will incorporate “bug fixes” to make 2014 certification rules “clearer and easier to implement,” and “reference newer standards and implementation specifications.”

The end goal of the 2015 certification will be to promote innovation and enhancing interoperability.  The 2015 certification system would be voluntary.

It is not expected a majority of EHR technology developers will seek testing and certification to the 2015 Edition.  However, if the new certification meets its objectives, eligible providers would have additional choices with “updated capabilities, standards, and implementation guides.”

Among some of the proposed changes are the following:

  • Separate EHR “content” and “transport” capabilities,
  • “View, download, transmit to 3rd party” criteria,
  • Expand health information exchange services by making it easier for patients to choose where they want to send their personal health information.
  • Streamlining “bug fixes”

“(W)e have determined that it would best support industry interoperability approaches and provider choices for electronic exchange services if we permitted ‘data content’ capabilities to be tested and certified separately from ‘data transmission’ capabilities,” ONC regulators wrote.

If you have other questions regarding EHRs, Practice Management Systems, Portals, and other related topics please contact EHR & Practice Management Consultants, Inc.( at 800-376-0212 or

EHNAC will accredit Practice Management Systems

Electronic Healthcare Network Accreditation Commission is aligned with the Workgroup for Electronic Data Interchange to create the Practice Management Systems Accreditation Program.

PMSAP is designed as a common baseline for Affordable Care Act requirements, HIPAA, privacy and security, best practices, business processes and performance.

I anticipate that accreditation of these practice management systems will be an invaluable tool that can assist practices in the product selection process, and then in optimizing their solutions to access meaningful data.”

Additionally, there will be an ICD-10 component as well. While the ICD-10 portion won’t involve formal testing, the self-attestation will verify that vendors have plans to upgrade their software for the new code set.

Additionally, if you need a qualified practice management IT consultant to help you further down select which is the best system for your practice, clinic, or billing firm we have a 11 years of experience of helping you select and negotiate the best contract for your practice management system.  Please contact Vanessa Bisceglie at EHR & Practice Management Consultants, Inc. for additional assistance at 800-376-0212 ext. 1, 847-322-0139 or email us at