Cooperating for better care.


Tag Archives

Holding hospital boards accountable for institutional culture


Healthcare analyst and consultant Paul Keckley, Ph.D. has looked at how hospital boards  should be held accountable for their institutions’ culture.

He noted:

“On Wednesday, Oct. 4, the National Association of Corporate Directors released a report from its 34-member commission outlining 10 recommendations that would encourage boards to be more proactive in attending to corporate culture. They include the formal measurement of culture, the inclusion of culture considerations in performance reviews of top managers, changes to incentives in short- and long-term compensation and others. Their bottom line is this: Boards must understand how an organization achieves results, not just the results themselves. ”

He writes about:

“Board education: …. Nonprofit boards underinvest in board education and many are lax in evaluating their boards. Complex issues like private inurement, the False Claims Act, HIPAA and many more require more than casual understanding by trustees.”

“Culture monitoring processes: Hospital boards must create a formal process for monitoring the culture in their hospitals. Most hospitals conduct employee surveys and share the results with the board. Many of these include comparisons to other organizations and best practice recommendations. But in the future, boards must go deeper. The work climate in most hospitals is stressful. The workforce is expected to do more with less and alter work habits as clinical innovations and payment schemes force change. Boards must examine the mechanisms whereby the workforce is managed, promotions awarded, recognition and compensation given.”

To read his whole commentary, please hit this link.



Making the most of boards’ immersion days’




Hospitals & Health Networks looks at how “Immersion Day” gives hospital boards a  very  close-up look at these institutions. This piece focuses on Mission Health, a community hospital system in western North Carolina.

Among the observations:

“Perhaps counter-intuitively, it seems that once board members understand {after participating in Immersion Day} how complicated the delivery of care is today, they come to appreciate even more the skill and expertise of management — and to leave operations to the management team.

“The benefit of immersion for boards seems to be the focus it brings to strategic planning, the experience and authority it gives to board members when they advocate for the system, and the bonding that forms between board and management as both face the stress and rapid change of modern care delivery.’’

“Here are some of the best practices followed by Richard Bock, M.D., of Immersion Advisors in Asheville, N.C., when he conducts an Immersion Day program:

  • “Meets with health system leadership to understand their goals.
  • “Drafts immersion plans tailored to the institution.
  • “Meets with the system’s chief medical officer to refine the plans.
  • “Individualizes standard HIPAA releases and other agreements as needed.
  • “Communicates directly with medical staff and nursing leadership ahead of time.
  • “On Immersion Day, prepares, orients and accompanies participants in all hospital areas.
  • “Conducts debriefings afterward.
  • “Optionally arranges end-of-day discussions with the CEO and other key leaders — particularly valuable for policymaker immersions.”

To read more, please hit this link.



The main facility of Mission Health, in Asheville, N.C.



Onsite HIPPA audits coming


Take cover? The Feds will be doing a “small number” of onsite HIPAA audits in 2017. says an HHS Office for Civil Rights (OCR) official.

OCR senior adviser Linda Sanches, at the Healthcare Information and Management Systems Society Privacy & Security Forum in Boston, explained what healthcare leaders can expect from the process.

She said: “We’re looking for evidence that you are implementing the policies and procedures. Two huge problems we’re seeing are implementation of risk analysis and risk management.”

To read more, please hit this link and this link.

HHS confab looks at HIPAA and cybersecurity


Beast, a Windows-based backdoor Trojan horse.

Maria Hirsch of FierceHealthcare was at last week’s annual meeting on HIPAA and cybersecurity co-hosted by the Health and Human Services Department’s Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST).

Among her observations:

“{A} session on ransomware provided great insight from government experts who discussed the increasing sophistication of this type of malware and what to do to fend off such attacks. They recommended, among other things, that employees be trained to be suspicious of all emails, that providers have responsible backup plans for their data, that they limit access, that they use up-to-date antivirus software and that they prepare for the possibility of attack.”

“Panelists addressed the increased use of connected devices, the unique difficulties of protecting medical devices and the importance of knowing what devices are connected to one’s network.”

An update …brought attendees up to speed regarding the HIPAA audits, which are underway. The government’s line was that the audits are designed to be educational, to identify best practices and get in front of HIPAA problems before they result in breaches.

To read more about the conference, please hit this link.

Hospitals should update Business Associate Agreements

A HIPAA privacy case involving Care New England’s Women & Infants Hospital, in Providence, shows the importance of updating Business Associate Agreements.

Late last month, the U.S. Department of Health and Human Services (HHS) announced that Care New England  had agreed to pay a $400,000 fine, and implement a corrective action plan, to settle HIPAA violations. The investigation by HHS’s Office for Civil Rights (OCR) started back on Nov. 5, 2012.

Physicians Practice reported  that HHS found “unencrypted back-up tapes containing nearly 14,000 patients’ protected health information,”  as well as other  violations.

OCR’s director, Jocelyn Samuels, said: “[t]his case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule.”

Physicians Practice said: “Despite CNE and Woman & Infants Hospital of Rhode Island having a Business Associate Agreement (BAA) in place in March 2005, it had not been updated until Aug. 28, 2015 — nearly two-and-a-half years after the Omnibus Rule was published in the Federal Register.”

To read the Physicians Practice piece, please hit this link,

Medical privacy 20 years after HIPAA was enacted

On the 20 anniversary of HIPAA,  read this review of how medical privacy and medical-data sharing have changed as a result of the landmark legislation.

To read the STAT article, please hit this link.

‘Patient Engagement Playbook’ videos

These “Patient Engagement Playbook” videos are meant to inform consumers of their HIPAA rights.

6 ‘solutions’ to U.S. healthcare problems


Private-sector healthcare leaders have identified six “common-sense solutions” to improve the U.S. healthcare system  that  they say would get support from both major political parties even in an election year. They are, as summarized by FierceHealthcare:

  • “Set a ‘firm date’ — Dec. 31, 2018 — to achieve health-information interoperability everywhere in the U.S., with the private sector leading the way to help healthcare organizations share data.”
  • “Implement reforms to improve the Food and Drug Administration, including easing administrative burdens imposed on the agency and taking steps to more quickly deliver innovative treatments and technologies to patients.”
  • “Implement ‘best practices’for Medicare, insurers and healthcare providers to improve all aspects of care for chronically ill patients. Specifically, the report outlines a set of comprehensive care planning principles using diabetes patients as an example.”
  • “Reform outdated physician self-referral and anti-kickback statutes, and expand Medicare payment waiver policies in order to encourage care coordination while preventing fraud and abuse.”
  • “Standardize … privacy laws on the state and federal levels, and improve access to patient data for research. For example, the report notes that “one particularly burdensome barrier to nationwide health information exchange is the many diverse state laws across the country regulating health information alongside HIPAA.”
  • “Improve the Centers for Medicare & Medicaid Services’ Enhanced Medication Therapy Management (MTM) Model, including allowing participating plans to help develop the quality indicators that comprise the uniform set of MTM data elements, and employing a public comment process that allows a full range of stakeholders to provide input into the final measure set.”


HIPAA privacy rules often misinterpreted


In a very useful story that could save some lives, The New York Times reports on how the use of HIPAA patient-privacy rules to enforce a very cold and sometimes lethal code 0f silence often reflects a gross misinterpretation of the law.

“Intended to keep personal health information private, the law does not {emphasis CMG’s} prohibit healthcare providers from sharing information with family, friends or caregivers unless the patient specifically objects. Even if she is not present or is incapacitated, providers may use “professional judgment” to disclose pertinent information to a relative or friend if it’s ‘in the best interests of the individual.”’

Stay out of the cloud and other ways to fight hackers


In the wake of the disastrous hack of Anthem, the insurance giant, Brian Eastwood, writing in Hospital Impact, proposes some things hospitals should do, including:


* “Engage your board of directors with the chief information security officer.”

* “Use as many layers of protection as you can. Yes, this means encryption–of data at rest and of backups….”

* “Make penetration and application vulnerability testing an ongoing priority. You can do this by incorporating them these processes into operational analysis.”

* “Hire third parties to conduct your HIPAA risk assessment.” .

* ”Don’t use the cloud to store data from applications that require strict security standards. Store this data on company-owned storage.”

* “Follow Open Web Application Security Project (OWASP) standards if you develop applications.”

Contact Info

(617) 230-4965

Wellesley, Mass