About John Deutsch

John is the President and CEO of Bridge Patient Portal, the leading 2014 ONC certified solution for patient engagement and improved practice profitability. A vital component in the exponential growth of numerous healthcare IT and Internet companies over the last ten years, John has benefited immensely from a unique mix of professional experiences, boasting a strong background in both marketing and technology.

Author Archives: John Deutsch

The unexpected benefit a patient portal has on your MIPS / MACRA score

Strategies for MIPS / MACRA attestation, and how patient portals might have a greater impact on your scoring than you might think.

A recent survey conducted by the American Medical Association showed that fewer than one in four physicians feel prepared to meet MACRA reporting requirements in 2017. This is an alarming statistic, as performance reporting must be conducted in 2017 to avoid a penalty in 2019.

The objective of this article is to provide a detailed explanation of the four categories that make up the Merit-based Incentive Payment System (MIPS) point system that affect an eligible provider’s reimbursement, and how a patient portal helps a provider attest for these four categories. MIPS is one of two reimbursement tracks under MACRA. For a primer on MACRA – who qualifies for the program, the reporting/adjustment timeline, the reimbursement/penalty rates, and how MIPS relates to MACRA – please read our earlier post MACRA 101: An explanation by Bridge Patient Portal.

What are the four categories that make up MIPS?

MIPS is made up of four performance categories. It represents several previously existing Medicare reporting programs, renovated and rolled into one. Here, we list the MIPS performance categories in order of potential for patient portal impact (highest to lowest):

  1. Advancing Care Information – Focuses on information exchange and interoperability, replacing the Medicare and Medicaid EHR Incentive Program, also known as Meaningful Use (Stages 1 and 2).
  2. Quality – Measures a provider’s delivery of Quality Care, replacing the Physician Quality Reporting System (PQRS) which expired in 2016, and incorporating the Value-Based Payment Modifier system.
  3. Improvement Activities – A new category created to measure a provider’s focus on care coordination, beneficiary engagement, and patient safety.
  4. Cost – Relates to resource use, replacing the Value-Based Payment Modifier. The cost category will be calculated in 2017, but will not be used to determine a provider’s payment adjustment until 2018.

Over the next few years, the weight of each MIPS performance category will change in the calculation of the MIPS composite score – as described in the image below.


The four categories of MIPS and how a patient portal can directly or indirectly impact scoring:

1. Advancing Care Information


ACI is highly dependent on patient portal technology, with about half of its sub-category measures achievable through patient portal features. With the use of certified patient portal technology, physicians can accumulate MIPS points with relative ease. A full list of the ACI sub-category measures can be found here. Below is a table listing the different measures for the ACI category.

Most everyone is familiar with the recently sunsetted Meaningful Use Stage 2 program, where incentive payments were paid (or overpaid) to providers with patient portals that provided at least 50% of their patients with access to their medical records online, and at least 1 patient per eligible provider was required to view, transmit and download their health summary. Advancing Care Information (ACI) essentially replaces the Meaningful Use program and raises the bar further.

Base Score

Advancing Care Information Measures and Scores – required measures for the 50% Base Score:
- Security Risk Analysis
- e-Prescribing
- Provide Patient Access*
- Send a Summary of Care*
- Request/Accept Summary Care*

2017 Advancing Care Information Transition Measures and Scores – required measures for the 50% Base Score:
- Security Risk Analysis
- e-Prescribing
- Provide Patient Access*
- Health Information Exchange*

NOTE: These measures are also included as performance score measures and will allow a clinician to earn a score that contributes to the performance score category (see the list below).

Measures for Performance Score

Advancing Care Information Measures and Scores (measure – points):
- Provide Patient Access* – Up to 10%
- Send a Summary of Care* – Up to 10%
- Request/Accept Summary Care* – Up to 10%
- Patient Specific Education – Up to 10%
- View, Download or Transmit (VDT) – Up to 10%
- Secure Messaging – Up to 10%
- Patient-Generated Health Data – Up to 10%
- Clinical Information Reconciliation – Up to 10%
- Immunization Registry Reporting – 0 or 10%

2017 Advancing Care Information Transition Measures and Scores (measure – points):
- Provide Patient Access* – Up to 20%
- Health Information Exchange* – Up to 20%
- View, Download, or Transmit (VDT) – Up to 10%
- Patient Specific Education – Up to 10%
- Secure Messaging – Up to 10%
- Medication Reconciliation – Up to 10%
- Immunization Registry Reporting – Up to 10%

The Advancing Care Information Performance Category Fact Sheet provided by CMS gives an excellent, detailed explanation of how the ACI category is scored. In summary, providers must demonstrate at least 1 transaction for each of the required base-score measures to receive a 50% “Base Score” for the ACI category (a net 12.5% of the entire MIPS score). To score the additional 50%, the “Performance Score,” providers must demonstrate additional usage in the “Performance” and “Bonus” categories. Scoring for both the “Base Score” and the “Performance Score” allows a provider to achieve a 100% score.

Important Tips and Information

  • October 2nd, 2017 is the last possible start date for 2017 MIPS reporting, including the ACI category.
  • Data submission to CMS for 2017 reporting begins on January 1, 2018 and ends on March 31, 2018.
  • Both 2014 and 2015 Certified technologies can be used for attesting in the 2017 transitional year of MACRA, so long as the technologies support the ACI measures. There are two measure set “options,” Advancing Care Information Objectives and Measures or 2017 Advancing Care Information Transition Objectives and Measures, both listed above. In 2017, only the latter requires 2015 certified technology. In 2018, however, 2015 certified technology will be required across the board.
  • Some clinicians may not have sufficient ACI measures applicable to them. In such scenarios, the ACI performance category will be reweighted to 0 percent and the 25 percent weight originally allocated to ACI will be redistributed to the Quality performance category. This may be the case for clinicians who are hospital-based or qualify for a hardship exemption.
  • If the minimum required measures (listed in the table above) for the Base Score are not met, the provider will receive a score of 0 for the entire ACI category.

2. Quality

Value: 60% (2017), 50% (2018), 30% (2019)

MIPS has created the Quality performance measure category by merging the Physician Quality Reporting System (PQRS) and Value Based Modifier (VBM) programs. While the quality category offers the most value opportunity, it can be the most difficult to report on. The reporting period is the entire year, unlike the 90 day period for the ACI category. In most cases, providers must select 6 quality measures to report on from the many available in this

A well implemented patient portal can have a significant impact on a provider’s Quality performance. Much of the Quality category scoring has to do with improved outcomes that in many cases benefit from an engaged patient population. This can be achieved through patient portal functions like patient reminders (appointment, care plan, Rx refill, etc.), notifications, and patient-provider messaging. A provider will also receive points for delivering Consumer Assessment of Healthcare Providers and Systems (CAHPS) surveys, which can be administered electronically. To directly use a patient portal, or Certified EHR Technology (CEHRT), for reporting, the CEHRT must be certified on the measure being reported. Providers can earn additional bonus points by reporting with a CEHRT. The measures must be eligible, and reporting must be done entirely with the CEHRT. The maximum number of CEHRT bonus points is 10% of the maximum score, which would be 6% in 2017 as the value is 60%.

The many different scenarios available to providers for the Quality category further complicate the already complicated scoring system. But essentially, each measure gets a score of 1-10 points (0 points if not reported) compared to historical benchmarks (if available). With a perfect score of 10 in each of six measures, providers receive 60 points, or a full score.

Important Tips and Information

  • Most providers must report up to six Quality measures so long as one measure is an outcome measure (or a high priority measure if no outcome measure applies to the provider). Groups of 25 or more providers may use the CMS Web Interface, in which case they will need to report on 14 different measures. CMS plans to increase the number of measures to report on in future years.
  • Selecting the right measures is of utmost importance. CMS scores a provider in comparison to other providers (benchmarking), making it easier to score in the top percentile on some measures than on others. We recommend seeking guidance from a consulting firm or MIPS expert in order to identify the best measures for your situation.
  • The Quality performance measure category has been sub-categorized into Efficiency, Intermediate Outcome, Outcome, Patient Engagement/Experience, Process and Structure measures.
  • In 2017, the Quality score weight has been set to 60% unless the provider has applied for an ACI exclusion. In this case, the 25% ACI category value will be applied to the Quality category, increasing the quality category value to 85%.
  • Providers qualifying for one of the specialty measure sets may report fewer than six measures (in some cases), or select six measures from the specialty measure set.
  • MIPS essentially adopts the quality measures and reporting methods from the Physician Quality Reporting System and Value-Based Modifier programs. Although there are some changes to the PQRS reporting methods, for the most part the quality reporting methods remain the same.
  • Practices must use the latest annual measure update. For instance, for the 2017 performance period, practices must use the eCQM specifications contained in the 2016 annual update, released in April 2016.

3. Improvement Activities


The Improvement Activities performance category is significantly simpler than the two aforementioned categories, focusing on care coordination, population health, beneficiary engagement, and patient safety. Providers must select only four measures from this list of more than 90 options and report on these four measures for a minimum of 90 days.

A well implemented patient portal has a variety of features that can be applied to the Improvement Activities performance category measures. Given the category’s focus on care coordination, patient engagement through a patient portal plays a crucial role. For example, there are specific medium-weight activities titled “Engagement of patients through the implementation of improvement in patient portal,” “Proactive management of chronic conditions and prevention care,” and “Engagement of patients, family and caregivers in developing a plan of care,” along with a variety of other activities where a patient portal can directly or indirectly be applied to meet requirements.

The Improvement Activities category has a maximum score of 40, which contributes 15% to the MIPS composite score. Each activity is worth 10 points. Some activities are categorized as “high-weight” (about one fifth of the 90+ activities) whereas the rest are “medium-weight.” High-weight activities are technically worth 20 points, as they hold twice the value of medium-weight activities.

Important Tips and Information

  • Physician groups with fewer than 15 participants or in a rural or health professional shortage area can attest by completing up to two (2) activities for a minimum of 90 days, instead of the minimum four.
  • CMS allows submission of data for the Improvement Activities performance category through a qualified registry, EHR, QCDR, the CMS Web Interface, or attestation as data submission mechanisms.

4. Cost

Value: 0% (2017), 10% (2018), 30% (2019)

Various primary care services are used to calculate the total per capita cost measure. Chronic care management (CPT code 99490) is an example of a primary care service that can be facilitated through Chronic Care Management (CCM) Software linked to a patient portal or EHR. Patient portals such as Bridge Patient Portal also have the ability to facilitate annual wellness visits (G0438 and G0439) or welcome to Medicare visits (G0402) through the use of appointment reminders and care plans.

The Cost category, which replaces the Value-Based Payment Modifier, requires no reporting. All its measures are derived from Medicare claims data, therefore participation does not require data submission. Furthermore, the Cost category is not included in the 2017 payment modifier.


The trend we are seeing with CMS programs, like MACRA and its previous iterations, is a greater emphasis on patient engagement and quality of care. It’s hard to imagine a future where patients aren’t able to access their information, manage their care plans and communicate with their provider online. We strongly believe that putting a strong emphasis on online patient engagement, leveraging solutions like Bridge Patient Portal, not only has a direct impact on MACRA scoring, but paves the way for a smooth transition from fee-for-service to fee-for-value reimbursement models.

Three Things About HIPAA That You Probably Didn’t Know

More and more health organizations are implementing publicly-exposed web technologies containing Protected Health Information (PHI), which is subject to the laws of HIPAA. Common examples of such systems include Electronic Health Record (EHR), web portal, Patient Portal and mHealth solutions. When those systems are integrated, PHI must travel from one platform to the other, exposing the systems to considerable risk: not just in transmission, but by the very fact that the systems are publicly exposed. In these situations, ensuring that HIPAA regulations are met has become crucial.

Here are three things about HIPAA that you probably didn’t know:

1. There is no such thing as HIPAA certified hosting

While HIPAA compliant hosting is just a part of achieving HIPAA compliance, it is one of the more challenging aspects of HIPAA compliance. Software-as-a-Service (SaaS) applications and cloud hosting solutions are becoming the norm in healthcare. Both have lower upfront costs for healthcare organizations and require less maintenance. While many hosting providers and software vendors claim to provide HIPAA-certified solutions, the truth is that there is no such thing as a HIPAA certification – not for hosting companies, providers, or any other type of organization.

The Health Insurance Portability and Accountability Act is a set of rules and best practices. HIPAA makes little reference to technical specifications required for hardware, software or security, and it definitely doesn’t have a certifying government body.

It is possible, however, to be HIPAA compliant or to seek certifications that encompass the laws of HIPAA or other laws with a similar scope to HIPAA. Examples of these include HITRUST and EHNAC or SOC 2 certifications. James Deck, CEO of Med Tech Solutions, a provider of HIPAA compliant cloud hosting services, explains that “EHNAC accreditation gives our customers the assurance that we are HIPAA compliant”. While these certifications or HIPAA audit services are a great practice for companies that specialize in hosting, they aren’t required for health organizations. James further explains that “Moving to the cloud doesn’t reduce your risk and the cloud alone isn’t necessarily HIPAA compliant. Hosting companies must provide a suite of services on top of their cloud hosting to achieve HIPAA compliance.” Companies can adhere to HIPAA regulations, put safeguards in place to ensure that policies are being met, and have the proper documentation to ensure compliance (e.g. a signed Business Associate Agreement).

2. Contact Us and Intake forms are permitted on websites

Website forms offer an easy and convenient way for patients to communicate with office staff – whether it is to schedule an appointment, complete an intake form, or to ask a general question. They are also one of the most vulnerable sections of any healthcare website because patient information is collected and inevitably transmitted online.

Despite the risks associated with contact and intake forms, they are allowed on medical websites as long as the necessary steps are taken to safeguard PHI (e.g. name, phone number and medical information), which is protected by HIPAA. What you need to do is make sure that your website properly deploys an SSL/TLS certificate. This encrypts information sent from the user’s browser to your web server. In addition to ensuring that the form is encrypted in transit, you will want to make sure that the submitted forms are transmitted, accessed and viewed by office staff in a secure way, such as through a HIPAA-compliant, encrypted email service. It is also recommended to provide a disclaimer and clear instructions for how the form should be used, essentially releasing the healthcare organization from liability for the transmission of PHI through the form.

If you’re unsure about the security of your online forms, the best advice is to consult a HIPAA expert. They can check your website for compliance and provide best practices for medical website security. In the meantime, you may choose to add a disclaimer to your website asking patients not to enter health information in any form. Instead, they can call your office with specific medical questions, or you can direct them to your patient portal.
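As an added defender-side check (example code written for this page, not part of the original post or of Bridge’s software), the script below parses a page’s HTML and flags any contact or intake form that would send patient details over plain http, or in a GET query string even when TLS is in place. The sample page, the hostnames and the PHI_HINTS field-name list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field collects PHI or patient contact data.
# Constructed heuristic list for this example, not an official HIPAA identifier list.
PHI_HINTS = ("name", "phone", "email", "dob", "birth", "ssn", "insurance",
             "symptom", "diagnos", "medic", "condition", "message")


class FormCollector(HTMLParser):
    """Collects every <form> on a page with its resolved action URL and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action submits back to the page URL itself, so
            # relative actions are resolved against the page to learn the real scheme.
            self._current = {
                "action": urljoin(self.page_url, a.get("action", "")),
                "method": a.get("method", "get").lower() or "get",
                "fields": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name", "")
            if name and a.get("type", "").lower() not in ("submit", "button", "hidden"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: its target URL, the PHI-like fields it collects,
    and the transport issues a HIPAA reviewer would flag."""
    parser = FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme
        phi_fields = [f for f in form["fields"]
                      if any(h in f.lower() for h in PHI_HINTS)]
        issues = []
        if scheme != "https":
            # Browser-to-server encryption is exactly what the SSL/TLS certificate buys;
            # an http:// action sends the PHI in the clear regardless of the page's scheme.
            issues.append("form submits over %s, not https" % (scheme or "unknown scheme"))
        if form["method"] == "get" and phi_fields:
            # Even over TLS, GET places the field values in the URL, where they end up
            # in server logs, proxy logs and browser history.
            issues.append("GET method puts field values into the URL")
        findings.append({"action": form["action"], "phi_fields": phi_fields, "issues": issues})
    return findings


# Constructed sample page: one intake form done right, one legacy contact form done wrong.
SAMPLE_PAGE_URL = "https://clinic.example/contact"
SAMPLE_HTML = """
<form action="/intake" method="post">
  <input name="full_name"> <input name="phone">
  <textarea name="symptoms"></textarea>
  <input type="submit" value="Send">
</form>
<form action="http://legacy.example/contact.php" method="get">
  <input name="name"> <input name="email">
  <textarea name="message"></textarea>
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print("%s  fields=%s  %s" % (finding["action"], finding["phi_fields"], status))
```

Run it against the rendered HTML of each page that hosts a form; a live review should also confirm that the certificate on the form’s target host is valid and that the page itself is only reachable over HTTPS.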

3. Emailing patients is okay, even if the email on their end is unencrypted

The first thing that you need to know about HIPAA and email communication with patients is that HIPAA provides very few specific guidelines about what is acceptable and what isn’t when it comes to electronic messaging. One important thing that we do know is that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

Many providers think that using encrypted email is enough of a precaution; however, that is incorrect. Even though your hospital or practice encrypts its end of the email transport, there is no way to ensure that the communication is secure once it leaves your organization’s server. Still, this doesn’t mean that emailing patients is off the table.

Communicating with patients via email is perfectly acceptable as long as the patient requests to be contacted by email and is advised of the risks, ideally signing (or clicking) an opt-in agreement. Just make sure that you document the patient’s approval for your protection and are using a secure email system on your end.

Recommended reading: 

The Facts about HIPAA and Email/SMS Communication with Patients

Is Skype HIPAA Compliant?

For more information about HIPAA compliance best practices and how a patient portal helps make HIPAA secure messaging easy, contact a Bridge Patient Portal sales representative.


Avoid High Interface Costs & Pushback From EHR Vendors

Interoperability is necessary for the attainment of a more efficient healthcare system and the use of HIEs. It puts important patient data at physicians’ fingertips, allowing for more informed decision-making and better continuity of care. Interoperability is on the rise, spurred by government efforts to increase health information exchange; however, barriers by EHR vendors often make it difficult for organizations to effectively share patient data.

If the number of EHR companies advertising interoperability at HIMSS in recent years is any indication of vendor commitment to the cause, one would think that connecting EHR software to third-party solutions is easy. The reality, however, is altogether different. Despite government efforts (i.e. MACRA) to drive changes in the ability of disparate IT systems to connect to one another, exchange data and use the information that has been exchanged, interoperability remains a big challenge for many healthcare organizations. Integration standards such as CCD and FHIR are great concepts, but CCD has been mainstream for many years and EHR vendors still struggle to produce a quality CCD file.

Part of the blame for the lack of progress on interoperability can be placed on some of the larger EHR vendors that make it difficult for organizations to integrate third-party software solutions with their EHRs. In most cases, large medical practices can expect to spend anywhere between $5,000 and $20,000 for uni-directional data feed access. These prices increase dramatically as complexity increases and for larger hospitals and health systems. This is not cheap, and it’s not the only obstacle that EHR vendors can legally put in the way.

In addition to charging exorbitant fees for interface development, vendors also create barriers to interoperability in the following ways:

  • They prohibit access to the EHR database outright.
  • They allow read-only access to the data feed.
  • They allow data to be sent, but not received in any way.
  • They delay the process to the point where interest by the physician is lost.

“One reason big EHR companies have this policy where they try to limit data feed access is that they’re afraid of customers getting away from them,” says Kemp Stephens, VP of Sales at PrognoCIS. “The customer might notice deficiencies in the EHR system, or they might find things they like better about the other product and consider using that company for other things as well.” PrognoCIS welcomes third-party integrations with its EHR, working with companies like Bridge Patient Portal, which specializes in hospital, clinic, IDN and HIE patient portals, to deliver solutions that truly meet customers’ needs.

Though it is becoming more and more difficult for vendors to place obstacles in the way of interoperability without losing customers to more forward-thinking companies, for now the problem remains, and physicians must find alternative ways to get around vendor restrictions.

“It takes an educated consumer to know how to approach that conversation with their EHR vendor,” says Leana Gorsline, Director of Business Development for X-Link. Similar to other medical software interfacing companies, X-Link educates physicians on the options available to them in terms of finding workarounds for affordable interface development.

So, what exactly are the options for practices that want to integrate a third-party patient portal or practice management system with their EHR?

Choose a vendor that is truly committed to interoperability.

Though connecting to the EHR database may not be a necessity now for all healthcare organizations, it will be at some point in order to achieve a truly interoperable health IT infrastructure. For this reason, it is important for physicians to have a discussion about interoperability with their EHR vendor early on, this way expectations are clear if and when data feed access is needed. The earlier this discussion is carried out the better, as the negotiation process could get drawn out, delaying potentially critical software integrations.

Two things to consider when searching for an EHR vendor that really cares about interoperability and that won’t make it difficult to support an integration:

  • Look for a vendor that has a functioning API with timelines for access to the API and clearly documented pricing schedules.
  • Look for a vendor that has a relationship with a third-party company or interface engine that can facilitate the integration.

Work with a third-party company that can go right to the database.

When an EHR vendor isn’t able to bundle their practice management software or patient portal with their EHR, they may look for ways to offset the cost of the solutions that they weren’t able to sell. Charging expensive interface fees is one way to recover lost revenue. Third-party interfacing companies can oftentimes provide the same services, but for a fraction of the cost.

The demand for companies that service the needs of underserved EHR customers is growing faster than ever, and it is being driven by the need for interoperability and the shortcomings of larger EHR vendors. X-Link and MTS Healthcare are two examples of companies that partner with vendors such as Bridge in order to provide valuable third-party interfacing services. Both have developed unique methodologies for navigating vendor policies and keeping costs down for physicians. This is all done with permission from the healthcare organization after verifying that such access is permitted in the end-user license agreement.

Many third-party companies also offer custom integrations as an alternative to the out-of-the-box interface solutions offered by EHR vendors. Interface technology that allows selected data types (e.g. appointments or demographics) to be sent to unconventional destinations is becoming a necessity, and at a low cost. Most vendor-led solutions are either too costly or do not fit the functionality needs of customers. Solutions like X-Link cater to these specific needs and even surpass them by providing a means to customize off-the-shelf interface solutions to each customer’s needs.

Bridge offers an integrated patient portal through interfaces developed into many of the leading EHR vendors, namely NextGen, GE Centricity and Allscripts.

For more information on Bridge’s current interface capabilities please see the following link.

Bridge Patient Portal Announces Security Partnership with AccelOne

Leading patient portal technology company Bridge Patient Portal partners with AccelOne for IT security and cloud scalability services.

Bridge Patient Portal, a leading provider of cloud-based patient engagement and portal software for healthcare practices, hospitals and telemedicine businesses, today announced a partnership with IT security and cloud scalability experts AccelOne. AccelOne will be providing security audit services for Bridge Patient Portal (Bridge) to ensure that Bridge continues to meet the strictest security standards possible in order to safeguard Personal Health Information (PHI) which is contained within the patient portal.

While Bridge maintains ONC-ACB 2014 certification, which inherently has a strong emphasis on security, Bridge also conducts its own internal security audits and utilizes third parties such as AccelOne for ongoing security testing.

“We’re continually looking to ensure the highest level of security in our application,” says Bridge Patient Portal founder and CEO John Deutsch. “As an additional precaution, we work with other experienced companies to ensure our patient portal meets the highest standards for security available in the industry.”

In addition to security testing, AccelOne will also be providing Amazon Web Services (AWS) cloud server scalability solutions and load testing for Bridge to ensure application performance in large implementations such as hospital networks and managed care organizations. As part of the testing process, Bridge will conduct advanced load tests, implement subsequent upgrades to its cloud servers, and enhance performance execution within the application code itself.

“It’s an exciting project to develop a cutting-edge solution where we are working with both an established platform and the requirement to meet stringent HIPAA security guidelines,” says Scott Craig, co-founder and CEO of AccelOne.

About Bridge Patient Portal
Bridge Patient Portal Corporation is a technology company dedicated to changing the provider-patient relationship through software and professional services that help providers engage their patients online. Bridge is committed not only to selling great SaaS software, but also to taking an active role in assisting providers to engage their patients. With a long history in electronic health record software and web development, their extensive experience has enabled them to deliver advanced solutions to today’s most complex patient portal implementations. For more information, visit http://www.bridgepatientportal.com.

About AccelOne
AccelOne LLC provides custom software development services to companies worldwide. Its services include system analysis, IT security, technical documentation, training for developed programs, service and support, and the maintenance of existing systems and applications. The company also provides quality assurance services, such as functional, usability, integration, system, sanity, performance, error handling, database, end-to-end, and automated testing. AccelOne believes that attention to communication is paramount to delivering quality software and essential to ensuring successful outcomes for clients. For more information, visit http://accelone.com.

View the original press release here.

Are SaaS Software Applications and Cloud Servers HIPAA Compliant?

As a provider of patient portal, SaaS software and hosting solutions to the medical industry, we get asked this question a lot. Unfortunately, there’s very little information available on the internet that addresses this specific issue – and what does exist is generally false or part of a sales pitch by a company trying to market “HIPAA-certified hosting solutions” or other HIPAA-compliant health IT solutions.

Before we can answer this question correctly, we must first understand what HIPAA is and how it relates to software, hosting and other healthcare IT solutions.

The Health Insurance Portability and Accountability Act was enacted in 1996 to address the growing use of technology in healthcare, specifically the transaction of health information between providers, employers and health insurance plans. You don’t need to read the entire 349-page document to understand a few important principles of HIPAA.

Here are a few things you should know about HIPAA.

1. HIPAA makes almost zero reference to technical specifications required for hardware, software, security, etc. Even if it did, it would be completely out of date since its publishing in 1996, and surely would not contain much relevant information pertaining to new technologies like SaaS software and cloud hosting. Therefore, it’s important not to read into false claims made by companies about the use of certain brands of firewalls, servers, operating systems or server architectures.

2. You cannot be “HIPAA certified.” HIPAA is a set of rules and best practices. There is no government certifying body that certifies software, hosting companies or health organizations for HIPAA.

3. You can be audited by a variety of governing bodies for HIPAA compliance. Other certifications do exist that may include some of the rules or best practices found in the HIPAA guidelines. Some of these certifications include:

a) SSAE16 – An auditing standard created primarily for the financial services industry verifying hosting companies’ physical and software security standards. Hosting companies that are audited receive reports demonstrating compliance for SOC 1, SOC 2 or SOC 3.

b) ONC-ATC – A certification for healthcare software companies that certifies their software on a variety of security and functional criteria.

Taking the above items into account, the answer to whether cloud servers and SaaS applications are HIPAA-compliant is that these technologies are only one part of the bigger picture of how PHI is handled. Even if a HIPAA certification for SaaS software existed, it would not guarantee HIPAA compliance, since there could still be faults in the hosting, in the computer being used, or in the behaviour of a user running the software in a public place, in full view of passers-by.

There is no specific provision in the HIPAA guidelines that prohibits the architecture of a cloud server, VPS server or SaaS application (even though by nature these are “shared” architectures). One must, however, consider the HIPAA guidelines that do exist pertaining to encryption, user authentication and other “best practices.”

This article was originally published on the Medical Web Experts blog.

A Definitive Explanation of the HIPAA Omnibus Rule

This article applies to Covered Entities (any health care provider, health plan, or health care clearinghouse) and Business Associates (any person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity).

With new HIPAA regulations and enforcement procedures having taken effect last year, it is important for HIPAA-covered healthcare entities to reexamine their obligations and ensure that the proper safeguards are in place to preserve the privacy of their patients’ protected health information (PHI).

The biggest challenge for organizations is ensuring compliance with the new HIPAA Omnibus Rule, which became effective on March 26, 2013. Though the rule allowed covered entities and business associates (BA) 180 days to adhere to most of its provisions, now, months after the September 23 compliance deadline has passed, the pressure is on to get in compliance.

Below we’ll discuss a few of the main areas that physicians must focus on to comply with the new ruling.

How Does the HIPAA Omnibus Rule Affect Relationships With Business Associates?

Relationships with business associates can be a point of vulnerability for hospitals and physicians if the proper steps aren’t taken to ensure compliance at both ends.

In the past, liability for data breaches fell on covered entities; with the new HIPAA rule, things have changed. The most significant change, as far as business associates (BAs) are concerned, is that the Omnibus Rule makes BAs of covered entities, and subcontractors of those BAs, directly liable for compliance with certain HIPAA Privacy and Security requirements.

This means that a subcontractor who creates, receives, maintains, or transmits PHI on behalf of a business associate is also considered a HIPAA business associate and is therefore “on the hook” for compliance with applicable rules (e.g. Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc.).

Additionally, business associates are now required to put the necessary safeguards in place and have the proper documentation to ensure HIPAA compliance. This includes providing a Business Associate Agreement to the covered entities they work with, in addition to “satisfactory assurances” that their PHI will be protected as required by HIPAA rules. Business associates must get this same agreement and assurance from subcontractors.

Although contractors and subcontractors have been made directly liable, there has not yet been a lot of enforcement taking place. There has, however, been a significant increase in enforcement over the past year on covered entities. This means that if you are a covered entity and have not yet been contacted, you could be next in line; so it is better to deal with compliance now than to have to scramble at an unexpected time.

Privacy Breaches: Who Is Responsible?

Under the old standard, a reportable privacy breach was one that involved the “unauthorized use or disclosure of PHI that posed a significant risk of financial, reputational or other harm to the affected individual.” With the new HIPAA ruling, however, “all unauthorized uses and disclosures of PHI are presumed to be reportable breaches.” That is, unless a risk assessment is conducted and it is determined that there is a low probability that the PHI has been compromised.

Whereas before, covered entities were fully responsible for breaches and expected to watch over their business associates, in the event of a data breach authorities will now go after the source of the violation, be it the covered entity, the business associate or the subcontractor.

As far as penalties go, the new HIPAA rule has set a formal penalty scheme for breaches and noncompliance. The four categories of violation include:

HIPAA Violation Penalty Tiers (table not reproduced here)

How to Ensure Your Healthcare Organization Is In Compliance

You can achieve compliance with the new HIPAA regulations using only free resources. The Department of Health and Human Resources offers this guide to conducting a risk analysis on your own. There are also affordable solutions from compliance experts who can take care of the process for you and provide a much higher level of assurance than you can get on your own. Prices range from about $500 to $3,000.

Just remember, remaining compliant is an ongoing process – and it is important to work only with business associates that are familiar with HIPAA privacy and security regulations. These contractors will not only have the proper agreements in place, but they will also be less likely to violate HIPAA since they understand the risks. Many companies, such as web and email hosting vendors, are completely unfamiliar with HIPAA and all it entails, so be sure to ask about their HIPAA compliance policies before entering into any agreements.

This article was originally published on the MWE blog.

Welcome to the Patient Engagement Blog

We’re excited to be launching the Bridge Patient Portal Patient Engagement Blog! The blog will be a useful source of information for physician practices, hospitals, telemedicine businesses and other healthcare organizations regarding patient engagement, patient portal software, other healthcare technologies, and more.

We’ll be updating the blog with articles and news stories frequently, so check back to see what’s new!