* Protecting digital files under HIPAA
* Getting physician buy-in for compliance efforts
* Tips for drafting business associate agreements

Visit Complianceinfo.com

On Complianceinfo.com

Sample compliance policies and procedures. (For subscribers to Strategies for Health Care Compliance only)

The OIG Work Plan for Fiscal Year 2003

Ask the Expert

Tip of the Week

Compliance Hot Topics: Billing and Coding, EMTALA, Stark, HIPAA

Question of the Week

Welcome to Compliance Monitor Q&A!

Our mission is to answer your difficult compliance questions-and your simple ones, too. To submit a question, send it to Compliance Monitor Q & A editor Laura Motta at lmotta@hcpro.com. We hope you enjoy this service and we welcome your feedback.

This week's questions

• Protecting digital files under HIPAA
• Getting physician buy-in for compliance efforts

• Tips for drafting business associate agreements

• How big a challenge is it to effectively and efficiently respond to patient complaints at your facility?

Q: Many of our clients have asked whether zipping or password protecting data or report files is a "reasonable precaution" to safeguard health information under the Health Insurance Portability and Accountability Act (HIPAA). We've heard so many conflicting things. Can you give us some guidance?

A: Your clients are probably confused because zipping and password protecting files may not be necessary. On the other hand, it may not be enough. We do know this: HIPAA requires each covered entity to identify its risks for improper disclosure of protected health information (PHI), and take reasonable safeguards to prevent those improper disclosures from occurring. The government did not define reasonable safeguards.

So when you store PHI, think of your risks as ways someone could gain improper access. For electronic storage, you should consider such issues as

• login and password management
• permissions on files and directories
• network and Internet connections
• firewalls

Encryption of stored files may give an additional level of protection, particularly if other protections are lacking.

When you transmit PHI electronically, you risk that it might fall into the wrong hands. For electronic transmission, you must be aware of sender/receiver validation, tampering in transit, public or private medium, and the transmission mechanism. Encryption is probably a good idea in all but the smallest of networks, or point-to-point (such as modem-to-modem) connections.

Also remember that password-based encryption is only as secure as the password. Encrypting all files or all transmissions with a single password, or sending the password in an unencrypted e-mail concurrent to the encrypted one, gives you little protection.

A note about e-mail: HIPAA's final security rule does not require encryption of PHI transmitted over public networks, such as the Internet. This seems to allow you to use standard, unencrypted e-mail for PHI. We strongly discourage this, though. E-mail messages are stored on servers as they travel and await delivery. Even if you delete an incoming message, a copy probably still exists on a server somewhere. We anticipate that this practice will not meet the "reasonable safeguards" standard.

This question was answered by Marion Neal, President of HIPAASimple.com.

Back to top

Is your Chargemaster up-to-date?

If not, you could be losing thousands of dollars and jeopardizing your compliance standing with the government. Don't take chances! Plan to spend 90 minutes on June 17 for an important audioconference, "Essential Chargemaster Maintenance: Best Practices to Ensure Positive Financial Outcomes and Compliance." It's a small investment compared to what you could be losing.

To learn more or to register, CLICK HERE or call our customer service department at 800/650-6787. Be sure to mention source code EZ0175A.

Go to "Tips for drafting business associate agreements" for the rest of this article. The cost is $10. Subscribers to the online version of Strategies for Health Care Compliance have free access to this article. Subscribers to the print edition can find it in their June issues.

A $30 steal!

You can read this article-and much more-in the June issue of Strategies for Health Care Compliance. Your cost: Four stories for only $30! You'll learn how compliance leaders spoke out about quality of care, and about the criminal responsibility for overutilization of services. Choose between a PDF or HTML version for just $30. Online subscribers have free access to this issue. Print newsletter subscribers can find it in their mailboxes.

Back to top

Avoid FCA prosecution for poor quality of care

Join HCPro for the 90-minute live audioconference, "Quality of Care Meets Corporate Compliance: How to Avoid Prosecution Under the False Claims Act" and learn how to enhance your facility's quality improvement process to comply with all government billing and patient safety regulations.

This program will be presented on Thursday, June 19th, 2003, at 1:00-2:30pm (Eastern). To register or learn more, click here. Or, call 800/650-6787 and mention source code EZ0873A.

A: To read the answer to this question, click here.

Back to top

HCPro is seeking your feedback to ensure that we bring you the most useful information. Please take a moment to complete the following survey on auditing and monitoring your facility's compliance with the HIPAA privacy rule. To show our appreciation for your participation, we will enter your name into a drawing, and one lucky respondent will receive $50. Please click here to begin taking the online survey.

Quick Survey

How big a challenge is it to effectively and efficiently respond to patient complaints at your facility?

To submit your answer, go to the Question of the Week at Complianceinfo.com.

Here are the answers to the last survey:

Do you have a patient complaint procedure?

• Yes: 99%
• No: 1%

Back to top

Share the news!

You've been benefiting from our informative e-mail newsletter, so why not pass on this resource to your peers? Sign up a colleague and get $20 off your next purchase on HCPro's Healthcare Marketplace!

Send your comments and questions about Compliance Monitor Q&A to:

Laura Motta
Editorial Assistant
lmotta@hcpro.com