<?xml version="1.0" encoding="UTF-8"?> <rss xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">   <channel>     <title>HCPro.com - HIM-HIPAA Insider</title>     <link>http://www.hcpro.com/publication-enewsletter-866-department-corporate-compliance</link>     <description>This is an HCPro Company.</description>     <language>en-us</language>     <copyright>Copyright 2013 HCPro</copyright>     <item>       <title>Notice: Final issue of HIPAA Weekly Advisor</title>       <link>http://www.hcpro.com/HIM-281555-866/Notice-Final-issue-of-HIPAA-Weekly-Advisor.html</link>       <description>&lt;div&gt;HCPro is sorry to report that this is the last issue of &lt;b&gt;HIPAA Weekly Advisor. &lt;/b&gt;We thank you for being a loyal subscriber.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;To keep you up-to-date on the latest HIPAA news and information, you will soon begin receiving another e-newsletter, &lt;b&gt;HIM and HIPAA Connection.&lt;/b&gt;&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;If you are interested in another e-newsletter topic, there are other options for you. You can sign up for any of our other free e-newsletters. They cover a variety of topics from HIM and privacy and security to coding and revenue cycle information. 
&lt;a href="http://www.hcmarketplace.com/free/e-newsletters/"&gt;Click here&lt;/a&gt; to sign up for one of our other e-zines.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;As always, thank you for reading.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Sincerely,&lt;br /&gt;&#xD; &lt;br /&gt;&#xD; &amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Andrea Kraynak, CPC&lt;/div&gt;&#xD; &lt;div&gt;Senior Managing Editor&lt;/div&gt;&#xD; &lt;div&gt;HCPro&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;&lt;a href="mailto:akraynak@hcpro.com"&gt;akraynak@hcpro.com&lt;/a&gt; &lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 02 Jul 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>Professor to file complaints against provider for HIPAA violations</title>       <link>http://www.hcpro.com/HIM-281556-866/Professor-to-file-complaints-against-provider-for-HIPAA-violations.html</link>       <description>&lt;p&gt;A University of Utah health law professor said she is filing complaints with OCR and the Federal Trade Commission in light of the state&amp;rsquo;s Medicaid breach that saw hackers steal patient information from the Department of Technology Services in March, according to &lt;a href="http://www.sltrib.com/sltrib/news/54304777-78/information-health-medicaid-utah.html.csp"&gt;&lt;em&gt;The Salt Lake Tribune&lt;/em&gt;&lt;/a&gt;.&lt;/p&gt;&#xD; &lt;div&gt;Utah Department of Public Health (UDOH) officials said hackers stole the Social Security numbers of an estimated 280,000 Medicaid beneficiaries, and made off with less-sensitive personal information of an additional 500,000 individuals. 
The March 30 breach affected 780,000 people.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Leslie Francis, the professor, told &lt;em&gt;The Tribune&lt;/em&gt; that she learned her information was sent to UDOH by a provider inquiring whether she was covered by Medicaid.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; She said she is insured through her employer.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Francis claims the company&amp;rsquo;s privacy notice violates HIPAA because it doesn&amp;rsquo;t contain &amp;ldquo;sufficient detail&amp;rdquo; about its handling of patient data, according to &lt;em&gt;The&lt;/em&gt; &lt;em&gt;Tribune.&lt;/em&gt;&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Get the latest HIPAA news and information on the &lt;a href="http://blogs.hcpro.com/hipaa/2012/06/professor-to-file-complaints-against-utah-provider-for-hipaa-violations/"&gt;HIPAA Update blog&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 02 Jul 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>HIPAA Q&amp;A: HIPAA and electronic signatures</title>       <link>http://www.hcpro.com/HIM-281557-866/HIPAA-QA-HIPAA-and-electronic-signatures.html</link>       <description>&lt;p&gt;&lt;b&gt;Q: Are digital signatures permissible on custodian affidavit/declaration forms? Signing electronically instead of printing, signing, and scanning would streamline our process. We've never seen electronic signatures on these forms. Are they admissible in court? Some jurisdictions require original signatures, but we're uncertain what California requires. Are the &amp;shy;federal e-Sign Act or California's e-Sign law applicable? Our &amp;shy;organization has locations in 18 states.&lt;/b&gt;&lt;/p&gt;&#xD; &lt;div&gt;&lt;b&gt;A: &lt;/b&gt;Digital signatures on custodian affidavit/declaration forms generally are permissible. 
They meet the more stringent digital signature requirement eliminated when the HIPAA Security Rule was finalized in 2003. Consult legal counsel to determine whether your state allows use of digital signatures on these forms. Some state laws require that certain documents are signed physically, but this is not a HIPAA requirement.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Electronic and digital signatures differ significantly-legally and technically. Federal law and many state laws allow electronic signatures on some documents. Electronic signatures can be a picture of a signature, an agreed-upon string of characters, a symbol, a signature typed into a signature block in an &amp;shy;electronic form, and other personal non-encrypted, agreed-upon identifiers.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;A digital signature is an encrypted &amp;quot;hash&amp;quot; or tag that is registered to an individual and &amp;shy;accompanies transmission of electronic data or forms signed via computer. They are much more reliable than electronic signatures because they allow recipients to validate senders and prevent repudiation at a later date.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;Editor's note: &lt;b&gt;Chris Apgar, CISSP,&lt;/b&gt; president of Apgar &amp;amp; Associates, LLC, in Portland, Ore. answered this question, which first appeared in the May &lt;/i&gt;&lt;a href="http://www.hcmarketplace.com/prod-162/Briefings-on-HIPAA.html"&gt;&lt;b&gt;Briefings on HIPAA&lt;/b&gt;&lt;/a&gt;&lt;i&gt;. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum. 
&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 02 Jul 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>What you might not know about OCR HIPAA audits</title>       <link>http://www.hcpro.com/HIM-281558-866/What-you-might-not-know-about-OCR-HIPAA-audits.html</link>       <description>&lt;p&gt;&lt;b&gt;Elizabeth H. Johnson, Esq.,&lt;/b&gt; has been keeping an ear close to the ground with respect to ongoing OCR HIPAA audits.&lt;/p&gt;&#xD; &lt;div&gt;Healthcare organizations might be surprised by what auditors are requesting and focusing on, says &amp;shy;Johnson, a partner at Poyner Spruill, LLP, a North Carolina law firm.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Johnson, whose practice in Raleigh focuses on privacy, information security, and records management law, listens closely to what those in the know are saying about the audit process. Her work with the KPMG audit team on a recent project offered &amp;shy;additional insight into the process. KPMG is the company hired by OCR to &amp;shy;conduct the HIPAA audits required by the HITECH Act.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;KPMG has completed 20 initial trial audits and expects to conduct at least 95 more audits aimed at &amp;shy;measuring HIPAA compliance at randomly selected healthcare organizations by the end of 2012. 
In a second wave of audits since the initial trial, HHS has sent another 25 &amp;shy;notification letters to healthcare organizations.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;Read more in the July issue of&lt;b&gt; &lt;a href="http://www.hcpro.com/HIM-281005-162/What-you-might-not-know-about-OCR-HIPAA-audits.html"&gt;Briefings on HIPAA&lt;/a&gt;.&lt;/b&gt;&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 02 Jul 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>Notice: Second to last issue of HIPAA Weekly Advisor</title>       <link>http://www.hcpro.com/HIM-281551-866/Notice-Second-to-last-issue-of-HIPAA-Weekly-Advisor.html</link>       <description>&lt;p&gt;HCPro is sorry to report that this is the second to last issue of &lt;b&gt;HIPAA Weekly Advisor. &lt;/b&gt;We thank you for being a loyal subscriber.&lt;/p&gt;&#xD; &lt;div&gt;To keep you up-to-date on the latest HIPAA news and information, you will soon begin receiving another e-newsletter, &lt;b&gt;HIM and HIPAA Connection.&lt;/b&gt;&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;If you are interested in another e-newsletter topic, there are other options for you. You can sign up for any of our other free e-newsletters. They cover a variety of topics from HIM and privacy and security to coding and revenue cycle information. 
&lt;a href="http://www.hcmarketplace.com/free/e-newsletters/"&gt;Click here&lt;/a&gt; to sign up for one of our other e-zines.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;As always, thank you for reading.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Sincerely,&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Andrea Kraynak, CPC&lt;/div&gt;&#xD; &lt;div&gt;Senior Managing Editor&lt;/div&gt;&#xD; &lt;div&gt;HCPro&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;&lt;a href="mailto:akraynak@hcpro.com"&gt;akraynak@hcpro.com&lt;/a&gt; &lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 25 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>California releases HIPAA security toolkit</title>       <link>http://www.hcpro.com/HIM-281552-866/California-releases-HIPAA-security-toolkit.html</link>       <description>&lt;p&gt;California was long been considered to have one of the most stringent state data privacy and security laws.&lt;/p&gt;&#xD; &lt;div&gt;Now they&amp;rsquo;re becoming one of the better trainers.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;The California Health and Human Services Agency&amp;rsquo;s (CHHS) Office of Health Information Integrity (CalOHII) last week announced the release of its HIPAA Security Rule Toolkit. The online toolkit will provide aid to organizations in California to help them better understand the requirements of the HIPAA Security Rule and assist organizations in implementing HIPAA requirements, according to a release from the &lt;a href="http://californiahia.org/node/550"&gt;California Health Information Association&lt;/a&gt;. 
The online toolkit can be accessed on the&lt;a href="http://ohii.ca.gov/calohi/"&gt; CalOHII website&lt;/a&gt;.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;&amp;ldquo;This new tool will allow organizations to assess their level of compliance with Federal HIPAA requirements, as well as areas where they have opportunities to strengthen their programs,&amp;rdquo; said Pamela Lane, deputy secretary of the state&amp;rsquo;s Health Information Exchange. &amp;ldquo;This represents the first offering of its kind in California, and will serve as a tool in assisting our provider communities in the complex security arena.&amp;rdquo;&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;For the latest HIPAA news and information, visit the &lt;a href="http://blogs.hcpro.com/hipaa/"&gt;HIPAA Update blog&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 25 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>HIPAA Q&amp;A: Sharing patient information with specialists</title>       <link>http://www.hcpro.com/HIM-281553-866/HIPAA-QA-Sharing-patient-information-with-specialists.html</link>       <description>&lt;p&gt;&lt;b&gt;Q: &lt;/b&gt;A patient who presented with an order from the primary care physician for lab work had also seen a specialist who ordered x-rays. Both physicians were entered into the system, and both received the laboratory test results and x-rays. The patient said this violated HIPAA because the specialist did not need the laboratory test results. 
Did this violate HIPAA?&lt;/p&gt;&#xD; &lt;div&gt;&lt;b&gt;A: &lt;/b&gt;Pursuant to the HIPAA Privacy Rule [45 CFR 164.502(b)(2)(i)], the minimum necessary standard does not apply when sharing patient information for treatment purposes.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;The ultimate question is whether the specialist needed to see the laboratory &amp;shy;results with respect to the care being provided. If the answer is yes, the disclosure did not violate HIPAA.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;If the specialist should not have &amp;shy;received the laboratory results, a breach-although not necessarily a reportable breach-may have occurred. This merits investigation because it would constitute a security incident. All security incidents should be investigated, regardless of whether a breach occurred.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;You should investigate this incident. You are not &amp;shy;required to notify the patient or OCR if you &amp;shy;conclude upon investigation that the patient will not experience significant harm. Refer to 45 CFR 164.402.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;You must document the investigation. Responding to the patient complaint and explaining that you are taking steps to implement practices to prevent future similar occurrences is advisable.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Work with the laboratory to the extent feasible to prevent transmission of PHI to providers without a &amp;quot;need to know.&amp;quot;&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;Editor's note: &lt;b&gt;Chris Apgar, CISSP,&lt;/b&gt; president of Apgar &amp;amp; Associates, LLC, in Portland, Ore. 
answered this question, which first appeared in the May &lt;/i&gt;&lt;a href="http://www.hcmarketplace.com/prod-162/Briefings-on-HIPAA.html"&gt;&lt;b&gt;Briefings on HIPAA&lt;/b&gt;&lt;/a&gt;&lt;i&gt;. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum. &lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 25 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>Begin with code of conduct, policies, and procedures</title>       <link>http://www.hcpro.com/HIM-281554-866/Begin-with-code-of-conduct-policies-and-procedures.html</link>       <description>&lt;p&gt;Healthcare organizations face increasingly complex privacy and security issues as they cope with new technology, but many organizations are still struggling with the basics of establishing a compliance program.&lt;/p&gt;&#xD; &lt;div&gt;A natural place to begin is a code of conduct, and policies and procedures, says &lt;b&gt;Frank Ruelas, MBA,&lt;/b&gt; principal of HIPAA College in Casa Grande, Ariz.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Compliance officers in small organizations may be responsible for compliance with all regulations. In larger organizations, one or more individuals may be specifically responsible for HIPAA compliance. 
Regardless of organization structure, basic principles apply.&lt;/div&gt;&#xD; &lt;p&gt;&lt;i&gt;Read more in the July issue of&lt;b&gt; &lt;a href="http://www.hcpro.com/HIM-281006-162/Begin-with-code-of-conduct-policies-and-procedures.html"&gt;Briefings on HIPAA&lt;/a&gt;.&lt;span&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/b&gt;&lt;/i&gt;&lt;/p&gt;</description>       <pubDate>Mon, 25 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>ONC says HIPAA mega rule out by end of summer</title>       <link>http://www.hcpro.com/HIM-281327-866/ONC-says-HIPAA-mega-rule-out-by-end-of-summer.html</link>       <description>&lt;p&gt;The national coordinator for health information technology says the HIPAA mega rule including modifications to the privacy and security rule, breach notification and enforcement should be published by the end of summer, &lt;a href="http://www.healthdatamanagement.com/news/privacy_HIPAA-44573-1.html"&gt;&lt;font color="#0000ff"&gt;&lt;i&gt;HealthData Management&lt;/i&gt; reported June&lt;/font&gt;&lt;/a&gt; 6.&lt;/p&gt;&#xD; &lt;div&gt;Farzad Mostashari made the announcement during the opening keynote of the Health Privacy Summit in Washington, D.C.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;OCR made the final step in March before publishing final rules on HIPAA/HITECH, sending its rules to the Office of Management &amp;amp; Budget (OMB) March 24 for a review.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Once OMB completes the review &amp;mdash; which can last up to 90 days &amp;mdash; the rules will be published. 
OCR packaged four rules into one under the title, &amp;ldquo;Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.&amp;rdquo; The final rules will include:&lt;/div&gt;&#xD; &lt;ul type="disc"&gt;&#xD;     &lt;li&gt;Modifications to the HIPAA Privacy and Security Rules (namely making business associates and subcontractors liable and responsible for security-rule compliance and the use and disclosures provision of the privacy rule)&lt;/li&gt;&#xD;     &lt;li&gt;Enforcement (new penalty levels)&lt;/li&gt;&#xD;     &lt;li&gt;Breach notification&lt;/li&gt;&#xD;     &lt;li&gt;Modifications of the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008&lt;/li&gt;&#xD; &lt;/ul&gt;&#xD; &lt;div&gt;Each rule is required by HITECH, signed into law in 2009 and enhancing privacy and security protections and enforcement.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;Susan McAndrew, OCR&amp;rsquo;s deputy director for health information privacy, said at the 20th HIPAA Summit March 26 at the Renaissance Hotel in Washington, DC, that OCR will also publish guidance on business associate contracts, de-identification, and conducting risk assessments to determine breaches.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;For the latest HIPAA news and information, visit the &lt;a href="http://blogs.hcpro.com/hipaa/"&gt;&lt;font color="#0000ff"&gt;HIPAA Update blog&lt;/font&gt;&lt;/a&gt;.&lt;/div&gt;</description>       <pubDate>Mon, 18 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>OCR director releases 'right to access' memo</title>       <link>http://www.hcpro.com/HIM-281328-866/OCR-director-releases-right-to-access-memo.html</link>       <description>&lt;p&gt;OCR&amp;rsquo;s director released a memorandum May 31 highlighting the importance of a patient&amp;rsquo;s rights to his or her medical record under the &amp;ldquo;right 
to access&amp;rdquo; component of the HIPAA Privacy Rule.&lt;/p&gt;&#xD; &lt;div&gt;&amp;ldquo;The right to see and get a copy of your medical records (called the right to access) is fundamental to your ability to participate in our healthcare system,&amp;rdquo; wrote Leon Rodriguez, OCR&amp;rsquo;s director. &amp;ldquo;For this reason, I know how important it is for you to be able to get your medical records. I see the value of access to health information every day as the Office for Civil Rights does its vital work as the primary protector of the privacy and security of that information under the Health Insurance Portability and Accountability Act.&amp;rdquo;&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; Rodriguez cited the example when military families need their medical records transferred in order to find the very best doctors and specialists or to enroll their children in a new school.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; Click here to read more on the &lt;a href="http://blogs.hcpro.com/hipaa/2012/06/ocr-director-releases-right-to-access-memo/"&gt;&lt;font color="#0000ff"&gt;HIPAA Update&lt;/font&gt;&lt;/a&gt; blog.&lt;/div&gt;</description>       <pubDate>Mon, 18 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>HIPAA Q&amp;A: Home health patient information books</title>       <link>http://www.hcpro.com/HIM-281329-866/HIPAA-QA-Home-health-patient-information-books.html</link>       <description>&lt;p&gt;&lt;b&gt;A: &lt;/b&gt;It is not a HIPAA violation. HIPAA addresses protecting the privacy of individuals' individually identifiable health information or PHI. If making certain information available to residents of a long-term care facility such as an assisted living facility is required by state law, the home health agency would be violating state law if the patient notifications are not made available to residents. 
There is no prohibition related to leaving what amounts to educational material for residents to review.&lt;/p&gt;&#xD; &lt;div&gt;If the purpose of the patient information book is to market certain services provided by the home health agency, it moves into that gray area in HIPAA regulations called marketing. As long as the same information is available to all residents and is not used for targeted marketing to certain individuals with specific diagnoses, it would not violate the marketing provisions of HIPAA or HITECH.&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;&lt;br /&gt;&#xD; Editor's note: &lt;b&gt;Chris Apgar, CISSP,&lt;/b&gt; president of Apgar &amp;amp; Associates, LLC, in Portland, Ore. answered this question, which first appeared in the May &lt;/i&gt;&lt;a href="http://www.hcmarketplace.com/prod-162/Briefings-on-HIPAA.html"&gt;&lt;b&gt;&lt;font color="#0000ff"&gt;Briefings on HIPAA&lt;/font&gt;&lt;/b&gt;&lt;/a&gt;&lt;i&gt;. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum. 
&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 18 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>HIPAA training materials for state attorneys general now available online</title>       <link>http://www.hcpro.com/HIM-280993-866/HIPAA-training-materials-for-state-attorneys-general-now-available-online.html</link>       <description>&lt;p&gt;The Office for Civil Rights (OCR) has released its &lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html"&gt;HIPAA enforcement training material&lt;/a&gt; developed for state attorneys general &amp;mdash; and it could be useful for all involved with HIPAA privacy and security compliance.&lt;/p&gt;&#xD; &lt;div&gt;&amp;ldquo;Although developed for state AGs, the training materials provide a great deal of information about the content and enforcement of the HIPAA Rules that may be of interest to a broader audience,&amp;rdquo; OCR said on its website.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; The training materials now available through the OCR website include videos and slides from in-person training sessions for state AGs that OCR conducted in 2011, as well as computer-based training modules. 
Topics include:&lt;/div&gt;&#xD; &lt;ul type="disc"&gt;&#xD;     &lt;li&gt;General introduction to the HIPAA Privacy and Security Rules&lt;/li&gt;&#xD;     &lt;li&gt;Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules&lt;/li&gt;&#xD;     &lt;li&gt;Investigative techniques for identifying and prosecuting potential violations&lt;/li&gt;&#xD;     &lt;li&gt;A review of HIPAA and state law&lt;/li&gt;&#xD;     &lt;li&gt;OCR&amp;rsquo;s role in enforcing the HIPAA Privacy and Security Rules&lt;/li&gt;&#xD;     &lt;li&gt;SAG roles and responsibilities under HIPAA and the HITECH Act&lt;/li&gt;&#xD;     &lt;li&gt;Resources for SAG in pursuing alleged HIPAA violations&lt;/li&gt;&#xD;     &lt;li&gt;HIPAA enforcement support and results&lt;/li&gt;&#xD; &lt;/ul&gt;&#xD; &lt;div&gt;The Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave state AGs the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.&lt;/div&gt;</description>       <pubDate>Mon, 11 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>The many days of HIPAA compliance</title>       <link>http://www.hcpro.com/HIM-280994-866/The-many-days-of-HIPAA-compliance.html</link>       <description>&lt;p&gt;HIPAA in 2011. 
Those 365 days were more about bad headlines for organizations:&lt;/p&gt;&#xD; &lt;ul type="disc"&gt;&#xD;     &lt;li&gt;Cignet Health fined $4.3 million in OCR&amp;rsquo;s first civil money penalty&lt;/li&gt;&#xD;     &lt;li&gt;UCLA Health System pays $865,000 to settle HIPAA violation claims&lt;/li&gt;&#xD;     &lt;li&gt;Massachusetts General Hospital agrees to pay $1 million for HIPAA breach&lt;/li&gt;&#xD; &lt;/ul&gt;&#xD; &lt;div&gt;The headlines just kept coming.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; In 2012, we want to keep the headlines going, but this year, we want to make more positive ones. HCPro, Inc., which publishes &lt;b&gt;HIPAA Weekly Advisor&lt;/b&gt; and the 12-page, print newsletter, &lt;b&gt;Briefings on HIPAA,&lt;/b&gt; wants to hear the good things that happen in the world of HIPAA compliance in 2012. We want to share your stories.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; Have a good headline from your organization? Decreased your HIPAA breaches? Implemented a successful training program? 
Let us know, and you and your organization could possibly be featured in one of our publications.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; Please share your stories with Senior Managing Editor Andrea Kraynak at &lt;a href="mailto:akraynak@hcpro.com"&gt;&lt;i&gt;akraynak@hcpro.com&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 11 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>Get your HIPAA privacy program in compliance</title>       <link>http://www.hcpro.com/HIM-280996-866/Get-your-HIPAA-privacy-program-in-compliance.html</link>       <description>&lt;p&gt;If you are a HIPAA privacy officer, it might be looking pretty scary out there, said &lt;b&gt;Adam Greene, JD, MPH.&lt;/b&gt;&lt;/p&gt;&#xD; &lt;div&gt;&amp;quot;We're really entering into a new era of enforcement,&amp;quot; said Greene, a partner at Davis Wright &amp;amp; &amp;shy;Tremaine, LLP, in Washington, D.C., and a former regulator at OCR, the government agency that enforces the HIPAA Privacy and Security Rules.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; Greene, who until last year was OCR's senior health IT and privacy specialist, spoke at the 20th National HIPAA Summit March 26 in Washington, D.C. &amp;quot;This is the year to take the training wheels off of your HIPAA program,&amp;quot; he told the audience. 
&amp;quot;Many organizations are still not riding that bike particularly well.&amp;quot;&lt;/div&gt;&#xD; &lt;div&gt;So what can organizations do in this era of increased enforcement?&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;&lt;a href="http://www.hcpro.com/HIM-279956-162/Get-your-HIPAA-privacy-program-in-compliance.html"&gt;&lt;br /&gt;&#xD; Click here&lt;/a&gt; to read more in the June issue of &lt;b&gt;Briefings on HIPAA.&lt;/b&gt;&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 11 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>HIPAA Q&amp;A: Level of encryption needed for email</title>       <link>http://www.hcpro.com/HIM-280997-866/HIPAA-QA-Level-of-encryption-needed-for-email.html</link>       <description>&lt;p&gt;&lt;b&gt;A.&lt;/b&gt; All ePHI, including email, is considered secure if it is secured at a level consistent with the National Institute of Standards and Technology (NIST). Most NIST documents are not easily decipherable to nontechnical individuals. Several different standards can be used to encrypt data transmitted via email. One common approved standard is the Advanced Encryption Standard (AES). A second, usually used for website encryption and webmail encryption, is Secure Socket Layers (SSL). Encrypting your email with AES or SSL, or another NIST approved standard, is a good place to start.&lt;br /&gt;&#xD; &lt;br /&gt;&#xD; The next step is determining the strength of the mathematical algorithm used to protect, or scramble, your data. An algorithm less than 128-bit is not secure. The greater the number of bits, the stronger the algorithm is. Many vendors and healthcare entities are transitioning to 256-bit encryption. 
This exceeds the NIST standard, but is worth considering because it provides better protection to any PHI you transmit via the Internet.&lt;/p&gt;&#xD; &lt;div&gt;The specific NIST standards that address PHI transmitted via &amp;shy;email are NIST &amp;shy;800-52, NIST 800-57, and &amp;shy;Federal &amp;shy;Information Processing Standards 140-2.&lt;br /&gt;&#xD; &lt;br /&gt;&#xD; OCR guidance published in &lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html"&gt;an FAQ&lt;/a&gt; may be helpful with respect to understanding what is considered &amp;ldquo;secure&amp;rdquo; electronic PHI when transmitted via the Internet or email&lt;i&gt;. &lt;/i&gt;&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;&lt;br /&gt;&#xD; Editor's note: &lt;b&gt;Chris Apgar, CISSP,&lt;/b&gt; president of Apgar &amp;amp; Associates, LLC, in Portland, Ore. answered this question, which first appeared in the May &lt;/i&gt;&lt;a href="http://www.hcmarketplace.com/prod-162/Briefings-on-HIPAA.html"&gt;&lt;b&gt;Briefings on HIPAA&lt;/b&gt;&lt;/a&gt;&lt;i&gt;. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum. &lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 11 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>Medical center loses laptop containing ICU patient health information</title>       <link>http://www.hcpro.com/HIM-280792-866/Medical-center-loses-laptop-containing-ICU-patient-health-information.html</link>       <description>&lt;p&gt;A laptop containing patient information was reported missing from a local physician office in mid-March, Our Lady of the Lake Regional Medical Center in Baton Rouge, La. 
reported on May 18 on the &lt;a href="http://www.ololrmc.com/body.cfm?id=778&amp;amp;action=detail&amp;amp;ref=1915"&gt;Medical Center&amp;rsquo;s website&lt;/a&gt;.&lt;/p&gt;&#xD; &lt;div&gt;The laptop contained health information (e.g., patient names, ages, dates of admission and discharge, and treatment results) for more than 17,000 patients who visited the adult intensive care unit (ICU) between 2000 and 2008. The laptop has not yet been recovered and the investigation continues, according to the press release.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;&amp;ldquo;We regularly review our physical and electronic safeguards to ensure that personally identifiable information remains private and secure. In light of this incident, we are taking additional, aggressive steps to examine new ways to further secure our data and prevent similar occurrences in the future. The plan includes additional education, greater physical and encryption controls and an organization-wide personal device inventory,&amp;rdquo; Our Lady of the Lake states in the press release.&lt;/div&gt;&#xD; &lt;div&gt;&amp;nbsp;&lt;/div&gt;&#xD; &lt;div&gt;&lt;a href="http://www.ololrmc.com/body.cfm?id=778&amp;amp;action=detail&amp;amp;ref=1915"&gt;Click here to read more on the Medical Center website&lt;/a&gt;.&lt;/div&gt;&#xD; &lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>       <pubDate>Mon, 04 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>Yes...It's okay to start purging</title>       <link>http://www.hcpro.com/HIM-280794-866/YesIts-okay-to-start-purging.html</link>       <description>&lt;p&gt;&lt;i&gt;by Frank Ruelas&lt;/i&gt;&lt;/p&gt;&#xD; &lt;div&gt;For a number of reasons, folks seem to be hesitant to purge hard-copy records that are greater than the six-year retention requirements for HIPAA (Security or Privacy).&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; Consequently, people are asking if they need to keep the original training 
sheets on file or can they scan them and get rid of the paper copies?&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; The answer is that certainly these hard copies can be kept on file indefinitely but there is not a requirement that prevents a covered entity from scanning and filing documents used to substantiate that it has trained its workforce such as class attendance roster sign in sheets.&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; There are a number of other common questions that are coming up given how long folks are keeping records on file but I wanted to share this one first because it seems to be coming up more and more.&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;&lt;br /&gt;&#xD; For more tips and the latest news and information on HIPAA, visit the &lt;a href="http://blogs.hcpro.com/hipaa/"&gt;HIPAA Update blog.&lt;/a&gt;&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 04 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>Privacy, security concerns high in HIEs</title>       <link>http://www.hcpro.com/HIM-280797-866/Privacy-security-concerns-high-in-HIEs.html</link>       <description>&lt;p&gt;A Boston resident is at a New York Yankees game in the Bronx cheering on his beloved Boston Red Sox. Despite his best efforts to catch a foul ball coming into the stands, he misses, and the ball bounces off his head. He's woozy, and ballpark officials suggest he get to a hospital for precautionary reasons.&lt;/p&gt;&#xD; &lt;div&gt;At the hospital, instead of filling out multiple forms, the attending physician logs on to a computer in the patient's room and pulls up his medical record and complete history in seconds. 
That's because the fan's hospital in Massachusetts and the New York facility participate in an interoperable health information exchange (HIE).&lt;/div&gt;&#xD; &lt;div&gt;&lt;br /&gt;&#xD; HIE advocates use a scenario like this to promote hospitals joining an exchange program, which is defined as the mobilization of healthcare information electronically across organizations within a region, community, or hospital system. But HIE programs do not come concern-free. For HIM professionals whose hospitals have signed on to participate in such a program and for those that are considering it, they must do some due diligence&lt;/div&gt;&#xD; &lt;div&gt;&lt;i&gt;&lt;a href="http://www.hcpro.com/REV-279270-140/Privacy-security-concerns-high-in-HIEs.html"&gt;&lt;br /&gt;&#xD; Click here&lt;/a&gt; to read more in the June issue of &lt;b&gt;Medical Records Briefings.&lt;/b&gt;&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 04 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>HIPAA Q&amp;A: HIPAA-mandated software?</title>       <link>http://www.hcpro.com/HIM-280798-866/HIPAA-QA-HIPAAmandated-software.html</link>       <description>&lt;p&gt;&lt;b&gt;A: &lt;/b&gt;None of the HIPAA regulations require the use of a specific application or specific software. HIPAA spells out privacy, security, and transaction related requirements but is technology neutral. This was not changed by the passage of HITECH. The EHR that will be implemented has been federally certified to meet the meaningful use incentive program requirements. Even the implementation of a federally certified EHR is not a HIPAA or HITECH mandate. It is only required if the physician is interested in taking advantage of the meaningful use incentive program.&lt;/p&gt;&#xD; &lt;div&gt;&lt;i&gt;Editor&amp;rsquo;s note: Chris Apgar, CISSP, president of Apgar &amp;amp; Associates, LLC, in Portland, OR, answered this question. 
He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.&lt;/i&gt;&lt;/div&gt;</description>       <pubDate>Mon, 04 Jun 2012 04:00:00 GMT</pubDate>     </item>     <item>       <title>MA hospital to pay $750,000 to settle data breach allegations</title>       <link>http://www.hcpro.com/HIM-280556-866/MA-hospital-to-pay-750000-to-settle-data-breach-allegations.html</link>       <description>&lt;p&gt;A Massachusetts hospital will pay the state $750,000 in a settlement following a breach of PHI that included missing unencrypted computer backup tapes and affected more than 800,000 patients in 2010, the state attorney general office &lt;a href="http://www.mass.gov/ago/news-and-updates/press-releases/2012/2012-05-24-south-shore-hospital-data-breach-settlement.html"&gt;reported May 24&lt;/a&gt;.&lt;/p&gt;&#xD; &lt;div&gt;South Shore Hospital reported the breach to Attorney General Martha Coakley&amp;rsquo;s office in July 2010. The information breached included individuals&amp;rsquo; names, Social Security numbers, financial account numbers and medical diagnoses.&lt;/div&gt;&#xD; &lt;div&gt;&lt;a href="http://blogs.hcpro.com/hipaa/2012/05/ma-hospital-to-pay-750000-to-settle-data-breach-allegations/"&gt;&lt;br /&gt;&#xD; Click here to read more on the &lt;b&gt;HIPAA Update&lt;/b&gt; blog.&lt;/a&gt;&lt;/div&gt;</description>       <pubDate>Mon, 28 May 2012 04:00:00 GMT</pubDate>     </item>   </channel> </rss>  