Archive for June, 2009
On June 16, CMS issued a fact sheet containing information and frequently asked questions about the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Q. The volunteer department of a hospice is interested in purchasing magnetic car signs with the message, “I volunteer at X Hospice.” Another idea under consideration is the purchase of magnetic car signs with the logo and volunteer on the sign. Does using the signs create a patient privacy problem? When the volunteer parks outside the house of a patient, it would reveal the patient was receiving hospice services.
A. Yes, using the signs creates a privacy concern, and likely a HIPAA privacy rule violation. The signs would reveal that a resident at the house or apartment where the vehicle is parked has a terminal health condition. This would be considered PHI, even though the signs do not specifically identify the patient’s medical condition. Also, from an ethical perspective, such signs could very well violate the patient’s right to avoid what can be well-meaning public reactions to the news a patient is terminal, which are often unwanted and adversely affect the patient’s right to die with dignity.
Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
A hospital's IT project list is most likely an exponential one: Convert to an EHR, transition to HIPAA 5010, coordinate vendor and health plan testing, train staff members on new technology, prove meaningful use, and qualify for incentive payments under the American Recovery and Reinvestment Act. It's enough to make anyone's head spin.
"Institutions are being forced to downsize and limit their scope in today's economy. Never has so much needed to be done with so few resources," says Dan Rode, MBA, CHPS, FHFMA, vice president of policy and government relations for the American Health Information Management Association in Washington, DC.
Deadline is January 2012
The transition to HIPAA 5010 is perhaps the most pressing issue because its compliance deadline is little more than two years away. Providers must be ready to submit claims electronically using the upgraded HIPAA standards by January 1, 2012—nearly one year prior to the October 1, 2013 ICD-10 deadline.
Read the full report by HealthLeaders Media’s Lisa Eramo.
Since the Health Information Technology for Economic and Clinical Health Act passed Feb. 17, we've heard a lot of banter about business associates (BA).
BAs must comply directly with the HIPAA Security Rule and components of the Privacy Rule by February 18, 2010.
One HIPAA privacy and security officer told us in a focus group she's concerned because it's not clear what a covered entity's role should be as far as educating BAs. (Technically, covered entities have no obligation to train BAs).
That same HIPAA officer is working on the final draft of a BA contract, and her facility is unsure whether it will have one standard contract or individual language for each BA.
It makes sense for a covered entity to develop a template, and then only change some of the details; in particular, the description of what uses and disclosures of PHI the BA is permitted, according to Kate Borten, CISSP, CISM, president of The Marblehead Group and a HIPAA privacy and security expert.
Read the full report by HealthLeaders Media’s Dom Nicastro.
Editor’s note: The following is an excerpt from the soon-to-be published HCPro, Inc., white paper, Business Associates and HIPAA: What BAs need to know to comply with HIPAA Privacy and Security Rules
The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law February 17, requires that BAs:
- Comply with the use and disclosure requirements of the HIPAA Privacy Rule (Section 13404 of the HITECH Act) and include those terms in the contract with the covered entity
- Notify the covered entity of any individual whose unsecured PHI has been inappropriately released or obtained
- Ensure that the notification meets the following provisions of Section 13402 of the HITECH Act:
- A breach is considered discovered on the first day a covered entity or BA knows or should have known about it
- BAs must notify covered entities of any breaches and provide detailed information about the breach, along with the names and contact information of individuals involved
- Covered entities and BAs must notify individuals about a breach as soon as possible, but no later than 60 days following discovery of the breach
- Delays in notification must include evidence demonstrating the necessity of the delay