Archive for July, 2009
Since HIPAA first took effect in 2003, HCPro, Inc. has been an industry leader in privacy and security training resources. This year, we’ve updated our existing HIPAA books, handbooks, e-learning courses, and newsletters to adapt to the new HIPAA laws.
You will find all these training resources on this blog. You’ll also be able to mingle with your colleagues with comments on blog posts and ask our experts HIPAA questions related to your facility. We hope you find our new Web site useful and a way to strengthen your facility’s HIPAA compliance program and ultimately protect your patients’ privacy.
Now let’s start the conversation!
— Dom Nicastro
Senior managing editor
John C. Parmigiani, HIPAA security and privacy consultant and president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, suggests several steps to help providers become compliant by August 1.
First, conduct an organizational audit. Identify potential problems associated with your unique organization. Be sure to allow sufficient time to conduct a thorough investigation. Then develop a theft prevention program; this is an FTC requirement and necessary to track every account on your books. The amount someone pays is irrelevant—even if it’s only a dollar per week, says Parmigiani.
The written program must:
- Identify potential red flags that exist within your institution
- Help detect red flags when they occur in real time
- Detail how you will respond to incidents of attempted identity theft (i.e., how you can either prevent the incident or how you will mitigate damages if you are unable to do so)
These steps are also important to maintain good business standards, says Parmigiani.
This tip was adapted from the article, “Compliance update: FTC moves Red Flags Rule compliance deadline to August 1,” which appears in the April 2009 issue of HCPro’s monthly newsletter Health Information Compliance Insider. To learn more about this newsletter or to subscribe, visit HCMarketplace.
Q. The Department of Defense allows some active duty members moving to a new base to hand-carry their own original medical record to the next base. Is this a HIPAA violation? This seems to represent a privacy and security concern by risking the loss or theft of the original medical record.
A. It is not a HIPAA violation to allow any patient to transport his or her own original medical record from one location to another.
However, this represents what could be a significant risk. Even allowing the individual to carry a copy of his or her medical record (versus the original) from one location to another represents a privacy risk.
Although HIPAA does not prohibit an individual from carrying his or her own medical record from one location to another, a covered entity should discontinue such practices to better protect the privacy and security of the record. Covered entities are allowed to adopt more stringent privacy and security practices than required by HIPAA. Such practices would be appropriate in this case.
Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
Your business associates (BAs) must comply with the HIPAA Security Rule beginning February 18, 2010.
That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Obama February 17, 2009.
If complying with the HIPAA Security Rule sounds like a large task for, say, a small billing and coding company, well, that's because it is. So where do your BAs begin? Hopefully, they've already started.
Here are two tips you can share with your BAs to get them ahead of the February 2009 HIPAA compliance deadline:
Perform a risk assessment. Determine your primary vulnerabilities. "Find what your biggest threats to the security of your PHI are," says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA. "You need to know where you are before you begin to form your policies and procedures. Check on the last time you had a security assessment, if ever, and start from there."
Make your own way. As a BA, you must understand you are responsible for your own compliance program, regardless of contract terms with a covered entity, says John R. Christiansen, an information technology lawyer at Seattle's Christiansen IT Law.
"You need to be responsible for your own security program with HIPAA," says Christiansen, chair of the newly formed HITECH Business Associates Task Force of the American Bar Association's Health Law Section and the HITRUST Business Associates Working Group of the Health Information Trust Alliance.
Do not simply accept what is thrown your way, he says. "Your program should be built based upon your organization's own unique risks," says Herold. "That's what your risk assessment will reveal."
Editor's note: These tips were taken from the HCPro, Inc. white paper, Business Associates and HIPAA: What BAs need to know to comply with HIPAA privacy and security rules. Download a free copy of the full white paper. Sign up for HCPro, Inc.'s July 29 audio conference, Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law.
These tips also appeared in a HealthLeaders Media article by Dom Nicastro.
HHS, the HIPAA Privacy Rule’s enforcer, is hiring two “Health Information Privacy Specialists,” it announced Friday.
But does that mean stepped-up enforcement? Maybe not.
According to the job description on www.usajobs.gov, the specialist, working out of the Office for Civil Rights (OCR), will be “responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information.”
“I'm not sure the addition of these positions will actually strengthen OCR's enforcement activities,” Mary Brandt, MBA, RHIA, CHE, CHPS, president of Bellaire, TX-based Brandt & Associates, LLC, told HIPAA Weekly Advisor. “In reviewing the job duties on the government's Web site, the focus of the new positions appears to be strictly in the policy arena.”
OCR provides the oversight, leadership, and coordination necessary to ensure that individuals have nondiscriminatory access to HHS services or programs and that the privacy of their health information is protected.
The Division of Health Information Privacy enforces the HIPAA Privacy Rule and the confidentiality provisions of the Patient Safety and Quality Improvement Act.