Archive for January, 2010
HIPAA privacy and security officers need not revamp their entire policy and training program because of the “meaningful use” of electronic health records (EHR) guidelines published this month in the Federal Register.
If you’re on the right track toward complying with HIPAA privacy and security requirements and protecting your patients’ information, stay right there.
The EHR standards simply enable you to carry out certain aspects of HIPAA and HITECH better, such as encryption, says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, of Margret\A Consulting, LLC.
Last month, CMS and the Office of the National Coordinator for Health Improvement Technology (ONC) released the two regulations regarding the definition of “meaningful use” of EHRs and the standards to improve the efficiency of health information technology used nationwide by hospitals and physicians.
EHR compliance does not guarantee HIPAA compliance.
ONC writes in its interim final rule, “Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology”:
“While the capabilities provided by Certified EHR Technology may assist … in improving … technical safeguards in order to meet some or all of the HIPAA security rule’s requirements or influence … the use of Certified EHR Technology alone does not equate to compliance with the HIPAA privacy or security rules.”
One security standard ONC already requires in its meaningful use interim final rule is that EHR systems be capable of encryption.
For instance, if you take your laptop out of your facility with personal health information on it, you must have the capability to encrypt it. Or if you are going to send data to a Health Information Exchange (HIE), you can encrypt the transmission. It does not mean you have to encrypt the entire EHR, Amatayakul says.
“We believe a logical and practical next step … is to require Certified EHR Technology to be capable of encryption,” ONC writes. “We hope that by requiring Certified EHR Technology to include this capability, that the use of encryption will become more prevalent.”
Keep in mind the ONC interim final rule and CMS proposed rules are in a public comment stage now, with final rules expected in the spring. However, the interim final rule is in effect today.
Further, ONC says it may add layers of security standards to what’s already established in HIPAA and HITECH.
“We believe that the HIPAA Security Rule serves as an appropriate starting point for establishing the capabilities for Certified EHR Technology,” the ONC writes in the interim final rule. “That being said … we intend to … explore these areas and where possible to adopt new certification criteria and standards in the future to improve the capabilities Certified EHR Technology can provide to protect health information.”
HITECH granted state attorneys general power to bring civil suits on behalf of victims of a protected health information (PHI) breach.
And one state, Connecticut, is already taking action. Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc., January 13 for “failing to secure private patient medical records and financial information” in a case involving 446,000 patients.
Officially, it’s the first action taken by a state attorney general involving violations of HIPAA since HITECH gave state AGs the thumbs up. Naturally, it won’t be the last.
So before state AGs and OCR officials come knocking, ask yourself, “Are we ready?” And remember these seven tips.
Is a covered entity required to have a business associate agreement with a contracted healthcare provider whose scope of service is limited strictly to provision of treatment to the covered entity’s patients?
The crux of the question seems to be whether or not the contractor is providing the treatment ON BEHALF OF the covered entity.
How does one determine that is or is not the case? (Note that the contractor receives AND CREATES PHI in the performance of the contract and therefore the “disclosure … concerning treatment of the individual” exception set forth at 164.502(e)(1)(ii)(A) does not appear to apply.)
Our transcriptionist accidentally faxed a patient letter to the wrong number. The information included patient name, date of birth, family physician name.
This letter only included that the patient had a normal eye exam. Is this a reportable violation of the HITECH policy?
Thank you for your time,
Q. If a patient asks our radiology department for a CD of his or her study images for his or her use, must the department provide it to him or her?
A. As a covered entity, you must give patients access to their information in the designated record set. Most healthcare providers include radiology images as part of the designated record set. Patients have a right to request copies of their information for their use. You may charge patients a reasonable fee for the cost of preparing the CD.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.