Archive for August, 2010

Aug 26

Tip: Notice of Privacy Practices


Got any new privacy officers fresh on the beat? Share this tip with them:

Organizations covered under HIPAA are required to issue a written Notice of Privacy Practices (NPP) to patients outlining their privacy practices and patients’ rights. Changes are coming through HITECH in terms of additions to the NPP, but for now covered entities can include the following information in the NPP:

  • Inform patients of their rights and how they can exercise them
  • Disclose the organization’s privacy practices
  • Notify patients about the organization’s responsibilities under the law
  • Inform patients about all of the uses and disclosures of protected health information (PHI) required or allowed by law
  • Explain the process by which patients can access their medical records and amend their information

This week’s tip was adapted from The Compliance Officer’s Handbook. For more information about the book or to order your copy, visit the HCMarketplace.

Categories : HIPAA privacy

Editor’s note: This is the third in a series of articles breaking down the Department of Health & Human Services (HHS) HIPAA proposed rule published in the Federal Register July 14.

The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will serve as one of the speakers of the HCPro, Inc. audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations,” Tuesday, August 31:

  • No protection of PHI for those who have been deceased for more than 50 years. According to the proposed rule, this change will reduce the burden on both covered entities and on those seeking the protected health information by eliminating the need to search for and find the decedent’s personal representative to authorize the disclosure. HHS believes this change will benefit family members and historians who want access to this medical information for personal and public interest reasons.
  • Required changes to the Notice of Privacy Practices (NPP). This will require changes throughout all the covered entities (CEs), Herold says. “The trick will be how to get the wording to a point where the average patient/consumer can understand what it is saying,” she says. “This has been a problem in the past.” The proposed amendments to the NPP would include:
    • Language about the use and disclosures of PHI that would require an authorization under the proposed rule
    • Changes to language regarding the CE contacting an individual to provide appointment; contacting the individual for fundraising; or to disclose information to the health plan

Editor’s note: This is the second in a series of articles breaking down the Department of Health & Human Services (HHS) HIPAA proposed rule published in the Federal Register July 14.

The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will serve as one of the speakers of the HCPro, Inc. audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations,” Tuesday, August 31:

  • Subcontractors are now BAs. Many subcontracted entities handle PHI, and it makes sense to make them BAs by definition and liable for breaches. “Including subcontractors is a very good thing,” Herold says. “They [are responsible for] many of the breaches.” It’s also good to see the following entities included under HITECH:
    • Patient safety organizations (PSOs)
    • Health information organizations (HIO)
    • E-Prescribing gateways
    • Other persons who facilitate data transmission
    • Vendors of personal health records
  • Updated definition of “electronic media.” The original definition became outdated quickly, Herold says. “The new one does allow for ongoing technological innovation and changes to be covered,” Herold says. “Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.”

Editor’s note: This is the first in a series of items breaking down the HHS HIPAA proposed rule published in the Federal Register July 14.

The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will serve as one of the speakers of the HCPro, Inc. audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations,” Tuesday, August 31:

  • HIPAA and HITECH apply to business associates (BAs). “Including clear indication that HIPAA and HITECH applies to BAs is a great idea,” Herold says. “I’ve spoken to many BAs who still believe that they only have to have the BA agreement in place, and I’ve had multiple covered entities (CEs) point out that the HHS has never explicitly stated that they needed to do more than provide a BA agreement for their BAs. If accepted and implemented as worded, the changes in the [proposed rule] make it much more clear that the CEs’ responsibilities must go beyond just having a BA agreement.”
  • New definition of “standard.” Herold says replacing “individually identifiable health information” with “protected health information” in the definition of “standard” is a strong idea. “This has always been a point of confusion for many or most CEs, and then last year for BAs.”
Cheryl Clark, for HealthLeaders Media, August 18, 2010

The Council of Medical Specialty Societies, which represents some 650,000 U.S. physician specialists in 34 societies, has announced its participation in a lawsuit to exempt doctors from requirements of the “Red Flags Rule” scheduled to take effect by year end.

Groups such as the American Medical Association object to the Federal Trade Commission’s requirement for physicians to verify the true identity of their patients before they agree to treat them if the patients are not paying in full at the time of the visit. The intention of the requirement is to prevent potential cases of identity theft.

If a patient says he or she is someone else, the wrong person or entity would be billed for that individual’s care.  But doctors say that requiring such proof of identity is time-consuming, awkward, and may delay care if the patient didn’t bring proper documents.

The FTC has postponed implementation of the rule five times. It is now scheduled to go into effect Dec. 31.

The AMA, the American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit this spring demanding the FTC exempt physicians from the rule. The effect of such identity verification covers the physician-patient relationship with a blanket of suspicion before treatment ever begins, they say. It also may require doctors to set up identity theft prevention and detection programs.

The Council of Medical Specialty Societies is joining in the lawsuit because the FTC “failed to follow the required notice and comment procedures under the Administrative Procedures Act.”  It also said that imposition of the rule on doctors imposes significant burdens, “particularly (on) solo practitioners and those practicing in small groups.”

Norman Kahn, MD, executive vice president and CEO of CMSS, says that if the rule applies to its members, it “would substantially drain the financial resources of physicians, particularly those whose support systems are limited.”

Also, groups opposing the rule claim it is not appropriate for certain practices.

“A plan for a physician who serves in a rural area in which patients are well-known will be different from one for a physician in a large group in an urban area,” the CMSS said in its statement. Time required to comply with the rule will “necessarily detract from the attention physicians are able to give their patients.”

In the latest postponement, the FTC said the delay will allow Congress to consider legislation that would affect the scope of entities covered by the rule.

In a statement in June, FTC Chairman Jon Leibowitz said, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule—and to fix this problem quickly.” He added, “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

Categories : Red Flags Rule