Archive for December, 2011
A. Yes. Forwarding addresses provided by the post office are public information that is not protected under HIPAA. You can use this information to update addresses in your patient database.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information management at Scott & White Healthcare in Temple, TX, answered this question. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations.
The Office for Civil Rights (OCR), which began posting entities reporting breaches of unsecured protected health information affecting 500 or more individuals 22 months ago, lists 380 entities as of Friday, December 9.
In February 2010, OCR launched the website required by the HITECH Act under breach notification. Since then, OCR has received an average of about 17 reports per month, or more than one every other day.
Six entities are in OCR’s million-plus patient record breach club:
- TRICARE Management Activity (TMA): 4,901,432, lost backup tapes
- Health Net, Inc.: 1,900,000, unknown
- New York City Health & Hospitals Corporation’s North Bronx Healthcare Network: 1,700,000, stolen electronic medical record
- AvMed, Inc.: 1,220,000, stolen laptop
- The Nemours Foundation: 1,055,489, lost backup tapes
- Blue Cross Blue Shield of Tennessee: 1,023,209, stolen hard drives
As for rules governing breach notification requirements, more than 16 months have passed since OCR last gave an update on the interim final rule on breach notification. That rule, published in the Federal Register August 24, 2009, is in effect.
OCR developed a final rule and sent it to the Office of Management and Budget for review May 14, 2010. However, on July 28, 2010, OCR withdrew the final rule from OMB for “further review,” according to a notice published on its website.
We all know this has been a difficult year in terms of HIPAA compliance. There have been major breaches at well-known organizations, a lack of HIPAA compliance basics that has led to millions of dollars in fines, and an overall disregard for working with federal regulators at one institution.
As we wind down the final quarter of 2011, we want to hear from you about the good things that have happened in HIPAA compliance circles.
Does your organization have reason to celebrate? Tell us why, and you may be featured here, on our HIPAA Update blog, or in our 12-page print newsletter, Briefings on HIPAA.
Please share your stories with Dom Nicastro, senior managing editor, at firstname.lastname@example.org.
Q: Is faxing PHI to a long-term care facility that also operates an independent living facility and an assisted living facility permissible?
A: In this case, you may fax PHI to the facility so long as the fax machine you are sending the information to is designated for the long-term care facility’s (and thereby the covered entity’s) exclusive use. If the fax machine is in an area accessible to workforce members beyond those who perform covered entity functions, it could result in a breach of PHI.
Editor’s Note: This question first appeared in the December 2011 issue of Briefings on HIPAA.
Most healthcare organizations charged with HIPAA compliance are not fully prepared for a privacy and security audit by federal regulators, a November survey conducted by HCPro, Inc. reveals.
For hospital leaders, already challenged on the technology front to implement ICD-10 and electronic medical records systems and to pursue meaningful use certification, that’s not great news. The government has already begun conducting audits.
Earlier this year, the Office for Civil Rights, the enforcer of HIPAA privacy and security, engaged a contractor to audit covered entities and business associates at random. The objective is to audit 150 entities by December 31, 2012.
HCPro’s survey results show that only 17% of responding organizations said they are fully prepared for an OCR privacy and security compliance audit.
“It is very hard to get your staff to understand how important this is,” one compliance officer said. “Each breach we have is due to carelessness and not intentional, for example, not checking a patient name when you mail something out.”
Of the more than 400 respondents, which included HIM directors and compliance officers, 281 (or 70%) said they are “somewhat prepared” for a HIPAA compliance audit conducted by the government.
As part of the HITECH Act, OCR hired KPMG, LLP, to conduct the audits starting this fall and lasting through December of next year. The audits—targeted at covered entities and business associates—are expected to produce corrective action plans for facilities regarding HIPAA compliance.
“There needs to be an outside agency coming into the hospital and interviewing the employees on a regular basis,” one respondent said in the survey. “Most organizations say they don’t have the time to implement HIPAA regulations on a regular basis.”
At least one survey respondent indicated a lack of commitment from “senior management.” Said another respondent, “The C-suite understands patient care, but doesn’t understand that system security needs more money to enforce HIPAA.”