Archive for June 2012

Q: A patient who presented with an order from the primary care physician for laboratory work had also seen a specialist who ordered x-rays. Both physicians were entered into the system, and both received the laboratory test results and x-rays. The patient said this violated HIPAA because the specialist did not need the laboratory test results. Did this violate HIPAA?

A: Pursuant to the HIPAA Privacy Rule [45 CFR 164.502(b)(2)(i)], the minimum necessary standard does not apply when sharing patient information for treatment purposes.
 
The ultimate question is whether the specialist needed to see the laboratory results with respect to the care being provided. If the answer is yes, the disclosure did not violate HIPAA.
 
If the specialist should not have received the laboratory results, a breach (although not necessarily a reportable breach) may have occurred. This merits investigation because it would constitute a security incident. All security incidents should be investigated, regardless of whether a breach occurred.
 
You should investigate this incident. You are not required to notify the patient or OCR if you conclude upon investigation that the patient will not experience significant harm. Refer to 45 CFR 164.402.
 
You must document the investigation. Responding to the patient complaint and explaining that you are taking steps to implement practices to prevent future similar occurrences is advisable.
 
Work with the laboratory to the extent feasible to prevent transmission of PHI to providers without a "need to know."
 
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore. answered this question, which also appears in the July Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
Categories: Compliance Monitor

Alaska’s Medicaid program has agreed to pay OCR $1.7 million over potential HIPAA Security Rule violations, OCR announced in a June 26 press release.

The settlement marks the second largest to date for HIPAA violations, behind CVS Caremark’s $2.25 million agreement in 2009. It also marks OCR’s first enforcement action against a state agency.

OCR reported that Alaska’s Department of Health and Social Services (DHSS), the state Medicaid agency, did not have adequate policies and procedures in place to safeguard PHI when a USB hard drive was stolen from an employee’s vehicle.

OCR also found in its investigation that Alaska had not:

  • Completed a risk analysis
  • Implemented sufficient risk management measures
  • Completed security training for its workforce members
  • Implemented device and media controls
  • Addressed device and media encryption as required by the HIPAA Security Rule

Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.

In the corrective action plan, Alaska DHSS must review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” OCR Director Leon Rodriguez said in a statement. “This is OCR’s first HIPAA enforcement action against a state agency, and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

LARGEST SETTLEMENTS TO DATE

The OCR’s largest settlements for HIPAA violations include:

  1. CVS Caremark Co.: $2.25 million, February 2009
  2. Alaska Medicaid: $1.7 million, June 26, 2012
  3. Blue Cross Blue Shield of Tennessee: $1.5 million, March 2012
  4. Rite Aid: $1 million, July 2010
  5. Massachusetts General Hospital: $1 million, February 2011
  6. University of California at Los Angeles Health System: $865,500, July 2011

Note that in February of 2011, OCR fined Cignet Health a $4.3 million civil money penalty, the largest fine for such violations. It was not a settlement.

June 26

OCR releases audit protocol


Want to know what the OCR audits will look like? OCR has let us know.

The HIPAA privacy and security enforcer has released its audit protocol on its website. OCR breaks down 77 areas it will review during its initial phase of audits. OCR, per HITECH, is required to audit covered entities and business associates for HIPAA compliance. It has audited 20 in its test phase and plans to audit 95 more by the end of 2012.

“OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits,” according to the OCR website. “The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.”

The audit protocol covers:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures
  • Security Rule requirements for administrative, physical, and technical safeguards
  • Breach Notification Rule requirements

OCR is behind on issuing required guidance and implementing required oversight capabilities for Medicare beneficiaries’ prescription drug use information when used for purposes other than direct clinical care, according to a June report issued by an internal government watchdog.

The Government Accountability Office (GAO) reported that OCR, the HIPAA privacy and security enforcer, has established a framework in this arena through regulations, outreach, and enforcement activities.

However, the privacy and security regulators have not issued the required implementation guidance to assist entities in de-identifying personal health information, including when it is used for purposes other than directly providing clinical care to an individual.

“This means ensuring that data cannot be linked to a particular individual, either by removing certain unique identifiers or by applying a statistical method to ensure that the risk is very small that an individual could be identified,” according to a GAO report on its website.

OCR officials said the guidance, required by statute to be issued by February 2010, was delayed due to competing priorities for resources and internal reviews, according to the GAO.

“Until the guidance is issued, increased risk exists that covered entities are not properly implementing the standards set forth by federal regulations for de-identifying protected health information,” according to the GAO.

The GAO also criticized OCR’s covered-entity audit process. HITECH required OCR to implement “periodic audits” of covered entities, and last fall OCR initiated a pilot program for conducting such audits.

However, OCR “does not have plans for establishing a sustained audit capability,” according to the GAO.

According to OCR officials, the office has completed 20 audits and plans to complete 95 more by the end of December 2012, but it has not established plans for continuing the audit program after the pilot program is complete.

“Without a plan for establishing an ongoing audit capability, OCR will have limited assurance that covered entities and business associates are complying with requirements for protecting the privacy and security of individuals’ personal health information,” according to the GAO.

GAO recommends that OCR issue de-identification guidance and establish a plan for a sustained audit capability. HHS generally agreed with both recommendations but disagreed with GAO’s assessment of the impacts of the missing guidance and lack of an audit capability, according to the GAO.

Healthcare organizations face increasingly complex privacy and security issues as they cope with new technology, but many organizations are still struggling with the basics of establishing a compliance program.

A natural place to begin is a code of conduct, and policies and procedures, says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Ariz.
 
Compliance officers in small organizations may be responsible for compliance with all regulations. In larger organizations, one or more individuals may be specifically responsible for HIPAA compliance. Regardless of organization structure, basic principles apply.

Read more in the July issue of Briefings on HIPAA.