Archive for August, 2012
Q. Can you tell me whether the parent of a patient now over 18 years of age may receive information relating to a medical bill for services provided when the patient was still a minor?
A. Because the patient is now of legal age, you should obtain the patient’s written authorization to release this information to the parent. Alternatively, you can release the information directly to the patient, who can decide whether to share it with the parent.
Editor’s note: This answer, provided by Mary Brandt, MBA, RHIA, CHE, CHPS, was published in the August 2012 edition of the HCPro, Inc. newsletter Briefings on HIPAA.
Yet another reason to conduct a security risk analysis and consider encrypting your health information—meaningful use Stage 2 requirements tell you to.
CMS in its final rule governing qualifications for incentives during the second stage of the meaningful use of EHRs program calls for entities to “conduct or review a security risk analysis” in accordance with requirements under the HIPAA Security Rule.
Specifically, the final rule points to the HIPAA Security Rule subpart:
- 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in certified EHR technology (CEHRT) in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3)
Further, entities qualifying for incentives in Stage 2 must implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process, according to the final rule.
CMS made a change in the final rule to the language of “data at rest” to specify its intention of data that is stored in CEHRT.
“Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis,” CMS wrote in the final rule. “We agree that this is an area of security that appears to need specific focus.”
CMS reported that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured, CMS added.
“It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure,” according to the final rule. “We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information (ePHI) as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”
CMS and the Office of the National Coordinator for Health IT (ONCHIT) released August 23 the final requirements that hospitals and healthcare providers must meet in order to qualify for incentives during the second stage of the meaningful use program, according to an HHS press release.
The rule also includes criteria that electronic health records (EHRs) must meet to achieve certification.
According to HHS, the requirements for Stage 2:
- Make clear that Stage 2 of the program will begin as early as 2014. No providers will be required to follow the Stage 2 requirements outlined before 2014.
- Outline the certification criteria for the certification of EHR technology, so eligible professionals and hospitals may be assured that the systems they use will work, help them meaningfully use health information technology, and qualify for incentive payments
- Modify the certification program to cut red tape and make the certification process more efficient
- Allow current “2011 Edition Certified EHR Technology” to be used until 2014
The CMS final rule also provides a flexible reporting period for 2014 to give providers sufficient time to adopt or upgrade to the latest EHR technology certified for 2014.
View the following related documents:
It’s official. HHS announced that compliance with ICD-10-CM and PCS will be October 1, 2014. This pushes back compliance one year.
A New York medical supplier could go to jail for 10 years for wrongfully disclosing private patient information and submitting fraudulent Medicare claims in order to buy a multi-million dollar home and fund a pension plan and investment brokerage account worth $2 million, according to the U.S. Attorney’s Eastern District New York office.
In all, the woman, Helen Michel of Old Brookville, used the alias Dr. Elene Allonce and schemed Medicare for $10.7 million for four and a half years. Her conviction, announced by federal officials in a release Aug. 15, carries a maximum sentence of 10 years in prison and fines up to $250,000 per count.
Michel stole private patient information from various nursing homes on Long Island and then submitted thousands of fraudulent claims to Medicare, according to officials. The claims sought payment for services and equipment that were never provided by the defendant’s company, Medical Solutions Management, Inc., of Hicksville, New York.
The case represents one of the first criminal prosecutions in the nation for wrongful disclosure of patient information under HIPAA.
“To this defendant, the elderly were not patients to be helped, but pawns to be exploited for personal gain. Invasion of patient privacy and fraud against the health care program that the elderly depend upon are intolerable,” said United States Attorney Loretta E. Lynch. “Let [the] verdict stand as a warning to all that we will tenaciously investigate violators, protect patient rights and vindicate the hard-earned support taxpayers provide the Medicare program.”