Archive for March, 2013
Privacy and security officers got their marching orders when HHS released the long-awaited new HIPAA “Omnibus Rule” in January.
To comply with the final rule, healthcare organizations need to get working on a number of activities. The rule is enforceable 180 days from its publication in the Federal Register January 25, giving organizations until September 23 to get into compliance.
Each healthcare organization will need to determine where its priorities lie, depending on its current HIPAA compliance program.
“There’s work here for probably everyone,” says Phyllis A. Patrick, MBA, FACHE, CHC, president of Phyllis A. Patrick & Associates, LLC, in Purchase, N.Y. “But this is not all new if you have a compliance program. Take it in steps. I think it is all doable.”
So where can you get started with the 563-page final rule? HIPAA consultants and attorneys advised taking the following steps:
1. Conduct a risk analysis. You’ve heard it many times before, but a risk analysis is a good starting place, says Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC, in Portland, Ore. By conducting a risk analysis, you will determine what specific risks your organization faces. From there, you can create your own list of actions you need to take and set priorities. With a risk analysis, you will find out whether you are missing a particular policy or need to update a certain procedure.
Make sure your risk analysis reflects vulnerabilities highlighted in recent HHS guidance, such as the threat to the security of PHI from mobile devices, says Adam H. Greene, JD, MPH, a partner in Davis Wright Tremaine, LLP’s Washington, D.C., office. “HHS has made clear the risk assessment is a high priority,” he says.
Police wanted to find a missing 81-year-old man. But HIPAA wouldn’t let them.
Officials at Salem (Ore.) Hospital wouldn’t confirm the man was a patient when police originally came looking, according to a March 8 Statesman Journal report.
“It’s a cumbersome law,” Salem police Lt. Steve Birr said. “When I managed the missing persons caseload, one of the difficult things is that we have people with mental illnesses, and they could end up in a mental health facility and you would never know it and they would never tell you.”
According to the March 8 Journal article, neighbors reported Thomas Dill missing to police after they noticed his absence from their apartment complex. Police weren’t concerned about Dill’s mental health, but they worried that the 81-year-old, who is diabetic, could have experienced a medical emergency that led to his disappearance.
When police called area hospitals to see whether Dill was a patient, Salem Hospital said they couldn’t answer the question because it was PHI.
Police learned Dill was a patient at Salem Hospital two days later thanks to a tip from an anonymous caller.
He’s since been transferred to an adult care facility.
So how did the audit go? OCR wants to know.
The 115 entities audited in the HITECH-required HIPAA Audit program are taking surveys to help OCR determine the efficacy of the program in assessing the HIPAA compliance efforts of covered entities. As part of that review, the online survey will be used to:
- Measure the effect of the HIPAA Audit program on covered entities
- Gauge their attitudes toward the audit overall and in regard to major audit program features, such as the document request, communications received, the on-site visit, the audit-report findings and recommendations
- Obtain estimates of costs incurred by covered entities, in time and money, spent responding to audit-related requests
- Seek feedback on the effect of the HIPAA Audit program on the day-to-day business operations
- Assess whether improvements in HIPAA compliance were achieved as a result of the Audit program
The information, opinions, and comments collected using the online survey will be used to produce recommendations for improving the HIPAA Audit program.
OCR has reported about a breach a day over the first two and a half weeks of March, according to its breach notification website.
OCR, the HIPAA privacy and security enforcer, had reported 543 patient-information breaches affecting 500 or more individuals as of March 1. That number rose to 556 as of March 16. The total number of breach reports of this kind reached 502 as of late October and 525 to start 2013.
OCR began posting the breaches in February 2010, as HITECH requires; the breaches themselves date back to September 2009. In about three years, OCR has reported an average of about 15 breaches per month, or one every other day.
A Massachusetts city’s ambulance service announced March 14 a data breach incident affecting the records of a number of ambulance patients.
Advanced Data Processing, Inc./Intermedix, which manages billing for the Gloucester (Mass.) Fire Department Ambulance Service, learned on October 1, 2012, that one of its employees improperly accessed and disclosed certain patient account information in connection with a scheme to file false federal tax returns. Accessed account information included name, date of birth, Social Security number and record identifier, but no medical information was accessed.
The employee was apprehended by authorities, immediately terminated, and no longer has access to company systems. The company also thoroughly investigated the matter.
To help minimize the risk of future data breaches, the Company is making its employees aware of this incident and the consequences to the individual involved and reminding its employees of the importance of maintaining the security and confidentiality of individual records.