Archive for March, 2014
Q. I work for a hospital with a geriatric psychiatry unit. Many patients are discharged to nursing homes. Often, nursing homes contact the hospital for patient information, but we have only the patients’ psychiatric records and are hesitant to send them. We usually send a psychiatric discharge summary that includes history and physical notes, any ancillary test results, and a medication list. However, we exclude the psychotherapy notes. Is it permissible under HIPAA to send this information to a nursing home for continued care?
A. You are obligated under HIPAA to send the minimum necessary to accomplish the purpose. In this case, this includes a list of medications and problems, so it makes sense to send the discharge summary. Unless your state has special laws pertaining to mental health records and patient written consent (and many do), your approach sounds reasonable. One note of caution—psychotherapy notes are defined as notes that are kept separate from the medical record and are not used to substantiate billing. Unless your providers maintain separate notes, you are likely referring to progress notes that do not have any special protection under HIPAA (although they may be protected by state law). This doesn’t mean you should send them; it just means that you and your providers should be aware that they are not psychotherapy notes and enjoy no special protection under HIPAA. Also, remember that substance abuse treatment facilities are subject to federal laws that specify when and under which circumstances substance abuse treatment records may be released. Coincidentally, HHS recently released additional guidance for mental health records (http://tinyurl.com/mcpeoay).
Editor’s note: Chris Simons, MS, RHIA, the director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H., answered this question. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your questions related to HIPAA compliance to Associate Editor Jaclyn Fitzgerald at email@example.com.
NEW DATE AND LOCATION ADDED!
Seattle — May 19–20
Medicare Boot Camp — Utilization Review Version is an intensive two-day boot camp focusing on the new Medicare requirements for patient status and the role of the utilization review (UR) committee.
UR is no longer the responsibility of a few. No matter your role, the Medicare Boot Camp — Utilization Review Version will teach you how to implement the new rules and leverage them for your facility.
- Executives, CMOs, VPMAs: Learn how to build an effective UR committee and ensure physician advisors are ready to implement the new rules
- UR committee members and physician advisors: Get the information you need to make decisions regarding patient status that will be compliant and not leave any money on the table.
- Compliance officers: Get a complete understanding of the UR rules so that you can ensure your facility is in compliance.
- Nurse administrators/case managers: Understand the details of the rules so that you can educate physicians on them.
- Revenue cycle staff: Learn how managing patient status plays a critical role in correct reimbursement, and can stabilize inpatient reimbursement.
Visit http://www.hcprobootcamps.com or call 800-780-0584 for agenda and registration information.
OCR announced in the February 24 Federal Register its plan to survey up to 1,200 covered entities and business associates to determine suitability for its HIPAA audit program.
The survey is intended to provide OCR information that will determine whether a respondent is suitable for an audit. Data collected through the survey will include the number of patient visits or insured lives, use of electronic information, revenue, and business locations.
HHS is seeking comments on aspects of the Information Collection Request and the burden estimate, which is 600 total burden hours. Submit comments by email at Information.CollectionClearance@hhs.gov or by telephone at 202-690-6162.
A: The HIPAA Privacy and Security Rules do not require covered entities or business associates to contract with external vendors to conduct compliance audits. Note that HHS neither mentions nor recognizes “HIPAA certification.” Covered entities and business associates need to periodically examine privacy and security programs to reasonably ensure compliance. As a general rule of thumb, assessments or audits should be conducted at least annually.
There are pros and cons to hiring a third party versus conducting a compliance audit internally. A third-party vendor is not as familiar with your organization as you are, but that vendor will bring a fresh set of eyes and generally view your organization more objectively. Your internal workforce, meanwhile, will be very familiar with your organization and know what questions to ask, but it may overlook activities that have become a daily occurrence yet represent compliance risks or violations. You may elect to compromise by conducting an internal audit and contracting with a third-party vendor to audit your program every second or third year. The key is making sure an audit or assessment is periodically conducted, the audit documented, and the findings mitigated or accepted.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your HIPAA questions to Associate Editor Jaclyn Fitzgerald at firstname.lastname@example.org.
The PHI of 168,500 Los Angeles County medical facility patients was stolen during a break-in at Sutherland Healthcare Solutions in Torrance, Calif., the Los Angeles Times has reported.
Sutherland handles billing and collections for the county’s Department of Health Services and Department of Public Health. Computers containing patients’ PHI were stolen from the Sutherland office February 5. PHI stored on the computers includes patient names, Social Security numbers, medical and billing information, and potentially birthdates, addresses, and diagnoses, the newspaper reported.
The county is reviewing its contract with Sutherland to determine whether it enforces breach prevention procedures.