Archive for HIPAA Compliance
St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.
OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecured online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.
In early 2014, HCPro’s Medical Records Briefing (MRB) newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, 2013 implementation date. This year, MRB asked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.
With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55% from 2014 to 2015.
However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase. Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.
The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches. The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.
This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Similar to 2014, nearly half of this year’s respondents (49%) serve as the privacy officers for their organizations compared to 50% in 2014, while just 33% reported being privacy officers prior to the Omnibus Rule implementation in early 2013. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facility. More specifically, 65% of HIM directors and managers responding to the 2015 survey also serve as the privacy officer.
HCPro’s Medical Records Briefing (MRB) is conducting a benchmarking survey on HIPAA compliance, and we would appreciate your input. Please take a few moments to complete this survey.
To show our thanks, we will select one respondent at random to win a complimentary HCPro on-demand webcast of his or her choice. To enter to win, please include your contact information at the end of the survey once you have answered the questions. Entering your contact information will also enable us to email you the results of the survey along with commentary from industry experts. The results will also be featured in the April 2015 issue of MRB.
The link below will take you to the survey’s website; simply click on the link to answer the survey questions online. If the click-through does not work, please cut and paste the URL below into the address bar of your browser.
Here’s the link to the survey: https://www.surveymonkey.com/s/YVXV7M6.
Thank you for your input!
Editor, Medical Records Briefing
The September 22, 2014 deadline to revise business associate agreements (BAA) may have seemed like a date far into the future when the HIPAA omnibus final rule was released January 25, 2013. However, this compliance date is just around the corner as we continue to move along the road toward establishing and maintaining compliance with the HIPAA privacy and security rules.
This date in September is notable because many organizations—both covered entities (CE) and business associates (BA)—find themselves dealing with the need to update or revise their BAAs. CEs were allowed to use existing BAAs for an additional year following the September 23, 2013 omnibus rule compliance date. Essentially, this meant that BAAs in place prior to January 25, 2013, which were not going to expire prior to September 22, 2013, could continue to be used until September 22, 2014. This gave BAs and CEs 18 months to determine what changes were needed to comply with the omnibus rule and then update or revise their BAAs accordingly. Despite the window of opportunity to address the issue of updating BAAs, it seems from my perspective that the majority of activity related to this task began occurring about a month or so before September 22, 2014.
HHS posted a sample BAA on its website January 25, 2013. In the second paragraph of the introduction, HHS lists 10 items that must be included in the written contract between a CE and its BA. Even though CEs and BAs may have recently updated their BAA in time for the compliance date, I believe it is worth the time to review these updated agreements and ensure they include the requirements identified in the HIPAA omnibus final rule.
Editor’s note: This post is adapted from an article written by Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, for HCPro’s Briefings on HIPAA (BOH). Look for the complete article in an upcoming issue of BOH. Ruelas is a BOH editorial advisory board member.
With HIPAA audits slated to resume and OCR monetary settlements steadily increasing, the threat of ending up on OCR’s “wall of shame” is greater than ever. OCR recently hit two covered entities with the largest HIPAA settlement to date: a combined $4.8 million penalty for alleged violations during a joint arrangement.
The first step to ensuring HIPAA compliance is developing an effective risk analysis and management process that identifies gaps, thereby keeping your organization off the government’s radar. Learn strategies for conducting an internal audit of your organization—before the government audits you.
During this program, HIPAA compliance experts Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, and Kathy Perkins-Smerdel, BS, CHC, will explain how to develop a thorough risk analysis process and implement an internal auditing program, offer tips on how to prepare for an audit, and identify flaws in privacy and information security programs.
At the conclusion of this program, participants will be able to do the following:
- Develop an effective, well-documented risk analysis process
- Prepare for OCR/CMS audits
- Identify privacy and information security program deficiencies
For more information or to place an order, call 800/650-6787 and mention Source Code EZINEAD or visit the HCPro Healthcare Marketplace.