Archive for Policies and Procedures
St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.
OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecured online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.
Q. May organizations include inserts in their current patients’ rights brochures with updated information about their right to receive their medical files electronically, or must they reprint their entire brochures? We have a backstock of brochures and prefer to use them before we reprint them.
A. Reprinting the entire brochure is not required; an insert is permissible as long as it doesn’t contradict information in the actual notice. You should call this a notice of privacy practices (NPP) rather than a patient’s rights brochure because the latter includes rights unrelated to PHI, and there are specific things that must be included in each. Access sample NPPs at www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. Note that the HIPAA Omnibus Rule requires changes beyond the right to receive an electronic copy. Remember that the intent of the NPP is to explain to your patients what you are doing with their information and their rights pertaining to their PHI. Be sure to date your NPP and post the additional information prominently in your facility and on your website.
Editor’s note: This question was answered by Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your HIPAA questions to Associate Editor Jaclyn Fitzgerald at firstname.lastname@example.org.
The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) recently teamed up to develop model notices of privacy practices (NPP) for healthcare providers and plans. The models are available on the U.S. Department of Health and Human Services (HHS) website.
The NPP models reflect regulatory changes brought on by the HIPAA Omnibus Rule and should aid covered entities (CE) in complying with the requirements of the rule, according to OCR and ONC. CEs simply enter their information into the models and print or electronically post them.
The complimentary model NPPs are available to plans and providers in the following formats:
- Layered with a page-one summary and full content on subsequent pages
- Full-page presentation with booklet design elements
- Text only
The HHS website also includes questions and instructions for entering your information into each of the models.
CMS’ Office of E-Health Standards and Services has posted what serves as an audit checklist on the CMS website. Look for the document entitled “Information Request for Onsite Compliance Reviews,” which highlights areas of vulnerability associated with the security of electronic PHI.
Want a preview of the upcoming November edition of Health Information Compliance Insider, HCPro’s eight-page newsletter? Take a look at this CMS HIPAA compliance review study. We analyze the report and give you tips on what to learn from it.
Go here for more information about the newsletter.