Recent Articles
HCPro, Inc. unveils HIPAA/HITECH video
HCPro, Inc. is proud to release the updated version of its best-selling HIPAA training video that covers both privacy and security training -- Privacy, Security and You: Protecting Patient Confidentiality Under HIPAA and HITECH, Second Edition.
One of the best ways to train staff is to show them the right and wrong way to do their job. And that’s what our DVD video does.
Check out this clip from the video.
Training tool: Scripting tool
Check out this scripting tool used by Houston Medical Center’s patient access team in Warner Robins, GA, for collecting copayments in the ED.
Download this document through this blog post.
Digesting HIPAA’s accounting of disclosures proposed rule
Covered entities (CE) and business associates (BA) finally know the details of the accounting of disclosures provision in HITECH now that the Department of Health & Human Services (HHS) released a proposed rule May 27. It was published in the Federal Register May 31.
The following is a breakdown of the central components of the proposed rule:
What: HITECH-required proposed rule, “HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act”
The gist: The HITECH Act requires CEs and BAs to provide an accounting of disclosures of PHI through an electronic health record (EHR), for treatment, payment, and healthcare operations (TPO) dating back three years from such a request. The proposed rule implements this requirement through the right to an “access report,” which includes an accounting of who accessed electronic health information in a designated record set (DRS), for any reason. This includes both uses and disclosures, regardless of the purpose.
Read the full story on HIPAA Update blog.
HHS undertakes massive review of rules, regulations
Under orders from the Obama administration, the Department of Health and Human Services (HHS) is setting out to review and update virtually every one of its rules and regulations.
The effort is part of a government-wide initiative to create a simpler and smarter regulatory system that will annually save, according to government estimates, tens of millions of hours of red tape, and billions of dollars in regulatory costs.
HHS released Thursday, May 26, its 89-page Preliminary Plan for Retrospective Review, which details which regulations will be modified and reviewed.
In the report, HHS sets several goals for the review, including making the regulatory process clearer and providing a foundation for future regulatory decisions. HHS plans to increase transparency in its regulatory process by making available, when possible, information that stakeholders might need to understand the basis for a proposed regulation.
Read the full story on HIPAA Update blog.
Comply with this MSP tool
Go to this Patient Access Resource Center blog post to find this form that ensures accuracy in your Medicare Secondary Payer process. It is featured in HCPro, Inc.’s CD-ROM, Medicare Secondary Payer Questionnaire Training Toolkit.
Hospital fires medical-records snoopers
A Minnesota hospital this month fired 32 employees for inappropriately accessing medical records of patients.
Allina Hospital in Minneapolis terminated employees who peeked at medical records of patients hospitalized in March due to a drug overdose at a party in nearby Blaine, a hospital official said.
David Kanihan, Allina’s director of marketing and communications, told HealthLeaders Media in an e-mail that the employees were terminated for “accessing electronic medical records of patients without a legitimate patient-care reason for doing so.”
HIPAA allows hospital employees to view patient records for reasons of treatment, payment, and healthcare operations.
According to the Minneapolis Star Tribune, 11 teenagers and young adults were hospitalized and one died after they overdosed on a synthetic drug.
“We take our obligation to protect patient privacy very seriously,” Kanihan wrote in the e-mail to HealthLeaders. “Our actions in this matter are completely consistent with how we have always dealt with these cases. Anything short of a zero tolerance approach to this issue would be inadequate.”
Read more on HIPAA Update.
Hospitals that take plastic must comply with PCI
Healthcare privacy and security teams watch closely for new rules and regulations from the government that will modify the HIPAA privacy and security rules.
However, they should also keep an eye on another security standard that last month cost a Boston restaurant chain $110,000. The Payment Card Industry (PCI) Data Security Standard (DSS), first released in 2004, requires any entities that accept credit cards to protect that information from theft.
In Boston last month, The Briar Group LLC, which runs popular restaurants in the city, agreed to pay $110,000 in a settlement after it was charged with not taking reasonable steps to protect diners' personal information from credit and debit cards.
Healthcare entities must take caution here, too. Those that take plastic must comply with PCI DSS. And not all entities are aware of the standard, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
"I think healthcare organizations - and many others - are still unaware of PCI DSS," Borten says. "They may or may not be directly affected by DSS, depending on circumstances, but in any case, the security requirements are, like ISO (International Organization for Standardization), HIPAA, and other regulations and frameworks, simply good practice."
Read more on HealthLeaders Media.
HIPAA Q&A: Voicemail messages
Q. May ambulatory surgery center (ASC) staff members leave preoperative messages on patients’ voice mail or answering machines that include:
- The caller’s first name
- The name of the ASC
- Instructions to call a certain number
Messages neither identify the procedure nor provide other information about the patient. I believe this practice is acceptable unless patients have specifically requested that we not do this (e.g., cosmetic cases).
What information concerning a scheduled procedure (e.g., arrival time, medication reminder, what to bring) may we leave on a patient’s voicemail or answering machine? What information may we leave in a post-procedure follow-up message?
A. You are correct. The practice you describe is acceptable because the information in the message is limited to the minimum necessary. Voicemail messages left for patients should not reveal anything about the patient’s diagnosis or surgical procedure. They may convey practical information, such as expected arrival time and medications.
Follow-up messages should be general, such as, “Mr. Smith, this is Sally at XYZ Surgery Center. I wanted to see how you’re doing after your procedure. Please call me back at 999-9999.”
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. Brandt is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for HIPAA privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.
Red Flags Rule compliance: Listen to our audio
The Federal Trade Commission (FTC) may have delayed enforcement of the Red Flags Rule several times, but it's on now.
And that’s the gist of our audio conference on the subject: How to comply with the FTC’s rule that says “creditors” must have a program in place to prevent and detect red flags for medical identity theft.
To learn more about our Red Flags Rule show, visit its home page.
OCR breach list climbs to 265
The number of entities reporting breaches of unsecured PHI affecting at least 500 individuals to the Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, reached 265.
As of Wednesday, March 16, 249 entities had reported breaches, meaning a spike of 16 in the last 45 days, behind the pace since OCR began posting the breaches more than a year ago.
OCR, per a provision in the Health Information Technology for Economic and Clinical Health (HITECH) Act, began posting the entities and information about their large breaches in February 2010. In 15 months, an average of about 18 reports per month, or a little more than one every other day, has surfaced on the OCR website.
Health insurance giant Health Net, Inc. earned a spot on the list after it reported its potential breach affecting the health records of 1.9 million past and current enrollees to OCR. On the Health Net report, the "type of breach" is "unknown," and the "location of breached info" is listed as "other."
