HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Woman accuses Kmart of HIPAA violation

BECKLEY — A Raleigh County woman is suing over claims Kmart pharmacy employees violated HIPAA by discussing her medical information in the store.

Leslie J. Pettry filed a lawsuit April 14 in Raleigh Circuit Court against Kmart Promotions LLC, citing negligence.

According to the complaint, Pettry was a customer of Kmart’s pharmacy department in their Beckley store on Aug. 5, 2012, when an employee of Kmart openly discussed her medical information in the crowded store. The defendant is accused of violating the Health Insurance Portability and Accountability Act by allowing Pettry’s confidential medical information to be disseminated to the public.

Pettry is seeking damages in an amount to be determined by the court.

She is being represented in the case by attorney Anthony M. Salvatore of Hewitt & Salvatore PLLC. The case has been assigned to Circuit Judge H. L. Kirkpatrick.

Raleigh Circuit Court Case No. 14-C-377-K



New HIPAA settlements show OCR’s focus on encryption | Lexology

Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) reached settlements with two separate entities for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Specifically, Concentra Health Services (“Concentra”) agreed to pay $1,725,220 following the theft of an unencrypted laptop and the discovery of generally insufficient security management.  Additionally, QCA Health Plan, Inc. (“QCA”) agreed to pay $250,000 following the theft of an unencrypted laptop and the discovery of general non-compliance with HIPAA.  Both Concentra and QCA also entered into Corrective Action Plans with OCR.

Concentra is a Texas based company with medical facilities in 38 states.  The company submitted a security breach report to OCR in December 2011 upon discovering the theft of an unencrypted laptop from a physical therapy center in Springfield, Missouri.  OCR then investigated Concentra and learned that, although Concentra had identified lack of encryption as a “critical risk” as part of its risk analysis, it had not taken adequate corrective action measures to address that risk.  OCR also found that Concentra had insufficient security management processes in place to safeguard Protected Health Information (“PHI”).

QCA is a health insurance company based in Little Rock, Arkansas.  In February 2012, QCA submitted a security breach report to OCR upon discovering the theft of an unencrypted laptop from an employee’s car.  Following the breach, QCA encrypted devices within the company containing PHI.  However, upon investigation, OCR found that QCA was not fully HIPAA compliant.

Encryption is not required by HIPAA, but if a Covered Entity or Business Associate opts not to encrypt PHI either at rest or in transmission, the entity must document its rationale and adopt alternative safeguards that achieve a similar level of protection.  Additionally, only the improper use or disclosure of unencrypted PHI constitutes a security breach for purposes of HIPAA.  These settlements illustrate potential consequences of not encrypting PHI, particularly on portable devices.  Susan McAndrew of OCR stated with regard to these settlements: “Our message to these organizations is simple: encryption is your best defense to these incidents.”



Satisfaction Survey Postcard Reminder Violated HIPAA Privacy Rule

BALTIMORE, May 2 -- The Maryland Department of Health and Mental Hygiene issued the following news release:

The Developmental Disabilities Administration (DDA) contracts with a vendor, Inclusion Research Institute, whose subcontractor is M. Davis and Company, to conduct Quality of Life surveys for individuals receiving services. These satisfaction surveys are sent out on an annual basis to individuals.

In February 2014, the subcontractor mailed postcards to approximately 2200 individuals reminding them to fill out the survey and return the results. The postcards were addressed to individuals and indicated that they were receiving the notification because they receive services from DDA. As the postcard was not enclosed in an envelope, the fact that the individual was receiving DDA services, which is protected health information, was publicly viewable. This is a breach of the 1996 Health Insurance Portability and Accountability Act (HIPAA).

DDA was notified on March 3, 2014 of this concern and promptly contacted the vendor. The vendor is in the process of notifying the affected individuals and will correct this deficiency for future mailings.



Did We Miss the Patient Engagement Opportunity with Meaningful Use? | EMR and HIPAA

One of the most controversial parts of meaningful use is the requirement that a certain percentage of patients engage with the office. The argument goes that the doctor shouldn’t be rewarded or punished based on the actions of someone (the patients) they don’t control. Regardless of the controversy, the requirement remains that doctors have to engage with a certain number of patients if they want to get the meaningful use money.

I’m personally a fan of patient engagement and think there’s a lot of value that will come from more engagement with patients. This reminds me of Dr. CT Lin’s presentation and research on patient engagement. We need to find more ways to make patient engagement an easy reality in healthcare.

The problem I keep running into with the meaningful use patient engagement requirement is that meaningful use requires a certified EHR to meet that requirement. There are a whole suite of patient engagement apps that provide a useful and logical engagement between doctor and patient. However, none of them can be used to meet the meaningful use patient engagement criteria. Yes, I know the patient engagement app could become modularly certified, but that’s really overkill for many of these apps. It really doesn’t make any sense for them to be certified. The software doesn’t get better (and an argument can be made that the software becomes worse) if they become modularly certified as an EHR.

Because of this issue, the requirement basically relegates EHR vendors to implement some sort of (usually) afterthought patient portal. Then, the doctors have to try and force patients to use a patient portal just to meet a requirement. Plus, many are “gaming” this patient engagement number in the way a patient signs up and engages in the portal.

Wouldn’t it be so much better to allow the patient engagement to happen on a non-certified EHR? Why does this need to happen on a certified EHR? EHR vendors aren’t focused on patient engagement, and so it shouldn’t be a surprise that they’re not creating amazing patient engagement tools. Think about how much more effective the patient engagement would be if it happened on a software that was working and thinking every day about how they can make that engagement work for the patient and the provider.

I’d love to see ONC make an exception on this requirement that would allow patient engagement to occur on something other than the certified EHR. I imagine if they did this, they could even raise the bar when it comes to what percentage of patients they should engage with electronically. If they don’t, we’ll have a bunch of lame duck patient portals that are really only used to meet the MU requirement. What a terrible missed opportunity that would be.



What Is The Cost Of Fraud Prevention In Healthcare? | EMR and HIPAA

Among other things, credit card companies prevent enormous volumes of fraud. In exchange for their services, credit card companies typically charge about 2.5% of merchant revenue. The cost of fraud prevention for most merchants is no more than 2.5% of revenues.

But healthcare is rarely paid for by credit card. The vast majority of payments are directly transferred from payers to providers.

So what is the cost of fraud prevention in healthcare?

If providers were angels and never frauded payers, then the entire claims system would have no reason to exist. In this utopian world, providers would simply bill payers accurately and payers would gladly pay knowing that the claims were honest.

But that’s unrealistic. Payers are extremely skeptical of providers. There is an enormous amount of friction between payers and providers to ensure that providers aren’t overpaid: the technology vendors at every layer of the stack (provider, clearing house, payer), the billers, coders, claims departments, prior authorization departments, insurance agents, AR departments, etc. All of these people, processes, and technologies exist to ensure that providers aren’t overpaid.

Although I cannot find any explicit numbers, it’s not unreasonable that the sheer administrative costs of the claim system is greater than 10% of all healthcare costs.

In addition to compliance costs, actual Medicare Fraud is estimated at about $50B, which is about 9% of all Medicare payments.

The takeaway of the story is that providers can’t seem to stop frauding Medicare. The irony is that physicians – who are generally respected by the public – are those whom the system works most diligently to ensure aren’t overpaid.



Population Health Management (PHM) – The New Health IT Buzzword | EMR and HIPAA

For some reason in healthcare IT we like to go through a series of buzzwords. They rotate through the years, but usually have a very similar meaning. The best example is EMR and EHR. You could nuance a difference between the two terms, but in practice they both are used interchangeably and we all know what it means.

With this in mind, I was intrigued by an excerpt from Cora Sharma’s post on Financial Analytics Bleeding into Population Health Management:

It appears that “population health management” (PHM) just has a better ring to it than “accountable care” or “HMO 2.0”. Increasingly, PHM is becoming an umbrella term for all of the operational and analytical HIT tools needed for the transition to value-based reimbursement (VBR), including EHR, HIE, Analytics, Care Management, revenue cycle management (RCM), Supply Chain, Cost Accounting, … .

On the other hand, HIT vendors continue to define PHM according to their core competencies: claims-based analytics vendors see PHM in terms of risk management; care management vendors are assuming that PHM is their next re-branded marketing term; clinical enterprise data warehouse (EDW) and business intelligence (BI) vendors argue that a single source of truth is needed for PHM; HIE and EHR vendors talk about PHM in the same breath as care coordination, leakage alerts and clinical quality measures (CQM); and so on.

Cora is right. Population Health Management does seem to be the latest buzzword and for some reason feels better to people than accountable care. I guess it makes sense. People don’t want to be held accountable for anything. However, they love to help a population be healthy.

Coming out of 30+ meetings with vendors at HIMSS this year I was asking myself a similar question. What’s the difference between an HIE, healthcare analytics, business intelligence, data warehouses (EDW) and even many of the financial RCM products? I see them all coming together into one platform. I guess it will be called population health management.

To Cora’s broader point in the post, there is a real coming together that’s happening between clinical and financial data in healthcare. All I can think is that it’s about time. The division of the data never really made sense to me. The data should be one and available to whatever system needs the data. ACOs are going to drive this to become a reality.



Is the SHIN-NY “Public Utility” HIE Funding a Model for Other HIE? | EMR and HIPAA

I first started working with the New York eHealth Collaborative (NYeC) many years ago, when they first organized the Digital Health Conference. Hopefully they’ll have me back again this year since I’ve really enjoyed our ongoing partnership. Plus, it’s a great way for me to get a deeper look into the New York Health IT landscape.

While NYeC organizes this conference, has an accelerator, and is (is this a was yet?) even a REC, the core of everything they do is around their HIE called the SHIN-NY. Unlike some states who don’t have any HIE or RHIO, New York has 10 regional health information exchanges (formerly and for some people still called RHIOs). The SHIN-NY is the platform which connects all of the state’s RHIOs into one connected health network. Plus, I know they’re working on some other more general initiatives that share and get data from organizations outside of New York as well.

While the SHIN-NY has been worked on and sending data for a number of years, the news just came out that Governor Cuomo included $55 million in state funding for the SHIN-NY HIE. This is a unique funding model and it makes me wonder how many other states will follow their lead. Plus, you have to juxtapose this funding with my own state of Nevada’s decision to stop funding the state HIE that was supported with a lot of federal government funds as well.

In my HIE experience, I’ve found that every state is unique in how they fund and grow their HIE. Much of it often has to do with the cultural norms of the state. For example, New York is used to high state taxes that support a number of government programs. Nevada, on the other hand, is used to no state tax and government funding largely coming from the hospital and gaming sectors. Plus, this doesn’t even take into account the local healthcare bureaucracies and idiosyncrasies that exist.

What do you think of this type of HIE funding model? Do you wish your state would do something similar? Will we see other states follow New York’s example?

I’m excited to see how NY, NYeC and the SHIN-NY do with this HIE funding. Knowing many of the leaders in that organization, I think they’re going to be a great success and have a real impact for good on healthcare in NY.



Stolen Laptops = HIPAA Settlements Totaling Nearly Two Million Dollars - Health Insurance Portability and Accountability Act | The National Law Review

Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, reminds the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. All HIPAA covered entities and business associates should review these resolution agreements, as they are instructive for handling a key area of risk for just about any such organization: electronic mobile devices, which are frequently lost or stolen, and not encrypted.

In one of the cases, OCR found that the covered entity, Concentra Health Services:

failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.

In other words, OCR claims that although Concentra identified the lack of encryption as a risk, OCR determined that it failed to adequately remediate or manage the risk. It is also important to note, however, that OCR acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule. This means that covered entities and business associates need not encrypt such devices, provided they determine encryption is not reasonable and appropriate, and implement an equivalent alternative measure(s) to encryption, if reasonable and appropriate, and document that determination.

In the other case, following receipt of a breach notice in February 2012 from the covered entity concerning a stolen unencrypted laptop with protected health information of 148 individuals, OCR investigated and contends that the covered entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, including conducting a thorough risk assessment.

So, there are a number of lessons for covered entities and business associates from these resolutions including:

  1. Conduct a risk assessment to identify vulnerabilities. HHS recently released a tool to assist covered entities with this step.

  2. Doing a risk assessment is not enough. Risks identified in the assessment have to be dealt with completely and consistently.

  3. While encryption may be preferred, it is not required so long as the entity identifies and applies alternative measures that are reasonable and appropriate, and documents that determination. But remember that depending on the information stored on the laptops or other mobile storage devices, states such as Massachusetts may require those laptops and devices be encrypted.
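The three lessons above, together with the breach point made in the Lexology piece earlier on this page (only unencrypted PHI counts as a breach of unsecured PHI), reduce to a checkable rule per device. The following Go program is an added example, not code from any of the articles or from OCR: it walks a constructed asset inventory and reports the gaps those lessons describe. The Device fields, the sample IDs (LT-001 and so on) and the rationale strings are all assumptions made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Device is one row of a constructed asset inventory for endpoints that may
// hold ePHI. The field names are assumptions made for this example; they are
// not taken from the OCR resolution agreements.
type Device struct {
	ID                 string
	StoresEPHI         bool
	Encrypted          bool
	Rationale          string // documented reason encryption was judged not reasonable and appropriate
	AlternativeMeasure string // documented equivalent measure implemented instead
	RiskIdentified     bool   // the risk analysis flagged the missing encryption
	Remediated         bool   // that flagged risk has since been closed out
}

// Finding is one gap the check reports against a device.
type Finding struct {
	DeviceID string
	Issue    string
}

// Addressable applies the "addressable" logic described in the article: the
// specification is met by encrypting, or by documenting why encryption is not
// reasonable and appropriate AND implementing an equivalent alternative.
func Addressable(d Device) bool {
	if d.Encrypted {
		return true
	}
	return strings.TrimSpace(d.Rationale) != "" && strings.TrimSpace(d.AlternativeMeasure) != ""
}

// ReportableIfLost mirrors the breach point in the Lexology piece: loss or
// theft of a device is a breach of unsecured PHI only if the PHI on it is
// unencrypted. (Whether the encryption meets HHS guidance is not modelled.)
func ReportableIfLost(d Device) bool {
	return d.StoresEPHI && !d.Encrypted
}

// Evaluate walks the inventory and returns the gaps a risk-assessment
// follow-up would have to close. Devices holding no ePHI are skipped.
func Evaluate(devices []Device) []Finding {
	var findings []Finding
	for _, d := range devices {
		if !d.StoresEPHI {
			continue
		}
		if !Addressable(d) {
			findings = append(findings, Finding{d.ID,
				"unencrypted ePHI with no documented rationale and equivalent alternative measure"})
		}
		// Lesson 2 from the article: identifying the risk is not enough.
		if d.RiskIdentified && !d.Encrypted && !d.Remediated {
			findings = append(findings, Finding{d.ID,
				"lack of encryption identified in the risk analysis but never remediated"})
		}
	}
	return findings
}

// SampleInventory is constructed data; IDs and values are made up.
func SampleInventory() []Device {
	return []Device{
		{ID: "LT-001", StoresEPHI: true, Encrypted: true},
		{ID: "LT-002", StoresEPHI: true, Encrypted: false, RiskIdentified: true},
		{ID: "EMG-01", StoresEPHI: true, Encrypted: false,
			Rationale:          "vendor-locked firmware cannot run full-disk encryption",
			AlternativeMeasure: "ePHI purged to an encrypted server daily; device access logged"},
		{ID: "KIOSK-7", StoresEPHI: false},
	}
}

func main() {
	inventory := SampleInventory()
	for _, f := range Evaluate(inventory) {
		fmt.Printf("%s: %s\n", f.DeviceID, f.Issue)
	}
	for _, d := range inventory {
		fmt.Printf("%s reportable if lost: %v\n", d.ID, ReportableIfLost(d))
	}
}
```

In the sample inventory LT-002 is the Concentra pattern from the article (risk identified, nothing done) and produces two findings; EMG-01 is the documented-alternative path and produces none, but it still shows as reportable if lost, which is the practical reason the article prefers encryption over the alternative route.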



More practical, relevant, and actionable health IT advice to be doled out at HealthIMPACT East in NYC on Wednesday

Our vision of providing a packed one day event focused on practical, relevant, and actionable health IT advice was very well received in Houston earlier this month. We wanted to focus not on canned PowerPoint decks and promotion of tech hype but specific advice on how and where to apply IT in healthcare settings. Based on some of the feedback we got, it looks like we struck a chord:

“I did enjoy the HealthIMPACT Forum in Houston and will definitely recommend attending. The information was of great value and it was enjoyable to meet and network with others. I look forward to next year!” – Barbara Presley, Clinical Documentation Improvement Program, University Medical Center Brackenridge

“HealthIMPACT seemed more focused with only high quality contributors and content. HealthIMPACT was collaborative with fewer ‘talking heads’ and more open and honest dialog. I truly felt that it was a more intimate environment for sharing.” – Zachery Jiwa, Innovation Fellow, US Department of Health and Human Services

“[The open format] allows for valuable exchange between participants. The forum consists of important topics and fluid discussions going where the audience wants to take it.” – George Conklin, Senior Vice President and CIO, Christus Health

I’m often asked why, as a health IT blogger, I wanted to lead HealthIMPACT. Here’s a three-minute video overview:


Based on the feedback from the Houston event and what we’ve heard from our surveys, below are some of the topics we’ve heard the audience wants covered during the day at HealthIMPACT East on Wednesday and at future events coming up in Santa Monica, Nashville, and Chicago. Of course, not everything can be covered in one day, but because we run a non-traditional format we’ll cover a lot more ground, because the audience decides where to take us.

Meaningful Use

  • Assuring on-time and on-budget completion of projects (principally MU2), in the face of reduced reimbursement and personnel resources.
  • Implementation of MU 2
  • Meeting MU2 and CMS rules w/minimal impact on physician workflow/productivity
  • Transition of Care (TOC) measure and use of CCDA & DIRECT Messaging
  • Developing solutions that will satisfy conflicting requirements between CMS sections, without requiring staff to do multiplicative documentation.
  • Effective Clinical Integration Ideas EHR (Epic Implementation)
  • Epic implementation
  • Interoperability legacy systems and modern systems
  • Keeping track of rapid changes in software in the electronic health record
  • Keeping track of changes from CMS
  • Staying current of IT information that comes so fast
  • Meaningful Use Audits
  • Implementing electronic medical record
  • Successful attestation for Stage 2 Phase 1 MU
  • Maintaining metrics in the face of ever changing regulatory requirements
  • Transition of the traditional quality core measures to the electronic clinical quality measures
  • Managing changes in workflows as new components in the EHR are implemented to meet meaningful use requirements

Patient Engagement

  • How will involvement of patients in their own care change the way healthcare is practiced? Will it really?
  • What efforts are being made to reach out to the average patient in the population so they can access and use the health care system the same way that the average person is able to use the banking or retail system?

Data Governance

  • Ensuring data accuracy
  • Control data output to ensure it is of highest quality and provides consistent outcomes.
  • Data governance, measure burden, data analysis
  • Strategies for accurate and reliable data entry
  • Ensuring the quality of information within your EMR
  • Use of computerized assisted clinical documentation or coding to improve clinical outcomes
  • CAC, Computer Assisted Physician Documentation (CAPD)
  • Master Data Management
  • Reconciliation of data between systems

Clinical Informatics

  • Use of analytics/data to coordinate care and cut costs
  • Developing a Health Care Data and Analytics division
  • Knowledge of successful strategies to move forward clinical informatics agenda
  • Population Health and Data Mining
  • Not seeing nursing informatics (N I) working in our healthcare facilities
  • Seeing NI as leaders in the field.
  • Job availability for NI
  • Ways in which nursing informatics is impacting healthcare
  • The integration of Nursing informatics as a part of IT in healthcare
  • Focus on nursing informatics and their role in healthcare
  • cost big data interoperability

Clinical Decision Support

  • Enabling more robust clinical decision support
  • Exploring, and successfully implementing alternate delivery methods of care

Interoperability

  • Information exchange between hospital and outside groups/providers
  • Mobile interoperability of Patient Data
  • Interoperability strategies to ensure exchange of quality information
  • HIE Connectivity, Direct Trust Testing/Connectivity
  • Improved communication between providers

Mobility

  • How to get the most out of mobile platforms.
  • Role of mobile devices in Health IT.
  • Telehealth
  • Clinical solutions and patient engagement solutions
  • How to be successful with cloud strategies

Cost & Resources

  • Ensuring that using IT in care delivery actually helps in reducing cost of healthcare
  • Cutting cost of the contracted services
  • Supporting the education efforts of various departments, without having to assume responsibility for conducting the actual education
  • Prioritizing to corporate strategic direction.
  • Workflow of IT operations area – more efficient
  • How to evaluate new technology
  • global sense of what the most useful cutting edge technologies are
  • Resources Money changes in government regulations
  • Project management C-suite expectations Talent acquisition
  • Money to implement, train, maintain. Trained technical people. Affordable bandwidth.
  • Funding; dealing with increasing integration requirements; need for speed in an increasing complicated environment.
  • Budgets Finding qualified staff to fill positions GRC culture change to make the business more responsible for their applications
  • Change management in general

Innovations

  • What start-up technologies are larger institutions potentially looking at?
  • What apps should patients be “prescribed”?
  • Trends, direction in technologies for new technologies like wearable technology etc.

Security

  • System implementation Security
  • Authentication, electronic signature
  • Medical & Personal Device Security
  • Security and Privacy Mobility

Six Reality Checks of HIPAA Compliance | EMR and HIPAA

Between Windows XP causing HIPAA compliance issues and the risk associated with the risk assessment required by meaningful use, many in healthcare are really waking up to the HIPAA compliance requirements. Certainly there’s always been an overtone of HIPAA compliance in the industry, but it’s one thing to think about HIPAA compliance and another to be HIPAA compliant.

 

This whitepaper called HIPAA Compliance: 6 Reality Checks is a great wake up call to those that feel they have nothing to worry about when it comes to HIPAA. While many are getting ready, there are still plenty that need a reality check when it comes to HIPAA compliance.

 

Here’s a look at why everyone could likely benefit from a HIPAA reality check:

(1) Data breaches are a constant threat

(2) OCR audits reveal health care providers are not in compliance

(3) Workforce members pose a significant risk for HIPAA liability

(4) Patients are aware of their right to file a complaint

(5) OCR is increasing its focus on HIPAA enforcement

(6) HIPAA Compliance is not an option, it’s LAW

 

Obviously, the whitepaper goes into a lot more detail on each of these areas. As I look through the list, what seems clear to me is that HIPAA compliance is a problem. Every organization should ask themselves the following questions:

 

Are we HIPAA compliant?

 

What are you doing to mitigate the risk of a breach or HIPAA violation?

 

When I look at the 6 Reality Checks details in the whitepaper, I realize that everyone could benefit from a harder look at their HIPAA compliance. A little bit of investment now, could save a lot of heartache later.

Technical Dr. Inc.'s insight:

Does your practice need a HIPAA Risk Assessment?  We can help!  Contact us at inquiry@technicaldr.com or call 877-910-0004 x3 today!


- The Technical Doctor Team

HIPAA Audit Tips – Sort out your Business Associate status before OCR does!

There was an interesting discussion at the recent OCR/NIST 6th Annual Conference on Safeguarding Health Information.  Several of the conference attendees were seeking clarification from the OCR on the categorization of an entity which stores encrypted PHI on behalf of a covered entity, but does not possess the encryption keys nor have any mechanism to decrypt, or otherwise access, the plaintext data. They did not appear happy with the response they received.

Much of the confusion stems from the concept of “conduits”, a term which was introduced in the preamble of the Privacy Rule in 2000. The initial language characterized a conduit as an entity that…

“…transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.”

The classic example used is the U.S. Postal Service (and its electronic equivalents), which acts as a courier of data sent from Point A to Point B.

The 2013 Omnibus Final Rule provides significantly more detail on conduits, but this additional detail still leaves the question posed by the conference attendees unresolved.

The preamble of the Omnibus Rule states that the conduit exception is intended to be a narrow one that is limited to transmission services where the PHI data is transient, not persistent.

The Omnibus Rule goes on to say…

“To help clarify this point, we have modified the definition of ‘business associate’ to generally provide that a business associate includes a person who ‘creates, receives, maintains, or transmits’ (emphasis added) protected health information on behalf of a covered entity.”

David Holtzman, Sr. Health Information Technology and Privacy Specialist for the OCR, attempted to provide some clarification by stating that one test to determine if a Business Associate agreement is required, is persistence of custody rather than ability to access.  Holtzman acknowledged that this topic is being discussed internally at the OCR and said they are working to provide clarification on the issue.

So, it would seem that, barring any reversal in direction from the OCR, entities which store ePHI on behalf of a Covered Entity or a Business Associate will indeed be required to comply with the regulations and complete a Business Associate agreement, regardless of their ability to decrypt or access the data in their custody.

There is an interesting parallel in the Payment Card Industry, which has attempted to avoid federal regulation by implementing the PCI Data Security Standard (PCI-DSS) for all organizations which store, process, or transmit credit card data.  The PCI Security Standards Council, the consortium that establishes the compliance standards for the PCI program, evaluated this same topic of entities which store encrypted data but have no ability to decrypt or access it.  In August 2012 the Standards Council issued clarification in the form of a FAQ article (Article Number: 1233) which states:

“…if a merchant stores media containing only encrypted data at a third-party back-up storage facility, and the third-party provider has no access to decryption keys and no ability to decrypt the data, then the presence of encrypted data alone would not bring the third-party provider into scope for PCI DSS”

So I suppose it stands to reason that since we’re comparing two different industries (Health Care & Electronic Payments) and two different governance models (Federal Regulation vs. Industry Self-regulation) that we have two different answers to the same question. In the meantime, we will all be anxiously awaiting the formal clarification from the OCR.

The standard disclaimers hold here; the opinions contained herein are those of the author, who is not an attorney and is not offering legal advice. Determining if a Business Associate agreement is required in a particular situation is best decided by working in conjunction with your Legal Counsel.
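The arrangement the conference attendees were asking about, a third party that persists ciphertext but holds no key and has no decrypt routine, is easy to build and worth seeing concretely, since it is exactly the property the PCI FAQ relies on and the property OCR's custody test sets aside. The Go program below is an added example, not code from the article or from any vendor: the custodian (covered entity or business associate) seals records with AES-256-GCM, the Provider type stores and returns blobs through an API with no key parameter, and a decryption attempt with any other key fails authentication. The sample record text and object names are constructed; the legal question of whether such a provider needs a Business Associate agreement is the one the article leaves with OCR and is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is all the storage provider ever receives: a random nonce and the
// AES-GCM ciphertext (which carries its own authentication tag).
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key. In the arrangement discussed in
// the article this stays with the covered entity or its business associate;
// the storage provider never sees it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts ePHI under the custodian's key before it leaves the
// custodian's environment.
func Seal(key, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a Blob. With any key other than the one used in Seal, GCM
// authentication fails and an error is returned: holding the ciphertext
// alone gives no ability to read the data.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Provider models the keyless third-party store: it persists Blobs by name
// and hands them back, and its API has no key parameter anywhere.
type Provider struct{ store map[string]Blob }

func NewProvider() *Provider { return &Provider{store: map[string]Blob{}} }

func (p *Provider) Put(name string, b Blob) { p.store[name] = b }

func (p *Provider) Get(name string) (Blob, error) {
	b, ok := p.store[name]
	if !ok {
		return Blob{}, fmt.Errorf("no object named %q", name)
	}
	return b, nil
}

func main() {
	key, _ := NewKey()
	record := []byte("MRN 000123: constructed sample record") // constructed, not real PHI
	blob, _ := Seal(key, record)

	provider := NewProvider()
	provider.Put("patient/000123", blob)

	stored, _ := provider.Get("patient/000123")
	// The provider has no key; a guess (here an all-zero key) fails authentication.
	if _, err := Open(make([]byte, 32), stored); err != nil {
		fmt.Println("decryption without the custodian key failed:", err)
	}
	plain, err := Open(key, stored)
	fmt.Printf("custodian decrypts: %q (err=%v)\n", plain, err)
}
```

Note that persistence is entirely on the Provider side: it keeps the blob indefinitely, which is what OCR's "persistence of custody" test looks at, while the inability to decrypt is what the PCI FAQ looks at. The code makes both facts visible at once, which is why the same component gets two different answers in the article.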

HIPAA Privacy and Security Reminders – UT Physicians Laptop Goes Missing - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance


What Happened?

On August 28, 2013, UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, announced that an unencrypted laptop computer containing some patient information was discovered missing on Aug. 2 from a locked closet in a UT Physicians orthopedic clinic.


What Was the Nature of the Information and How Many Individuals Were Affected?

UT Physicians reported that 596 individuals’ information was stored on the laptop. The specialized laptop computer attached to an electromyography machine included hand and arm image data from February 2010 to July 13. Patient information stored on the computer included names, birth dates and medical record numbers. There were no addresses, social security numbers, or insurance or other financial information stored on the laptop.

What Was Done to Mitigate / Remediate?

  • On August 28, UT Physicians began mailing letters to the 596 patients whose information was stored on the laptop. 
  • Reportedly, encryption of all laptops has been the policy at UT Physicians and UTHealth for the last two years and all known laptops – more than 5,000 – have been encrypted. 
  • The medical group and UTHealth have taken steps to ensure that the missing laptop in the orthopedic clinic is an isolated incident.
  • UT Physicians and UTHealth officials continue to work with law enforcement in their investigation.
  • UT Physicians and UTHealth are conducting a physical search of all clinics and offices to ensure that there are no other unencrypted laptops or storage devices attached to medical equipment. 
  • They are tightening the processes for the purchase of medical equipment.
  • UT Physicians and UTHealth have initiated additional review processes and inventories and invested in hardware, software and personnel to ensure that all personal information on UT Physicians’ and UTHealth’s computers and hard drives is encrypted.


What Should Organizations Do Next?

  • Make sure all mobile devices containing PII and PHI (laptops, smartphones, portable USB drives, thumb drives, etc.) are encrypted
  • Ensure documented policies and procedures are in place, are being followed and reflect actual practices.
  • Implement a regular sampling audit of devices to ensure encryption is installed and operational.
  • Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities and controls have been considered.



Do Security and Privacy Concerns Drive Cloud Adoption? | EMR and HIPAA


In one of my recent conversations with Dr. Andy Litt, Chief Medical Officer at Dell, he made a really interesting but possibly counter intuitive observation. While maybe not a direct quote from him, I took away this observation from Dr. Litt:

Security and privacy drives people to the cloud.

Talk about an ironic statement. I imagine if I were to talk to a dozen CIOs, they would be more concerned about the security and privacy implications of the cloud. I don’t imagine most would look at the cloud as the solution to some of their security and privacy problems.

However, Dr. Litt is right. Many times a cloud based EHR or other software is much more secure than a server hosted in a doctor’s office. The reality is that many healthcare organizations, large or small, just can’t invest the same money in securing their data as a cloud provider can.

It’s not for lack of desire to make sure the data is secure and private. However, if you’re a small doctor’s office, you can only apply so many resources to the problem. Even a small EHR vendor with a few hundred doctors can invest more money in the security and privacy of their data than a solo practice can, and this holds for even very large practices and many hospitals.

One reason many will disagree with this notion is that there’s a difference between a cloud provider who can be more secure and private and one who actually executes on that possibility. It’s a fair question that everyone should ask, but it can be verified: you can audit your cloud provider and see whether they’re indeed putting in security and privacy capabilities beyond what you’d be able to do on your own.


Did We Miss the Patient Engagement Opportunity with Meaningful Use? | EMR and HIPAA


One of the most controversial parts of meaningful use is the requirement that a certain percentage of patients engage with the office. The argument goes that the doctor shouldn’t be rewarded or punished based on the actions of someone (the patients) they don’t control. Regardless of the controversy, the requirement remains that doctors have to engage with a certain number of patients if they want to get the meaningful use money.


I’m personally a fan of patient engagement and think there’s a lot of value that will come from more engagement with patients. This reminds me of Dr. CT Lin’s presentation and research on patient engagement. We need to find more ways to make patient engagement an easy reality in healthcare.


The problem I keep running into with the meaningful use patient engagement requirement is that meaningful use requires a certified EHR to meet that requirement. There are a whole suite of patient engagement apps that provide a useful and logical engagement between doctor and patient. However, none of them can be used to meet the meaningful use patient engagement criteria. Yes, I know the patient engagement app could become modularly certified, but that’s really overkill for many of these apps. It really doesn’t make any sense for them to be certified. The software doesn’t get better (and an argument can be made that the software becomes worse) if they become modularly certified as an EHR.


Because of this issue, the requirement basically relegates EHR vendors to implement some sort of afterthought (usually) patient portal. Then, the doctors have to try and force patients to use a patient portal just to meet a requirement. Plus, many are “gaming” this patient engagement number in the way a patient signs up and engages in the portal.


Wouldn’t it be so much better to allow the patient engagement to happen on a non-certified EHR? Why does this need to happen on a certified EHR? EHR vendors aren’t focused on patient engagement, so it shouldn’t be a surprise that they’re not creating amazing patient engagement tools. Think about how much more effective the patient engagement would be if it happened in software built by a team working and thinking every day about how to make that engagement work for the patient and the provider.


I’d love to see ONC make an exception on this requirement that would allow patient engagement to occur on something other than the certified EHR. I imagine if they did this, they could even raise the bar when it comes to what percentage of patients they should engage with electronically. If they don’t, we’ll have a bunch of lame duck patient portals that are really only used to meet the MU requirement. What a terrible missed opportunity that would be.

Technical Dr. Inc.'s insight:

Do you have a website that engages your patients? If not, contact Technical Doctor at inquiry@technicaldr.com today to learn how we can help!


- The Technical Doctor Team


Can Google Glass Get Any HIPAA?

Google Glass is a hip new accessory gaining acceptance in clinical settings, but before widespread adoption can take place, organizations must ensure that the wearable device is HIPAA-compliant.

Imagine being able to find and view a patient's electronic health record with a simple nod of the head, or being able to maintain eye contact with patients while reviewing their records, or being able to check in on a patient from a remote location as if you were both in the same room.

This technology is already in use by healthcare providers and may be more widespread than you think. If it hasn't already made a debut in an emergency department near you, it will soon. Boston's Beth Israel Deaconess Medical Center and Brigham and Women's Hospital, Rhode Island Hospital, UC Irvine Medical Center, and Indiana State University Hospital are just a few of the organizations that are using Google Glass at least on an experimental basis.

"From the patient perspective, there's nothing worse than watching a doctor sit down and type at a computer screen. Glass enables you to meet a patient at eye level," says Paul Porter, MD, a physician at Rhode Island Hospital's department of emergency medicine. "This is a starting point toward a complete telemedicine program," he continued.


Cloud HIPAA BAA considerations for healthcare providers | HealthITSecurity.com

Most healthcare cloud security discussions these days involve a cloud provider’s willingness (or perhaps lack thereof) to sign a HIPAA business associate agreement (BAA). Vendors once had little reason to sign such an agreement, but the HIPAA Omnibus Rule put teeth into the regulatory responsibility of BAs, and the BAA has since evolved into a bare minimum for doing business with many healthcare organizations.

Google and Microsoft have been at the forefront of this movement, as Microsoft has been offering HIPAA BAAs for about a year now and Google finally gave in to healthcare organizations on the BAA front last September when it included Google Apps. However, because not all BAAs may be created equal based on size, need and circumstances, there are instances where an organization and cloud vendor may not be able to come to terms on a BAA. For instance, the Wall Street Journal recently reported on why the pace of cloud adoption has slowed and referenced how some healthcare organizations are still wary of storing data outside of the organization.

Specifically, even after looking into using Microsoft’s Office 365 in 2013 with a HIPAA BAA available, Molina Healthcare Inc. of Calif. chose to just stick with its on-premises storage product. Molina Healthcare CIO Rick Hopfer told the Journal that his organization could not come to an agreement with Microsoft on the specifics of the BAA. While Hopfer didn’t explain exactly what issue within the BAA prevented Molina from using Office 365, the decision illustrates an important point: while cloud vendors offering BAAs is an important step toward cloud adoption in healthcare, some organizations may have precise needs that they don’t believe are covered by a BAA. Hopfer made it clear that this didn’t mean Molina had no interest in a Microsoft, or even Google, BAA down the line, but keeping its on-premises product made sense for now. “I do believe this will evolve in a positive way for health-care companies in the next couple of years,” he said.


Secure Text Messaging is Universally Needed in Healthcare | EMR and HIPAA


I’ve written regularly about the need for secure text messaging in healthcare. I can’t believe that it was two years ago that I wrote that Texting is Not HIPAA Secure. Traditional SMS texting on your cell phone is not HIPAA secure, but there are a whole lot of alternatives. In fact, in January I made the case for why even without HIPAA Secure Text Messaging was a much better alternative to SMS.

Those that know me (or read my byline at the end of each article) know that I’m totally biased on this front since I’m an adviser to the secure text message company docBeat. With that disclaimer, I encourage all of you to take a frank and objective look at the potential for HIPAA violations and the potential benefits of secure text over SMS and decide for yourself if there is value in these secure messaging services. This amazing potential is why I chose to support docBeat in the first place.

While I’ve found the secure messaging space really interesting, what I didn’t realize when I started helping docBeat was how many parts of the healthcare system could benefit from something as simple as a secure text message. When we first started talking about the secure text, we were completely focused on providers texting in ambulatory practices and hospitals. We quickly realized the value of secure texting with other members of the clinic or hospital organization like nurses, front desk staff, HIM, etc.

What’s been interesting in the evolution of docBeat was how many other parts of the healthcare system could benefit from a simple secure text message solution. Some of these areas include things like: long term care facilities, skilled nursing facilities, Quick Care, EDs, Radiology, Labs, rehabilitation centers, surgery centers, and more. This shouldn’t have been a surprise since the need to communicate healthcare information that includes PHI is universal and a simple text message is often the best way to do it.

The natural next extension for secure messaging is to connect it to patients. The beautiful part of secure text messaging apps like docBeat is that patients aren’t intimidated by the messages they receive from docBeat. The same can’t be said for most patient portals, which require all sorts of registration, logins, forms, etc. Every patient I know is happy to read a secure text message. I don’t know many that want to log in to a portal.

Over the past couple years the secure text messaging tide has absolutely shifted and there’s now a land grab for organizations looking to implement some form of secure text messaging. In some ways it reminds me of the way organizations were adopting EHR software a few years back. However, we won’t need $36 billion to incentivize the adoption of secure text message. Instead, market pressures will make it happen naturally. Plus, with ICD-10 delayed another year, hopefully organizations will have time to focus on small but valuable projects like secure text messaging.


The Feds Are Supporting Telemedicine | EMR and HIPAA


The Federation of State Medical Boards (FSMB) recently passed a model telehealth policy that promotes virtual visits for first-time encounters. This is notable for two reasons: first, many state medical boards liberally borrow from FSMB model policies, and second, this marks a shift from the old model in which patients were encouraged to see providers in person before engaging in telemedicine consults.

It’s encouraging to see the old, arbitrarily restrictive model fade, in favor of one where patients can begin building a relationship with their physician without travel. Indeed, people meet on the internet all the time; why can’t patients meet their care providers the same way?

The old model was arbitrarily limiting access to care, and thus driving up costs and driving down quality. Under the new model, patients should finally be able to login to a web service and be connected directly to a qualified physician that payers will cover. For telemedicine companies like American Well, Doctor on Demand, and others, this is a major coup.

This combination of technology and new guidelines will reduce ER visits, improve access, and ultimately reduce costs. Once it’s easy to get access to preventative medicine, patients will actually partake in preventative care. As a simple example to illustrate this, let’s examine my wellness check up habits.

I’m a healthy young male. I haven’t been to the doctor for a check up in close to a decade and have no intention of going. The process of booking an appointment, leaving my job that I love, and sitting in a waiting room are enough to deter me from ever going to the doctor. But if I could step into a private space and consult with a physician via a video consult for 15 minutes, I might actually get an annual check up. If the physician discovered something concerning and asked me to come, I would actually come in. But I would never come in for an in person visit without an explicit reason to. It’s not worth the pain and headache of going into the doctor’s office unless I have a reason to; the only way to achieve preventive medicine at scale is to make it easy for patients and providers alike.

Ambulances, ERs, and urgent care centers should expect a similar change in their operations. In these environments, specialists can now be reimbursed for first time consults with patients across a range of devices – iPhones, iPads, Androids, Macs, PCs, and even Google Glass. Neurologists can beam into ambulances for strokes, cardiologists for cardiac resuscitations, and trauma specialists for trauma cases. The opportunities are really endless, and my company, Pristine, is proud to lead the way in these new hyper-mobile telemedicine environments.

On the other hand, the new guidelines set forth by the FSMB aren’t all positive. Perhaps most perplexing, the FSMB did not classify messaging and audio-only phone calls as telemedicine. They didn’t strictly forbid either activity, but they made it clear to payers and providers that live, synchronous video is necessary for reimbursement. In light of the shift to ACOs and value based models, this is perplexing. Kaiser Permanente and Group Health physicians reportedly spend up to 2 hours per day interacting with patients through asynchronous messaging.

Despite some setbacks in the new standards set forth by the FSMB, I’m incredibly excited about the future of telehealth across the continuum of care. The new model put forth by the FSMB is just the first of many steps toward a healthcare delivery system in which telemedicine powers the majority of care delivery across the country.


CMS issues 2015 proposed IPPS rule


The Centers for Medicare & Medicaid Services late Wednesday issued a proposed rule for 2015 that reduces payment for readmissions and hospital-acquired conditions, but provides no changes to the controversial two-midnight rule.


The agency proposes to increase the payment rate for inpatient stays at general acute care hospitals by 1.3 percent in fiscal year 2015, but only 0.8 percent for long-term care hospitals.


CMS Administrator Marilyn Tavenner said in an announcement that the aim of the proposed rule is to improve hospital performance while "creating an environment for improved Medicare beneficiary care and satisfaction."

The proposed rule includes the following changes:

Readmission reductions: CMS proposes to increase the maximum reduction in payments under the Hospital Readmissions Reduction Program from 2 percent to 3 percent in fiscal year 2015. The agency also plans to assess hospital penalties using five readmissions measures endorsed by the National Quality Forum.

Value-based purchasing: The agency will increase incentive payments to 1.5 percent of the base operating diagnosis-related group payment amounts to all participating hospitals. The total amount available for value-based incentives will be $1.4 billion, CMS estimated in the announcement.

Hospital-acquired conditions: The proposed rule calls for a 1 percent reduction in Medicare inpatient payments for hospitals that score in the top quartile for the rate of these preventable conditions. CMS projects that so far the HAC program has saved $25 million by reducing Medicare payments for these conditions.



Read more: CMS issues 2015 proposed IPPS rule - FierceHealthcare http://www.fiercehealthcare.com/story/breaking-news-cms-issues-2015-proposed-ipps-rule/2014-05-01#ixzz30ZuodGAA



Where Are the Big Business Associate HIPAA Breaches? | EMR and HIPAA


It seems like I have HIPAA and security on my mind lately. It started with me writing about the 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the latter post, there’s been a really rich discussion around the ability of an enterprise organization to secure its systems better than most healthcare organizations can.

As part of that discussion I started thinking about the HHS HIPAA Wall of Shame. Off hand, I couldn’t think of any incidents where a business associate (i.e. a healthcare cloud provider) was ever posted on the wall, or any reports of major HIPAA breaches by a large business associate. Do you know of some that I’ve just missed?

When I looked at the HIPAA Wall of Shame, there wasn’t even a covered entity type for business associates. I guess they’re not technically a covered entity even though they act like one now thanks to HIPAA Omnibus. Maybe that’s why we haven’t heard of any and we don’t see any listed? However, there is a filter on the HIPAA Breach disclosure page that says “Business Associate Present?” If you use that filter, 277 of the breaches had a “business associate present.” Compare that with the 982 breaches they have posted since they started in late 2009.

I took a minute to dig into some of the other numbers. Since they started in 2009, they’ve reported breaches that affected 31,319,872 lives. My rough estimate for 2013 (which doesn’t include some breaches that occurred over a period of time) is 7.25 million lives affected. So far in 2014 they’ve posted HIPAA breaches with 478,603 lives affected.

Certainly HIPAA omnibus only went into effect late last year. However, I wonder if HHS plans to expand the HIPAA Wall of Shame to include breaches by business associates. You know that they’re already happening or that they’re going to happen. Although, not as often if you believe my previous piece on them being more secure.

As I considered why we don’t know of other HIPAA business associate breaches, I wondered why else we might not have heard more. I think it’s naive to think that none of them have had issues. Statistics alone tells us otherwise. I do wonder if there is just not a culture of following HIPAA guidelines so we don’t hear about them?

Many healthcare business associates don’t do much more than pay lip service to HIPAA. Many don’t realize that under the new HIPAA omnibus they’re going to be held accountable similar to a covered entity. If they don’t know those basic things, then can we expect them to disclose when there’s been a HIPAA breach? In healthcare organizations they now have that culture of disclosure. I’m not sure the same can be said for business associates.

Then again, maybe I’m wrong and business associates are just so much better at HIPAA compliance, security and privacy, that there haven’t been any major breaches to disclose. If that’s the case, it won’t last forever.


HHS announces HIPAA settlements for stolen laptops | Lexology

USA, April 25, 2014

On April 22, 2014, the Department of Health and Human Services ("HHS") announced that it reached settlements with two covered entities arising from alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules.  Both settlements involve the theft of unencrypted laptops and follow investigations in which the Office for Civil Rights ("OCR") found ongoing deficiencies in HIPAA compliance.  These cases mark the 19th and 20th HIPAA enforcement actions taken by HHS since 2008 and the 2nd and 3rd this year.  OCR representatives have stated that there are several more cases in the pipeline.

In the press release announcing the settlements, the OCR Deputy Director for Health Information Privacy, Susan McAndrew, noted that "[o]ur message...is simple:  encryption is your best defense against these incidents."

The Settlements

The first settlement involves a national provider of occupational medicine, urgent care, physical therapy and wellness services that is headquartered in Texas.  OCR Region X began an investigation of the provider when it received a breach report that an unencrypted laptop was stolen from one of its Missouri facilities in December 2011, affecting 870 individuals.  OCR's investigation found that the provider previously had conducted risk analyses that identified the absence of encryption on portable devices as a critical risk but had been inconsistent in its steps to remediate that risk, which were not yet complete.  OCR's investigation also found that the provider's security management processes were insufficient and did not adequately safeguard patient information.

HHS and the provider entered into a Resolution Agreement under which the provider agrees to pay $1,725,220 and comply with a Corrective Action Plan.

The second settlement involves an Arkansas health plan.  In February 2012, the health plan reported to OCR that an unencrypted laptop computer containing the electronic protected health information ("ePHI") of 148 individuals was stolen from a workforce member's car.  OCR Region VII's investigation found that over a period of time the health plan did not implement policies and procedures to prevent, detect, contain and correct security violations.  Specifically, the OCR found that the health plan had not conducted an accurate and thorough assessment and did not implement security measures sufficient to reduce risks and vulnerabilities to ePHI, which are HIPAA Security Rule requirements.  OCR also found that the health plan did not implement physical safeguards for all workstations to restrict access to authorized users.

HHS and the health plan also entered into a Resolution Agreement under which the health plan agrees to pay $250,000 and comply with a Corrective Action Plan.

In both cases, the Corrective Action Plan requires the covered entities to implement and report on a number of HIPAA compliance activities, including:

  • Providing HHS with a risk analysis of all potential risks and vulnerabilities to all of the provider's ePHI;
  • Providing HHS a risk management plan that describes all evidence of implemented and planned remediation actions and, for all planned remediation actions, timelines for expected completion;
  • Conducting security awareness training for workforce members; and
  • Submitting annual reports of compliance to OCR for two years.

Practical Takeaways

In light of these HIPAA enforcement actions, covered entities and business associates should continue to take the necessary steps to safeguard their ePHI, including:

  • Addressing the HIPAA Security Rule encryption standard, which requires that encryption be implemented unless it is not reasonable and appropriate, in which case an alternative measure must be implemented and documented;
  • Determining which devices and equipment contain or have access to ePHI and applying the encryption standard to all such devices, including portable devices, desktop computers and medical equipment;
  • Conducting comprehensive risk analyses to identify and evaluate security vulnerabilities for ePHI;
  • Creating a detailed remediation plan for any vulnerabilities identified by the risk analysis and taking swift and consistent action to complete remediation activities according to their level of criticality;
  • Updating privacy and security policies regularly;
  • Updating and providing privacy and security training for workforce members periodically;
  • Investigating and sanctioning workforce members promptly and appropriately for violations of HIPAA policies and procedures; and
  • Conducting an independent HIPAA compliance assessment utilizing the OCR HIPAA Audit Protocol.
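The two device-focused items above (finding every device that holds or can reach ePHI, then applying the encryption standard to all of them) and the sampling audit recommended in the UT Physicians reminders earlier on this page come down to the same check: is every device that shows up on the network actually in the inventory, and does every device in the inventory report encryption that is enabled, key-escrowed and recently verified? The UT Physicians case is the failure mode: more than 5,000 known laptops were encrypted, and the one that went missing was an instrument-attached laptop the inventory never knew about. The Python below is an added example, not code from either article or from OCR. The MDM export columns, the DHCP lease line format and all host names and MACs are constructed for illustration.

```python
"""Encryption-coverage check: reconcile an asset inventory against hosts
seen on the network, then audit (fully or by random sample) whether each
inventoried device is actually protected.

Added example; the data below is constructed and the field names are
assumptions about what an MDM export and a DHCP lease log contain.
"""
import csv
import io
import random

# Constructed asset-inventory (MDM) export.
INVENTORY_CSV = """hostname,mac,owner,encryption,key_escrowed,last_checkin_days
ORTHO-LT-017,aa:bb:cc:00:00:17,ortho clinic,enabled,yes,2
ORTHO-LT-018,aa:bb:cc:00:00:18,ortho clinic,enabled,no,1
CARD-LT-042,aa:bb:cc:00:00:42,cardiology,enabled,yes,45
RAD-WS-003,aa:bb:cc:00:00:03,radiology,disabled,no,3
PT-LT-009,aa:bb:cc:00:00:09,physical therapy,unknown,no,90
"""

# Constructed DHCP lease log (assumed format: date time "lease" mac ip hostname).
# EMG-ACQ-01 is a vendor-supplied laptop attached to an instrument that never
# went through IT procurement, so it is on the network but not in the inventory.
DHCP_LEASES = """\
2013-08-01 09:14:02 lease aa:bb:cc:00:00:17 10.20.4.17 ORTHO-LT-017
2013-08-01 09:15:40 lease aa:bb:cc:00:00:18 10.20.4.18 ORTHO-LT-018
2013-08-01 09:20:11 lease 00:11:22:33:44:55 10.20.4.77 EMG-ACQ-01
2013-08-01 10:02:55 lease aa:bb:cc:00:00:03 10.20.9.3 RAD-WS-003
2013-08-01 10:03:19 lease 00:11:22:33:44:56 10.20.9.80 EMG-ACQ-01
"""

STALE_DAYS = 30  # an agent silent this long cannot vouch for the device's state


def load_inventory(text):
    """Inventory rows keyed by MAC, lower-cased so they match network data."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def observed_hosts(lease_text):
    """MAC -> announced hostname for every lease line in the log."""
    seen = {}
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[2] == "lease":
            seen[parts[3].lower()] = parts[5]
    return seen


def unmanaged_devices(inventory, hosts):
    """Devices seen on the wire that the inventory, and therefore the
    encryption policy, knows nothing about. Sorted for stable output."""
    return sorted((mac, name) for mac, name in hosts.items() if mac not in inventory)


def encryption_findings(row):
    """Reasons an inventoried device does not count as protected. 'Installed'
    is not enough: encryption must be enabled, the recovery key escrowed (or a
    lost laptop becomes lost data), and the status report must be recent."""
    findings = []
    if row["encryption"] != "enabled":
        findings.append("encryption " + row["encryption"])
    if row["key_escrowed"] != "yes":
        findings.append("recovery key not escrowed")
    if int(row["last_checkin_days"]) > STALE_DAYS:
        findings.append("no check-in for %s days" % row["last_checkin_days"])
    return findings


def full_audit(inventory):
    """hostname -> findings, for every device with at least one finding."""
    result = {}
    for row in inventory.values():
        findings = encryption_findings(row)
        if findings:
            result[row["hostname"]] = findings
    return result


def sample_audit(inventory, sample_size, seed=None):
    """Random sample for a periodic spot check; a fixed seed makes the
    selection reproducible for the audit record."""
    rng = random.Random(seed)
    chosen = rng.sample(sorted(inventory), min(sample_size, len(inventory)))
    return {inventory[mac]["hostname"]: encryption_findings(inventory[mac]) for mac in chosen}


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    hosts = observed_hosts(DHCP_LEASES)
    for mac, name in unmanaged_devices(inv, hosts):
        print("NOT IN INVENTORY:", name, mac)
    for host, findings in full_audit(inv).items():
        print("NOT PROTECTED:", host, "; ".join(findings))
    for host, findings in sample_audit(inv, 2, seed=1).items():
        print("SAMPLED:", host, "OK" if not findings else "; ".join(findings))
```

Run against the constructed data, the reconciliation flags EMG-ACQ-01 (under two MACs) as present on the network but absent from the inventory, which is exactly the gap the UT Physicians physical search was meant to close, and the audit flags four of the five inventoried devices for disabled or unknown encryption, an unescrowed recovery key, or a stale status report. In practice the lease log would be replaced by whatever network-observed source the organization has (DHCP, ARP tables, NAC or switch port data) and the inventory by the real MDM or asset-management export.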


ACO’s and the Tech Needed to Be Ready | EMR and HIPAA


The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.

For those not familiar with ACOs (Accountable Care Organizations), I want to provide some insight into ACOs and how a medical practice can better prepare themselves for the coming shift in reimbursement, which is epitomized by the ACO. This is a challenging subject since the ACO is a somewhat nebulous idea that’s rapidly changing, but hopefully I can provide you some strategies that will help you be prepared for the coming changes.

You may remember when we talked in a previous post about the Value Based Payment Modifier and its impact on healthcare reimbursement. As we talked about in that post, healthcare reimbursement is changing and CMS is looking to only pay those providers who are providing quality care. As part of this movement, an ACO is an organization that works on behalf of a community of patients to ensure quality care.

The metrics of how they’ll measure what they reimburse and what they consider quality care are likely to rapidly change over the next few years while CMS figures out how to measure this. However, one key to being ready for this shift is that you’ll need to be part of an organization or group of providers that will take accountability for a patient population.

In some areas of the country, the hospitals are leading these organizations, but in other areas groups of physicians are coming together to form an ACO of just physicians. Either way can work. The key is that the members of these groups are going to share in the reimbursement the group receives for improving the quality of healthcare that patients in the community receive.

Also worth noting is that membership in an ACO isn’t necessarily a prerequisite for value based reimbursement. Whether you choose to be a member of an ACO or not, you’re going to be impacted by value based reimbursement and will need to be ready for the change. Not being ready could lead to lower reimbursement for the services you provide.

While it’s great that organizations of doctors are coming together to meet the need for ACOs, much more is going to be needed to do well in an ACO reimbursement world. The reality is that an ACO can’t exist without technology. Don’t even think about trying to meet the ACO requirements without the use of technology. ACOs will base their reimbursement on trackable data that can be aggregated across a community of providers that are likely on hundreds of different systems. Try doing that on paper. It just won’t happen.

In fact, many people probably think that their EHR software will be enough to meet the needs of the ACO as well. I believe this to be a myth. Without a doubt, the EHR will play a major role in the gathering and distribution of the EHR data. However, unless you’re a homogeneous ACO with providers that are all on the same single instance of an EHR, you’re going to need a whole suite of services that connect, aggregate, and interpret the EHR data for the community of patients. Add on top of that the communication needs of an ACO and the care manager style tracking that will need to occur, and it’s unlikely your EHR is going to be up to the task of an ACO. EHR vendors will be too busy dealing with meaningful use and EHR certification.

Let me highlight three places where an ACO will need technology:

Communication
One of the key needs in an ACO is quality communication. This communication will happen provider to provider, provider to care manager, provider to patient, and care manager to patient, and vice versa. You can expect it to be a mix of secure text messaging and secure email. In some cases it will be facilitated by a patient portal, but most of the secure messaging platforms for healthcare are much slicker and more effective than the patient portals that, so far, patients have rarely used.

Are you using a next generation secure messaging system to communicate with other providers, your staff, and the patient? You’ll likely need to use one in an ACO.

Provider Data Aggregation
Much as paper charts won't be enough in an ACO world, faxed documents won't be enough either. Providers in an ACO will need patient data from across the entire community of ACO providers. At a minimum, providers in an ACO will need their EHRs connected via Direct, but most will need some sort of outside HIE that helps transfer, aggregate and track all the data that's available for a patient in the ACO.

The ACO and the doctor will really benefit from having all of the patient data available at the click of a button. Without it, I'm not sure that ACOs will be able to meet the required quality measures.

Patient Data Aggregation
While all of the providers will need to be sharing their patient data, I think most ACOs will benefit from aggregating patient data as well. At first the ACO won’t be aggregating all of the patient generated data that’s available. Instead, they’ll find a slice of their patient community where they can have the most impact. Then, they’ll work with those patients to improve the care they receive. This is going to require ACOs to receive and track patient generated data. Without it, the ACO won’t have any idea how it’s doing. With so many patients on mobile devices or with access to the internet, what an amazing opportunity we have to really engage with patients.

Those are just a few of the ways technology is going to be needed for the coming changes in healthcare reimbursement and the shift towards value based care in things we call ACOs. Far too many providers are sitting on the sidelines while they let ACOs settle into place. What a missed opportunity. The fact that the ACOs are rapidly changing means that if you participate and make your voice heard, you can help to shape the direction of them going forward. We definitely need more doctors involved in these conversations.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.

The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance

Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh? Just what do the HIPAA Security Final Rule, the HITECH Act and the Meaningful Use Final Rule require?


THE CHALLENGE:

The HITECH Act was a “game changer” when it comes to HIPAA Security Rule Compliance.

1) Mandatory audits (Subtitle D, Part 1, Section 13411) have begun

2) HHS non-compliance fines returning to HHS' coffers will be reinvested in more enforcement

3) State Attorneys General can now bring civil actions and have already started doing so

4) Business Associates (BAs) are now statutorily obligated to comply with the law

5) Subcontractors are, at a minimum, contractually obligated and may be designated as BAs

6) Data Breach Notification requirements are stringent

7) OCR recently published the Audit Protocols it is using both for the mandated audits and for any investigations related to complaints

Numerous experts have advised that the best way to get started with your compliance program is to take stock of where you are today. Unfortunately, that advice uses many terms interchangeably for what you are supposed to complete: Compliance Assessment! Security Evaluation! Risk Assessment! Risk Analysis! Compliance Analysis!

This webinar ends the confusion, identifies the types of evaluations required by the HIPAA Security Final Rule (and Meaningful Use Stage I Requirements) and explains the differences.

Complying with the HIPAA Security Final Rule, both as originally issued and as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, involves many steps and considerations. What's most important is starting on the right foot.

We focus on the two evaluations you must complete by law. Both are required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law, including all 22 Standards and 53 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (45 CFR §§ 164.308, 164.310 and 164.312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover 45 CFR §§ 164.314 and 164.316, which set out the Organizational Requirements and the Policies and Procedures and Documentation requirements.

As indicated above, completing this HIPAA Security Compliance Evaluation is required of every Covered Entity and Business Associate. The language of the law is:

45 C.F.R. § 164.308(a)(8): Evaluation.

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of evaluation is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view.

A HIPAA Security Risk Analysis is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives. The HIPAA Security Final Rule states:

45 C.F.R. § 164.308(a)(1)(ii)(A) RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law and are equally important and necessary steps on your HIPAA-HITECH Security compliance journey.

Knowing what evaluation to complete when is a challenging decision even for the largest and most sophisticated organizations.


THE SOLUTION

If your organization creates, receives, maintains or transmits ePHI, you should attend this webinar and learn the difference between these two types of evaluations.

This webinar briefly reviews the HIPAA-HITECH regulatory requirements for both types of evaluations, discusses the essential objectives and requirements of both, explains the differences and provides tangible, actionable approaches to complete each one.

The importance of both evaluations to any compliance program, the different types of assessments one can complete, the explicit legal requirements, the penalties for failing to comply with the law and many other key compliance process steps will be discussed.


The evaluation approaches presented in the webinar have been used by organizations of all sizes and are purposefully designed to scale from the largest CEs and BAs (e.g., hospitals, insurers, care management firms) to the smallest CEs, BAs and subcontractors (e.g., small medical practices, clinics, dental offices, medical billing companies).

No matter where you are in your HIPAA-HITECH compliance journey, you will benefit from learning about:

  • The requirements of the HIPAA Security Final Rule for evaluations and assessments
  • The difference between a compliance evaluation and a risk analysis
  • The HIPAA Security Final Rule civil and criminal penalties
  • Practical, actionable steps to complete the evaluations required by law
  • Available software and tools to jump-start your evaluation processes and overall compliance program

Becoming HIPAA-HITECH Security Rule compliant is an important and large project for any organization. Taking stock of where you are today is a great way to jump-start or revitalize your compliance program and to be prepared for the compliance audits and investigations being conducted by OCR, as well as for the audits that have been announced for a random selection of eligible providers that certified for EHR incentives under the American Recovery and Reinvestment Act of 2009 (ARRA).


HIPAA Risk Analysis Tip – Yes, Risk-Analyze Printers, Copiers and Scanners


Affinity Health Plan (AHP) is a not-for-profit managed care plan serving the New York metropolitan area. OCR's investigation indicated that Affinity impermissibly disclosed the electronic protected health information (ePHI) of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copiers' hard drives. Affinity estimated that up to that many individuals may have been affected by the breach.

The Problem

According to the AHP Settlement Agreement / Corrective Action Plan, OCR's investigation indicated that the following conduct occurred ("Covered Conduct"):

  1. AHP impermissibly disclosed the ePHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
  2. AHP failed to assess and identify the potential security risks and vulnerabilities of ePHI stored in the photocopier hard drives.
  3. AHP failed to implement its policies for the disposal of ePHI with respect to the aforementioned photocopier hard drives.

Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigative report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier contained confidential medical information on its hard drive. The CBS News video story is titled "Digital Photocopiers Loaded With Secrets".

The Solution

HIPAA Covered Entities and Business Associates are statutorily obligated to fully comply with all standards and implementation specifications in the HIPAA Security Rule.  The Risk Analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) requires that organizations identify and prioritize exposures that may compromise the confidentiality, integrity and availability of ePHI.

When conducting the Risk Analysis, an organization must consider exposures to all information assets that create, receive, maintain or transmit ePHI. Copiers, scanners and printers that contain ePHI must be included in this analysis.

As with any other information asset and/or underlying media type, one needs to carefully consider the threats and vulnerabilities related to the hard drives inside copiers, scanners and printers. For example, the absence of controls to prevent the "improper destruction, disposal or reuse of copier hard drives" could allow, as it did in the case of AHP, unauthorized access to ePHI. Such access compromises the confidentiality of that ePHI; in this case, the ePHI of roughly 345,000 health plan members.

Controls that might have been implemented, had AHP completed a bona fide risk analysis, include, but are not limited to: encryption of the copier hard drives, media re-use and disposal policies and procedures, security/privacy awareness and training, and change control processes covering equipment that leaves the organization's custody.

The Results of Doing a Bona Fide Risk Analysis

According to NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, a Risk Analysis is "the process of identifying, prioritizing, and estimating risks to organizational operations". Done properly, all risks to all information assets and underlying media are identified so that an organization can make informed decisions about how to treat its risks. I am sure the people at AHP are competent professionals who simply didn't have the benefit of knowing about this specific exposure related to copier hard drives. Don't get caught in the same place: complete a robust, bona fide HIPAA Risk Analysis ASAP and update it on an annual basis.

Unencrypted Laptops Prove Costly | HIPAA, HITECH & HIT


Is the PHI on all your mobile devices encrypted? If not, here are another two million reasons to make encryption your top priority. The Office for Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that it had imposed nearly $2 million in penalties on two entities as a result of the theft of unencrypted laptops.

As previously noted in this blog, theft or loss of laptops or other portable electronic devices remains a predominant factor in HIPAA breaches: as of August 2013 it accounted for 57.5% of the approximately 400 breaches on the OCR list that involved reported theft or loss.

In the first incident, Concentra Health Services was fined $1,725,220 and agreed to adopt a corrective action plan after an OCR investigation following a report of the theft of an unencrypted laptop from a physical therapy clinic.  According to the press release,

“OCR’s investigation revealed Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”

This isn't Concentra's first experience with laptop theft. The OCR list of Breaches Affecting 500 or More Individuals (also known as the "Wall of Shame") includes two prior similar incidents, one in 2009 and another in 2011. (It is unclear whether this theft was related to the 2011 incident.) Modern Healthcare reports that Concentra reported 16 additional breaches involving fewer than 500 individuals' records. So, although 434 out of 597 laptops had been encrypted according to HealthITSecurity.com, a batting average of .726 wasn't good enough given their status as repeat offenders. Concentra's resolution agreement, including the Corrective Action Plan, is available here and is worth reading. Among other conditions, OCR requires that the company provide an update regarding its encryption status, including the percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted and an explanation for the percentage of devices and equipment that are not encrypted.

The company’s incomplete and inadequate implementation of compliance steps after known vulnerabilities had been identified may also have contributed to the severity of the penalty.  One of the worst things a covered entity or business associate can do is to engage in a half-hearted compliance effort that documents knowledge of uncorrected problems.

In the second case, Arkansas-based QCA Health Plan reported the theft of an unencrypted laptop containing records of 148 individuals. OCR noted that its investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay $250,000 and to implement upgraded security procedures and employee training. QCA's Resolution Agreement and Corrective Action Plan is here. This case marks only the second time OCR has fined an entity for a breach involving fewer than 500 individuals' PHI, following the Hospice of North Idaho settlement.

One lesson is clear from both incidents: if these laptops had been encrypted in accordance with NIST standards, neither entity would have been subjected to fines and additional government oversight.  As enforcement continues to ramp up and target both Covered Entities and Business Associates, and as the use of mobile devices continues to increase, there is no excuse to delay full implementation of encryption.  Encryption isn’t a panacea, but it’s as close as you can get in the HIPAA compliance world.
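The safe harbor the article relies on only helps if you can show that a stolen device was actually encrypted, and the Concentra Corrective Action Plan demanded a fleet-wide percentage. The following is an added example, not code from the original post or from either covered entity, showing how to derive both from `lsblk --json` output on Linux laptops. It treats a mounted filesystem as encrypted only when a dm-crypt (`crypt`) device sits between it and the disk, exempts `/boot` and `/boot/efi` (an assumption about typical layouts), and deliberately counts swap as storage that must be encrypted, because swapped-out memory can hold ePHI. The `lsblk` output embedded below is constructed sample data and the host names are invented.

```python
"""Full-disk-encryption coverage check from `lsblk --json` output.

Added example, not code from the article or from either covered entity.
Assumption: a mount counts as encrypted only when a dm-crypt ("crypt")
device is an ancestor of it in the lsblk tree. LVM-on-LUKS and LUKS-on-LVM
both satisfy this, because the crypt node is an ancestor either way.
"""
import json

# Assumption: /boot and the EFI system partition are plaintext by design on
# most Linux laptops, so they are exempt. Swap is NOT exempt: unencrypted
# swap can hold pages of ePHI that were only ever meant to live in RAM.
EXEMPT_MOUNTS = frozenset({"/boot", "/boot/efi"})


def _mounts_of(node):
    """Return the mountpoints of one lsblk node (old and new JSON shapes)."""
    if node.get("mountpoints"):            # util-linux >= 2.37 emits a list
        return [m for m in node["mountpoints"] if m]
    return [node["mountpoint"]] if node.get("mountpoint") else []


def _walk(node, under_crypt, findings):
    under_crypt = under_crypt or node.get("type") == "crypt"
    for mount in _mounts_of(node):
        if not under_crypt and mount not in EXEMPT_MOUNTS:
            findings.append(mount)
    for child in node.get("children", []):
        _walk(child, under_crypt, findings)


def unencrypted_mounts(lsblk_json):
    """Mountpoints on one host that are not backed by a dm-crypt device."""
    findings = []
    for disk in json.loads(lsblk_json)["blockdevices"]:
        _walk(disk, False, findings)
    return sorted(findings)


def fleet_coverage(inventory):
    """Roll per-host results into the percentage figure OCR asked for."""
    per_host = {host: unencrypted_mounts(out) for host, out in inventory.items()}
    total = len(per_host)
    encrypted = sum(1 for mounts in per_host.values() if not mounts)
    return {
        "total": total,
        "encrypted": encrypted,
        "percent": round(100.0 * encrypted / total, 1) if total else 0.0,
        "unencrypted": {h: m for h, m in per_host.items() if m},
    }


# Constructed sample `lsblk --json` output for three hypothetical laptops.
LAPTOP_OK = json.dumps({"blockdevices": [{"name": "nvme0n1", "type": "disk", "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "children": [
        {"name": "cryptroot", "type": "crypt", "children": [
            {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
            {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]})
LAPTOP_PLAIN = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"},
    {"name": "sda3", "type": "part", "mountpoint": "[SWAP]"}]}]})
LAPTOP_MIXED = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/boot"]},
    {"name": "sda2", "type": "part", "mountpoints": [None], "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoints": ["/"]}]},
    {"name": "sda3", "type": "part", "mountpoints": ["/data"]}]}]})
FLEET = {"lt-01": LAPTOP_OK, "lt-02": LAPTOP_PLAIN, "lt-03": LAPTOP_MIXED}

if __name__ == "__main__":
    report = fleet_coverage(FLEET)
    print(f"{report['encrypted']}/{report['total']} devices fully encrypted ({report['percent']}%)")
    for host, mounts in report["unencrypted"].items():
        print(f"  {host}: plaintext storage at {', '.join(mounts)}")
```

On a real host the input is `lsblk --json --output NAME,TYPE,MOUNTPOINT` collected by whatever agent you already run; on Windows the equivalent evidence is the ProtectionStatus reported by the `Get-BitLockerVolume` cmdlet. Two caveats: the check proves an at-rest encryption layer exists, which is what the breach safe harbor turns on, but it says nothing about key management (a passphrase taped to the lid, or TPM-only auto-unlock with no PIN, leaves the laptop just as readable to a thief), and a laptop that is "mostly" encrypted, like lt-03 above, is still an unencrypted device for reporting purposes.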
