HIPAA Compliance for Medical Practices
76.3K views | +0 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Regulations for Radiologists 101

HIPAA Regulations for Radiologists 101 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA regulations are a complex set of rules and regulations that are designed to promote a more patient oriented medical system that enhances patient care. HIPAA regulations that promote the accessibility of medical records to patients and increase the security of electronic patient health information are also included in the HIPAA Omnibus Rule. Radiologists often receive patients through a referral system or send patient files to another medical doctor or facility after x-rays and other scans are interpreted. This constant sharing of sensitive patient information makes learning what are HIPAA regulations and how do they affect radiologists an important task for any radiologist.

 

HIPAA Omnibus Rule

The HIPAA Omnibus Rule has changed the way that patient information is collected, stored, transmitted and created in response to the HITECH Act. The HITECH Act offers organizations incentives for using electronic patient health information while improving the security of that data. When asking what are HIPAA regulations one of the most important things to consider is your organization’s privacy policy. New HIPAA regulations state that organizations and entities must update their privacy policies and business agreements to comply with the current standards.

 

Current HIPAA standards require that all businesses sharing patient information must be HIPAA compliant. For instance, if a radiologist receives referrals or bills insurance companies on behalf of clients, the insurance company and the organization referring clients should both be HIPAA compliant. Current business associate agreements will be allowed until late September of 2014, but after that date all business associates will need to comply with the HIPAA Security Rule to avoid penalties or fines.

 

What is Affected by HIPAA?

Nearly every aspect of creating, sharing and transmitting electronic patient health information has been affected by new HIPAA regulations. In addition to revising and updating your organization’s privacy policies and business agreements, you will also need to look at your internal records storage and the accessibility of patient records. For instance, your internal computer systems must be secure and protected from data loss or third-party access. Data encryption is required anytime that you transmit electronic patient information. If your organization is using a third-party storage system for patient health information, the company providing web-based storage services will also need to be HIPAA compliant.

 

One of the areas that will be most affected for radiologists is how patient information is disclosed. Since radiology is a field where referrals are very common, care must be taken to ensure formal, written consent is provided each time you share patient health information. For example, a radiologist sending the results of an x-ray to a general practitioner will need to have written consent by the patient to do so. In order to understand and comply with current HIPAA regulations, it is best to use a HIPAA compliance checklist and HIPAA compliance software. HIPAA compliance software will walk you through the process of meeting current HIPAA regulations and help you avoid the confusion of updating and revising your current policies and practices on your own.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You

Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You | HIPAA Compliance for Medical Practices | Scoop.it

Does your healthcare organization develop and implement policies and procedures that are appropriate and reflect your organization’s business practices?

Under the HIPAA Minimum Necessary Standard, all covered entities must have policies and procedures that identify who needs access to Protected Health Information (PHI) to perform their job duties, the categories of PHI required, and the conditions where access is justified.

 

For instance, as a hospital, you can allow doctors, surgeons, or others to access a patient’s medical records if they’re involved in the treatment of that patient. If the entire medical history is required, your organization’s policies and procedures must explicitly state so and include a justified reason.

 

As a provider, you also need to take reasonable steps to make sure that no PHI is accidentally available for access. For example, if you’ll be hosting a meeting in your office, then you must ensure that no one from the meeting can access PHI documents accidentally.

How Does The Minimum  Necessary Requirement Work?

As the name implies, under the HIPAA Minimum Necessary Standard, it’s mandatory for covered entities to take reasonable measures to limit the use or disclosure of PHI and requests for PHI, to the minimum necessary needed to achieve the intended goal.

However, it’s important to note that the minimum necessary standard does not apply to:

  • Requests for disclosure by a healthcare provider for treatment purposes  
  • Disclosing information to the patient in question   
  • Uses or disclosures after a patient’s authorization  
  • Uses or disclosures needed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules  
  • Disclosing PHI to the Department of Health and Human Services (HHS) under the Privacy Rule for reasons of enforcement  
  • Disclosing PHI for use under other laws

The Minimum Necessary Standard of the HIPAA Privacy Rule requires that your covered entity develops and implements policies and procedures that are appropriate for your organization and that reflect your business’ practices and workforce. Only those who need access to PHI should receive access, and even then, the PHI should be restricted to the minimum necessary information needed to perform the job.

Why Does It Matter?

Did you know the healthcare industry is one of the most vulnerable sectors when it comes to cyber-attacks and data theft? If your organization fails to meet the minimum necessary standard, you could face fines of $50,000 or more.     

 

In fact, penalties for HIPAA violations can reach $1,500,000 annually per violation based on the type of breach.  

The largest American health data breach to ever occur took place in January 2015. It exposed the electronic PHI of nearly 79 million people and resulted in Anthem Insurance paying OCR $16 Million!  

The investigation found that Anthem did not perform

enterprise-wide risk analysis and the organization’s procedures did not regularly review information system activity. Anthem also failed to identify and respond to security incidents, and they did not implement proper minimum access controls to prevent the risk of cyber-attacks from stealing sensitive ePHI.

 

Complying with HIPAA’s minimum necessary standard matters if you want to avoid the risk of an expensive fine.

How Can You Comply?

Under HIPAA’s minimum necessary standard, the terms ‘reasonable’ and ‘necessary’ are open to interpretation and left up to the judgment of the covered entity. It’s up to your organization to determine what information should be disclosed and what information needs restricted access.

 

However, to make sure that you’re complying with this requirement, there are some basic steps you should follow:

  1. Prepare a list of all systems that contain PHI and what types of PHI they include.
  2. Establish role-based permissions that restrict access to certain kinds of PHI. All information systems should limit access to certain types of information. For instance, you can limit access to health insurance numbers, Social Security numbers, and medical histories if it’s not necessary for everyone to see that PHI.
  3. Design and implement a policy for sanctions if violations of the minimum necessary standard occur.
  4. Provide proper employee training about the types of information they’re permitted to access and what information is off limits. Be clear about the consequences of obtaining information when not authorized.
  5. Create alerts when possible that notify the compliance team if there’s an unauthorized attempt to access PHI.
  6. Ensure that the minimum necessary rule is being applied to all information shared externally, with third parties and subcontractors. It’s mandatory for covered entities to limit how much PHI is disclosed based on the job duties and the nature of the third party’s business.
  7. Perform annual reviews and periodic audits of permissions and review logs to determine if anyone has knowingly or unknowingly accessed restricted information. Such reviews may also be required when a major incident takes place, such as the treatment of a celebrity in your organization, or if a shooting or newsworthy accident takes place and your organization is involved.
  8. Document all actions taken to address cases of unauthorized access or accessing more information than is necessary and the sanctions that took place as a result.

Adhering to the HIPAA Minimum Necessary Standard is important to protect your organization and your patient relationships. When you take the appropriate steps to comply with HIPAA, you’ll not only have a much better chance of avoiding the risk of a costly data breach, but you’ll also build trust with your patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Police –Are They Coming For You?

HIPAA Police –Are They Coming For You? | HIPAA Compliance for Medical Practices | Scoop.it

As reported by Health and Human Services (HHS) HIPAA fines and audits are significantly on the rise. 5% of practices are being audited against the HITECH Act and Omnibus Rule. Are you compliant?

 

“How do all these regulations affect me as a Healthcare Covered Entity or Business Associate?”

To answer that question, let’s first look at what the regulations are and get a brief description. Once we read and understand what we are facing, the steps to complying with the rules should be attainable. I would love to say attaining compliance is easy, but with anything in life, if you want success you will have to work for it.

 

HITECH ACT

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

 

The HITECH act specified that by the beginning of 2011, healthcare providers would be given monetary incentives for being able to demonstrate Meaningful Use (MU) of electronic health records (EHR). These monetary incentives, up to $44,000 per doctor, will be offered until 2016, after which time penalties will be levied for failing to demonstrate such use.

 

FYI, the main failure that the centers for Medicare and Medicaid have discovered when auditing providers who have implemented an EHR system is their failure to perform a proper Risk Analysis.

 

OMNIBUS RULE

The United States Government’s requirement to implement Electronic Medical Records and Health IT compliance has prompted the US Government to adopt the long-awaited HIPAA Omnibus Rule http://compliancy-group.com/hipaa-omnibus-rule

The Omnibus Rule was finalized by the Office for Civil Rights (OCR). The Office of Management and Budget (OMB) approved the final rule and subsequently published it in the Federal Register.

 

The rule effectively merges four separate rulemakings, which are as follows:

  • Amendments to HIPAA Privacy and Security rules requirements;
  • HIPAA and HIPAA HITECH under one rule now
  • Further requirements for data breach notifications and penalty enforcements
  • Approving the regulations in regards to the HITECH Act’s breach notification rule

 

It is apparent for this new rule that the health care industry will need to educate patients with regards to their privacy and disclosure rights. Patients will need to know how their information is used and disclosed, and how to submit complaints pertaining to privacy violations. Health Care providers should also try to better understand HIPAA requirements so that they are aware of their risks and responsibilities towards their patients.

 

In addition, the Omnibus Rule includes provisions that would govern the use of patient information in marketing; eliminates and modifies the “harm threshold” provision that presently allows healthcare providers to refrain from reporting data breaches that are deemed not harmful; ensures that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA for the first time since HIPAA was first introduced. The rule also requires HIPAA privacy and security requirements to be employed by business associates and sub-contractors.

 

So, what does compliance with these rules look like? Is it a 3-ring binder on a shelf with some policies, is it an online training course, or is it my IT person telling me I am protected? Actually, it is a little of all three.

  1. RISK ANALYSIS– A true risk analysis covering Administrative, (Policies and Procedures), Technical, (How are your Network, Computers, Routers, protected), Physical, What safeguards have you put into place at your location? (Alarms, Shredding, Screen Protectors).
  2. RISK MANAGEMENT- The risk analysis is going to identify deficiencies. Risk Management is then put in place to track how your remediation plan will work to fix the deficiencies that were found during the Risk Analysis.
  3. VENDOR MANAGEMENT– Vendor Management tracks the companies and people that access your site where PHI or ePHI is stored and keeps track of who you share PHI or ePHI with. Depending on the relationship, you will want to have either a Business Associate Agreement (if they meet the requirements for being labeled a Business Associate) or a Confidentiality Agreement. Remember, for Business Associates, an agreement alone is not enough; you also need assurances that they are complying with the HIPAA Security Rule before you share or continue to share PHI or ePHI with them.
  4. DOCUMENT MANAGEMENT– It is hard to imagine compliance without a place to store policies, procedures, business associate agreements, or any other compliance documents. Why you ask? Because the rule specifically states that you must retain all compliance documents for a min of 6 years (depending on the state your business is in these rules may be more stringent).

5. TRAINING OF YOUR STAFF– One of the most important aspects of compliance is the tracking of not only HIPAA 101 training for your staff but also of your staff’s acknowledgment that they understand the HIPAA Privacy and Security Policies that you

 
 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.