HIPAA Compliance for Medical Practices
84.5K views | +19 today
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...

Why Understanding HIPAA Rules Will Help With ONC Certification

Why Understanding HIPAA Rules Will Help With ONC Certification | HIPAA Compliance for Medical Practices | Scoop.it

Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.

Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.

ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.

The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”

One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.

“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”

Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations options, he added.

“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”

That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.

However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.

“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”

No comment yet.

Current HIPAA Requirements Sufficient, AHA Tells ONC

Current HIPAA Requirements Sufficient, AHA Tells ONC | HIPAA Compliance for Medical Practices | Scoop.it
The current HIPAA requirements are enough to support the improvement of the healthcare infrastructure to better support secure data sharing in support of clinical care, according to the American Hospital Association (AHA).

In a letter to the Office of the National Coordinator (ONC) Secretary Karen DeSalvo, AHA Senior Vice President of Public Policy Analysis and Development Linda Fishman wrote that overall, the AHA agrees with the ONC Interoperability Roadmap. However, the AHA worries “that the roadmap is not sufficiently grounded in an assessment of present realities or focused enough on the steps that will enable public and private stakeholders to travel from the present regulatory, clinical and technology environment to the future state envisioned.”aha_logo

Fishman explained that the roadmap needs to be more specific in the immediate steps and resources necessary to improve nationwide interoperability. Moreover, a more clear outline is needed to highlight the short-term, intermediate-term, and long-term timeframes in terms of interoperability.

“Given the significant investments already made, the AHA urges ONC to adopt the current requirements of the meaningful use program and the capabilities of the 2014 Edition certified EHRs as the starting point for the nationwide interoperability roadmap,” Fishman wrote.

In terms of privacy and security, the AHA does not agree with the roadmap in its suggestions for change. For example, the roadmap states that “current government and private sector programs provide insufficient incentives for interoperability across the care continuum.” The AHA disagrees, and Fishman wrote that the current HIPAA requirements are sufficient for improving the infrastructure for better data sharing.

“The proper focus should be on making these requirements the prevailing standard nationwide if it is essential to address access to health information within the interoperability context,” the AHA explained. “The roadmap proposals could exacerbate the existing conflict among federal, state and local laws, rather than working to limit them.”

It is also necessary for the ONC to work with the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) to see where additional guidance might be required in terms of HIPAA requirements. Specifically, stakeholders might need assistance in understanding how privacy and security rules apply in ACOs and other multi-stakeholder alternative delivery system organizations.

“Under the current HIPAA privacy rule, the use and/or disclosure of protected health information between covered entities for health care operations that expressly qualify as quality assessment and improvement activities is permissible only when both the disclosing and receiving covered entity have or had a relationship with the patient about whom the information pertains. Achieving the meaningful quality and efficiency improvements that a clinically integrated setting promises requires that all participating providers be able to share and conduct population-based data analyses.”

The AHA also recommended that ONC continue to work within the broader framework of the existing cybersecurity policy. Cybersecurity activities need to “align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations.” The NIST Cybersecurity Framework must also be kept in mind because it is the “overarching federal approach to cybersecurity.”

It is important to find the right balance when it comes to information sharing, as the data must also be kept secure. However, the current policy frameworks already address this issue, according to the AHA, and it is necessary for the ONC to work within those policies to improve interoperability.
No comment yet.