© 20011 Cygnus, Inc.

Cygnus: Workstation Solutions for Healthcare

Cygnus creates wood and metal computer workstation solutions with a focus on the healthcare industry. Wall mounted computer desks, charting stations, articulating arms and medication cabinets are some of our largest sellers. Also visit our Social Media page and connect with us. http://www.cygnusinc.net/get_social_with_cygnus.html

Thursday, August 25, 2011

HIPAA Audits: Documentation Is Key

Evidence of Compliance Efforts is Critical, Expert Stresses
August 24, 2011 - Howard Anderson, Executive Editor, HealthcareInfoSecurity.com


Having complete documentation of every aspect of your privacy and security strategy is the best way to prepare for a HIPAA audit, says consultant Cliff Baker.

If HIPAA compliance auditors discover an organization cannot produce adequate documentation, they'll suspect its compliance efforts are subpar, Baker says.

In an interview, Baker recommends that healthcare organizations have a long list of documents ready. Among those are:
  • Security and privacy policies and procedures;
  • A risk assessment and corrective action plan;
  • An organizational chart outlining privacy and security responsibilities;
  • A technology inventory, including all security tools used;
  • Business associate agreements;
  • An incident response plan; and
  • HIPAA compliance training materials.
The Department of Health and Human Services' Office for Civil Rights has hired KPMG to launch HIPAA privacy and security rule compliance audits in the months ahead (see: McAndrew Explains HIPAA Audits).

posted by Dan Laninga

Thursday, June 2, 2011

HITECH Rule Called 'Unreasonable' by Some, 'Overdue' by Others


June 2, 2011 - Howard Anderson, Executive Editor, HealthcareInfoSecurity.com
A provision in the proposed Accounting of Disclosures Rule mandated under the HITECH Act that calls for providing patients with an "access report" listing everyone who's electronically accessed their records is stirring up debate.
Many predict regulators will receive an overwhelming number of comments in the coming two months before work begins on a final version of the proposal to modify the HIPAA Privacy Rule, which was unveiled May 27. That's because some observers contend that creating access reports as envisioned under the proposal will prove cumbersome and impractical.
But others say the reports offer a valuable way to identify records snoops and provide patients with a method to monitor who has accessed their information.
Access Reports

Under the proposed rule, drafted by the Department of Health and Human Services' Office for Civil Rights, patients could request an access report that lists the names of those who have electronically accessed a "designated record set" for many purposes, including treatment, payment and healthcare operations. These reports would only include the names of those who accessed the information, as well as the date and time of the access, says Adam Greene, a former OCR official who was primary author of the proposal (see Author Describes Disclosures Rule).



The reports would account for electronic access to information by a wide variety of individuals, including those employed by a hospital or clinic, independent physicians with hospital admitting privileges or business associates.


The reports also could include what kind of information was accessed, and whether the user modified the record, but only if the organization has a newer information system that can readily provide that information, says Greene, who's now a partner with the Washington law firm Davis Wright Tremaine LLP.
A designated record set includes medical records, billing records "and other information that may have been used to make decisions about treatment or payment," Greene explains.
The proposed rule contains a second provision on "accounting of disclosures," streamlining what's already required under HIPAA. That provision goes beyond addressing "who" accessed a record to spell out "why" it was disclosed to an outside party for certain limited purposes, such as law enforcement, judicial proceedings and public health.
Greene says it could take OCR six months to a year to complete a final version of the rule after the 60-day comment period ends August 1.


posted by Dan Laninga

Wednesday, June 1, 2011

HIPAA changes announced by HHS


A Notice of Proposed Rulemaking concerning the accounting of disclosures requirement under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is available for public comment. The proposed rule would give people the right to get a report on who has electronically accessed their protected health information.
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule, pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH is part of the American Recovery and Reinvestment Act of 2009.
“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said OCR Director Georgina Verdugo. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”
People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.
The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.
People may now read the proposed rule at: http://www.federalregister.gov/.
People who believe a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr.
Note: All HHS press releases, fact sheets and other press materials are available at http://www.hhs.gov/news.

posted by Dan Laninga

Wednesday, May 4, 2011

Riding the HIPAA Wave


Posted on ACROSEAS.com by Dr. Charu A Chitalia

Every act or statute conveys an objective to be achieved. The objective of HIPAA, which stands for Health Insurance Portability and Accountability Act, is to protect patient security and privacy. An act introduced by the U.S. Congress in 1996, and augmented in April of 2003, HIPAA was predominantly focused on easy portability of patient health information (PHI) for easy health insurance coverage in spite of shifting jobs and locations.
The concept of “portability” brings an increasing thrust on “accountability.” The portability of health information is beneficial to the patient, the physicians who record and refer back to the patient’s history and the insurance companies which settle the medical claims of the patient. Because HIPAA is used as a resource by three different parties, the risk of information breach is very high. It is a practice-driven policy where extra care needs to be taken during the transfer and storage of information. It is to be noted that for any kind of transfer, the form of the record is vital. The implementation of HIPAA paved the way for electronic versions of the patient health records (PHRs), which required an urgent enforcement of technology-based regulations.
Come 2009, the heat was felt and the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA), was signed in the month of February by President Obama and was to come into effect by 2010. This emphasized the need and importance of going paperless when it came to PHRs. This brought in a practical way of implementation of HIPAA and gave it more importance to take effect.
All the three acts — HIPAA, HITECH and ARRA — collaboratively focus on tightening the healthcare screws when it comes to patient information, use of technology and its benefits, and the penalties in cases of non-compliance. It is to be noted that prior to the enactment of HITECH, HIPAA was looked at as a mere set of rules and regulations on paper. The proposed requirements under the HIPAA were so stringent that it wasn’t practical enough to implement. For example, HIPAA requires the exchange of information through a secured encrypted email carrier. However, in reality, the healthcare professionals typically preferred the convenience of the act, rather than the security it provided. The professionals were known to use cell phones and personal laptops, which would not only overlook a secured network, but also force other issues like loss of data, attacks and malicious activities by the hackers and other third-party intruders. Previously, saying that one’s record-keeping method was “HIPAA compliant” may not have been strictly true, even though it’s clear that being so is the only good option.
As we are into another decade and the legions of law are looming over the healthcare industry, it is only advisable to stay put to non-fraudulent practices and monitor every move. Because the eyes of the healthcare police are on us and they wouldn’t blink in today’s age.

posted by Dan Laninga

Monday, December 20, 2010

Security Spending Up at Rural Hospital



Breach Prevention, Compliance Lead to Investments
December 20, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com


[Original Article at Healthinfosecurity.com]
Ron Kloewer, CIO at 25-bed Montgomery County Memorial Hospital, explains why the critical access facility's spending on information security will grow in 2011.

The rural Iowa hospital will spend more on information security because of its efforts to prevent health information breaches and comply with HIPAA and the HITECH Act, Kloewer says.

In an interview, Kloewer describes:
  • Top security projects for 2010, including network infrastructure upgrades, encryption of backup media and continuation of business continuity and disaster recovery improvements;
  • How plans to apply for HITECH electronic health record incentive payments are influencing security strategies, including plans for a gap analysis;
  • Why the hospital does not allow patient information to be stored on desktops, mobile devices or thumb drives;
  • Why the hospital won't hire more IT staff next year, instead focusing on providing technical training to staff members in various departments.
Kloewer wears many hats in his executive role at Montgomery County Memorial Hospital, a critical access facility in Red Oak, Iowa. He serves as CIO, risk manager, privacy and security officer and director of planning and development.

posted by Dan Laninga

Tuesday, February 17, 2009

President Obama to Sign ARRA’s HITECH provisions


From HIPAA.com
Ed Jones, Author & Healthcare Authority


The Senate joined the House on Friday evening, February 13, 2009, in passing the American Recovery and Reinvestment Act, which includes provisions relating to Health Information Technology. Title XIII of Division A and Title IV of Division B together are known as the “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act.” We will be highlighting attributes of the HITECH Act through the end of February. READ MORE>>

posted by Dan Laninga

Thursday, February 12, 2009

American Recovery and Reinvestment Act


Today Ed Jones writes on HIPAA home site about the new American Recovery and Reinvestment Act (ARRA).

Tuesday afternoon the Senate passed the American Recovery and Reinvestment Act, the so-called Economic Stimulus bill. Previously, the House of Representatives passed its version, H.R. 1. Now, the joint House-Senate conference committee will resolve funding and language differences in the House and Senate versions of ARRA. As we have noted earlier, each of these versions contains incentives for adoption of health information technologies, which are described in the so-called HITECH provisions of the House and Senate versions. President Obama is expected to sign a reconciled bill in the near future, assuming that the Democrats in the Senate can achieve at least 60 votes in a procedural motion to move the bill to the floor of the Senate for a vote. Once signed into law, HIPAA.com will provide a detailed analysis of funding, language, and timeframe provisions of the reconciled HITECH provisions.

posted by Dan Laninga

Wednesday, January 28, 2009

A more strict HIPAA?

The HIPAA regulations are pretty strict and there is a rumble that HIPAA slows down research and gets in the way of standard medical practice. But should there be concern with making regulations tighter when no one enforces them as they are? Check out this recently posted article by Anne Zieger, editor of FierceHealthIT.

Why toughen HIPAA when nobody enforces it?
January 25, 2009 — 7:25pm ET | By Anne Zieger
This week, House Ways and Means Committee members should be considering an economic stimulus package that includes provisions to beef up HIPAA. Yes, you heard me right--they're thinking about adding more stringent protections to a law that virtually never gets enforced anyway. READ MORE>>

posted by Dan Laninga