HIPAA at 20: Administrative simplification?

Our company, Synergistic Office Solutions, was founded in 1985, 31 years ago. In those early years, writing practice management software was the easy part of the job. The challenging bit was creating custom claim forms for payers upon whom there were, at that time, no requirements for consistency. While electronic claim filing was possible, our customers who were willing to pursue that option were intrepid explorers. Not many went that far into the wilderness.

Then, in 1996, Congress passed a bipartisan bill aimed at allowing continuity of health insurance coverage for workers moving from one job to the next. That same bill adopted standards for claims and other electronic transactions and began the move toward a single paper claim form, the HCFA 1500 . . . with the huge goal of ‘Administrative Simplification.’

Twenty years ago, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to adopt national standards to improve the electronic exchange of health care data. This national standards mandate falls under a part of HIPAA called Administrative Simplification.

As noted in a recent blog post, in 1996 a considerable portion of every health care dollar was spent on administrative overhead for processes that involved:

  • Numerous paper forms
  • Telephone calls
  • Nonstandard electronic commerce
  • Many delays in communicating information among different locations

Since the 1996 passage of HIPAA, HHS has released numerous regulations to adopt required standards. Today 93.8% of all health care claims transactions are conducted in standard form. The standards have helped pave the way for the interoperability of health data to enhance the patient and provider experience.

For details about Administrative Simplification laws and regulations, view the CMS timeline.

For most of us today, HIPAA is likely to conjure up thoughts of protecting patient privacy and the security of patient data, PHI . . . what is often viewed as an increase in administrative responsibility rather than a simplification. But for those of us who have been around long enough to remember some of those unique paper forms, and the totally different claim file structures required by various clearinghouse companies and hundreds of payers, state and government entities, HIPAA has simplified our work. Even so, we do still have a long way to go before we can claim to have achieved anything like ‘administrative simplification.’

For those of you who have been in behavioral health practice or administration longer than twenty years, what are your memories of pre-HIPAA practice? Do you think the law has improved things for patients? What about for you?

Please share your comments below.

OCR Plans Wider Investigation of HIPAA Breaches Affecting Fewer Than 500

I know I often talk here about HIPAA requirements, HIPAA breaches, and HIPAA fines. That is because I believe this to be a very important issue . . . one that small and mid-sized behavioral health organizations do not seem to concern themselves with very much. The day-to-day business of running a practice becomes the driving factor, and regulatory requirements get glossed over.

I wanted to be sure you have the information from a recent notice from the Office for Civil Rights (OCR). In an email to the OS OCR Privacy List, OCR announced an initiative to more widely investigate smaller breaches.

Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. The factors Regional Offices will consider include:

*   The size of the breach;
*   Theft of or improper disposal of unencrypted PHI;
*   Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
*   The amount, nature and sensitivity of the PHI involved; or
*   Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

Let me explain the thinking behind this initiative. OCR believes that breaches of PHI occur because of certain root causes. They have largely focused on large breaches in order to determine the root causes of such events because they affect so many people.

The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.

Focusing on smaller breaches will allow OCR to begin to determine whether root causes in smaller events are the same as or different from those in larger events. This will hopefully result in recommendations about how smaller organizations can remedy any problem situations.

Remember, if the PHI you maintain is located on computers, removable drives, or cloud storage that is fully encrypted (both in motion and at rest), it is considered a safe harbor. The obvious, simplest solution for everyone is to encrypt every place in which the PHI for which you are responsible resides electronically . . . your computers, your storage, your emails . . . and to be sure your file cabinets are locked!

Ransomware, HIPAA, and You

A couple of times this year, we have written about “ransomware” and the threats it poses to all healthcare providers. Some of the behavioral health providers we serve do not realize that this trend is a threat to them and their patients and the Protected Health Information (PHI) they house on behalf of those patients.

Apparently, the Office of the National Coordinator for Health IT (ONC), the Office for Civil Rights (OCR), and the Department of Health and Human Services are also concerned about this new trend.

On July 11, 2016, OCR published a Fact Sheet on Ransomware and HIPAA. If you have computers in your office that are connected to the Internet, we strongly recommend that you take a look at this Guidance. OCR did a thorough job of discussing “ransomware” and its implications for you.

Don’t bury your head in the sand about these threats. You need to understand how they pertain to you, what you should be doing on a regular basis to prevent such intrusions, and whether your current HIPAA procedures are enough.

Anyone willing to share an experience with “ransomware”? Please share your comments below.