Ongoing HIPAA Care: What is your plan?

Here at SOS Software, we have been in an ongoing process to develop, maintain, and implement detailed policies and procedures to assure that we are doing everything possible to act as responsible Business Associates to our Covered Entity customers. We have been holding monthly training for our staff in which we all take a pre-test, watch an instructional video together, discuss what we have learned, take a post-test to measure how much we have learned, then discuss the results of our testing to be sure we all understand these important concepts.

HIPAA (Health Insurance Portability and Accountability Act of 1996) mandated that electronically stored protected health information (PHI) be handled in such a fashion as to assure the privacy of the patients to whom it belongs. The HITECH (Health Information Technology for Economic and Clinical Health) sections of ARRA (the American Recovery and Reinvestment Act of 2009) also required additional security measures be utilized for all PHI. HITECH extended the same privacy and security requirements to Business Associates of Covered Entities as to the entities themselves.

We have been distressed to find that many of our customers have no idea what HIPAA actually requires. While it is true that the requirements are scalable (small organizations like solo psychiatric or psychological practices do not need to do as much as large ones), some customers seem to think that scalability means they need to do nothing since they are not a community mental health center or a hospital. This is far from accurate.

Every organization that handles PHI is responsible for assuring that the privacy and security of that information are protected. Not doing a security risk assessment, not having an incident response plan, not having a disaster plan, not having usable backups of your patient information off site . . . any of these could easily be considered “willful neglect” by the Office for Civil Rights (OCR), the HHS agency responsible for enforcing HIPAA. If an unhappy patient reports you to OCR for ignoring the requirements of HIPAA and you are found to have acted with “willful neglect”, OCR must penalize you. Are you prepared to pay a fine of $10,000 to $50,000 per violation . . . or worse?

If the items I just mentioned above are not very familiar to you, that means you and your organization may not have done your HIPAA homework. You may not need to start at the beginning, but reviewing some of our old posts and links might help you get started. We have found that there are many resources available on the Internet free or at low cost. You might consider some of those. Seth plans to attend a free webinar he got notice of last week. He has started a workgroup of some of our customers who are trying to help themselves and one another move their security and privacy programs forward.

What do you need to do to become HIPAA compliant?

What do you or your organization already do to assure your compliance?

Do you know who your Privacy Officer is?

Please share some of the steps you and your organization have taken to assure that your organization is HIPAA compliant. Let us know what you do on an ongoing basis to be sure new employees are educated to the requirements. Just enter your comments below.


ARRA’s New Privacy and Security Requirements

I was all set to write an article Monday morning on the expanded privacy and security requirements in the American Recovery & Reinvestment Act of 2009 (ARRA) when I remembered that I was registered for a webinar presented by FairWarning (a privacy surveillance company) Monday afternoon on just that subject. I am really glad I waited to write, because this webinar provided a wealth of information on the new requirements. [By the way, you will also see this section of ARRA (Title XIII) referred to as the Health Information Technology for Economic and Clinical Health (HITECH) Act. Subtitle D contains the Privacy provisions.]

Many people and organizations have opined that EHRs will not take hold in general medical settings or in behavioral healthcare until consumers and providers trust that the EHR products and the means of transferring data are truly secure and protect the privacy of the patient. Webinar presenter Deven McGraw, of the Center for Democracy & Technology, most articulately presented the aspects of ARRA that will increase the privacy and security requirements that healthcare providers must follow. She described changes in four broad areas: substantive modifications to HIPAA statutory requirements, increased enforcement of HIPAA, provisions to address health information held by entities not covered by HIPAA, and a variety of administrative changes.

The new law incorporates and expands upon the HIPAA requirements.

  • There has been an attempt to more clearly define certain terms, such as just what a “breach” of privacy is.
  • HITECH adds a breach notification requirement. Business Associates must now report breaches to the Covered Entity, which in turn must notify the affected individuals (and, for larger breaches, HHS and the media).
  • HITECH strengthens the individual’s right to restrict disclosures of health information to their insurance plan: an individual who pays for a service privately and in full can “opt out” of having information about that service shared with the plan. Mental health services are frequently cited as sensitive content that an individual may want kept out of what is shared.
  • The HIPAA mandate that a provider not release psychotherapy notes to the insurer has been carried into this act, and the Secretary of Health and Human Services (HHS) has been ordered to study whether psychological test data should be included in this exception.
  • ARRA improves upon the HIPAA “minimum necessary” standard, requiring that only the minimum amount of patient information needed for the specific request be disclosed.
  • The legislation places requirements upon companies that provide Personal Health Records (PHR) for the security of the data in those records, and prohibits the sale of protected health information without the individual’s authorization.
  • Most importantly, the law provides an ongoing process for setting privacy and security standards and evaluating their effectiveness.

A brief summary of these changes written by the American Psychological Association was published by Behavioral Healthcare magazine in February.

Perhaps the most important thing behavioral health providers need to realize is that the move toward mental health EHRs is happening. How exactly those records will interface with the rest of the National Health Information Network and exactly what information will be shared with other healthcare providers remains to be seen, but this endeavor is irrevocably marching forward. Where will you be in this process?
