Ongoing HIPAA Care: What is your plan?

Here at SOS Software, we have been engaged in an ongoing process to develop, maintain, and implement detailed policies and procedures to ensure that we are doing everything possible to act as responsible Business Associates to our Covered Entity customers. We have been holding monthly training for our staff in which we all take a pre-test, watch an instructional video together, discuss what we have learned, take a post-test to measure how much we have learned, and then discuss the results of our testing to be sure we all understand these important concepts.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) mandated that protected health information (PHI), whether stored electronically or otherwise, be handled in a way that ensures the privacy of the patients to whom it belongs. The HITECH (Health Information Technology for Economic and Clinical Health) provisions of ARRA (the American Recovery and Reinvestment Act of 2009) required that additional security measures be applied to all PHI. HITECH also extended to the Business Associates of Covered Entities the same privacy and security requirements that apply to the entities themselves.

We have been distressed to find that many of our customers have no idea what HIPAA actually requires. While it is true that the requirements are scalable (small organizations like solo psychiatric or psychological practices do not need to do as much as large ones), some customers seem to think that scalability means they need to do nothing since they are not a community mental health center or a hospital. This is far from accurate.

Every organization that handles PHI is responsible for ensuring the privacy and security of that information. Not performing a security risk assessment, not having an incident response plan, not having a disaster recovery plan, not keeping usable off-site backups of your patient information: any of these could easily be considered “willful neglect” by the Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA. If an unhappy patient reports you to OCR for ignoring the requirements of HIPAA and OCR finds willful neglect, it is required to penalize you. Are you prepared to pay a fine of at least $10,000 to $50,000 per violation . . . or worse?

If the items I just mentioned above are not very familiar to you, that means you and your organization may not have done your HIPAA homework. You may not need to start at the beginning, but reviewing some of our old posts and links might help you get started. We have found that there are many resources available on the Internet free or at low cost. You might consider some of those. Seth plans to attend a free webinar he got notice of last week. He has started a workgroup of some of our customers who are trying to help themselves and one another move their security and privacy programs forward.

What do you need to do to become HIPAA compliant?

What do you or your organization already do to ensure your compliance?

Do you know who your Privacy Officer is?

Please share some of the steps you and your organization have taken to ensure that your organization is HIPAA compliant. Let us know what you do on an ongoing basis to be sure new employees are educated about the requirements. Just enter your comments below.

UCLA and WellPoint Fined for Data Breaches

I am sure many of you remember the reports dating back to 2005 that celebrity patient files were being viewed by casual lookers, employees who had access to the University of California at Los Angeles (UCLA) Health System electronic medical record (EMR) but who had no legitimate reason to view those records. Well, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has now entered into an agreement with UCLAHS to settle potential HIPAA violations for $865,500. Additionally, UCLA has committed to correcting gaps in its security, improving its policies and procedures to better safeguard patient information, and adequately educating its employees.

In a separate case, FierceHealthPayer reported that WellPoint will pay $100,000 to the state of Indiana because it waited several months before notifying Indiana officials of a security breach that could have exposed the data of 32,000 members.

It will also reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.

For me, the important issues here are the following:

  • OCR is serious about data breaches and safeguarding patient protected health information (PHI).
  • State laws are just as important as Federal law. You must know and follow those local regulations as well as HIPAA and HITECH.
  • The cost of a data breach is significant and would put many small provider organizations out of business.

Have you reviewed your security and privacy practices and policies this year? Are you confident that your PHI practices are solid and that your employees are using the procedures as written? How do you review these and how do you educate your employees?

Please share your experiences and concerns about data privacy and security with us below.

Social Media, Data Breaches and Behavioral Health PHI

I am not sure why I continue to attend free webinars about data breaches. They mostly serve to make me extremely anxious for our customers, especially for those who have not created a data security plan or have thought minimally about their responsibilities for protecting the privacy of their patients’ Protected Health Information (PHI).

You all certainly know about the requirements that HIPAA and the HITECH portion of ARRA placed upon healthcare providers. You must protect the privacy and security of PHI. You must have assessed the risks to the security of your data and have a plan in place for mitigating the consequences of a security breach.

The problem is that new potential complications arise all the time. This morning’s webinar was about social media and the security risks added by the use of those media. It was presented by ID Experts, a company that specializes in an online tool that guides you through handling a data breach when it occurs. They believe that one must assume such breaches will occur, and be ready to react at a moment’s notice.

Do you have a social media policy at work? Are you allowed to use Facebook or Twitter from your work computer? What about from a smart phone paid for by your employer? Are you allowed to access your personal email account from the same computer on which PHI is stored? Today’s presenters talked about the potential pitfalls of such capabilities, since most social media sites are not encrypted and have only marginal security.

I left the webinar feeling anxious for our customers who do not pay attention to these matters. What will they do when they have a data breach? What will you do?

Please share your comments…

HIPAA Privacy Requirements: Serious business

In the past year, the Office for Civil Rights, the federal office responsible for enforcing the HIPAA privacy requirements, has issued the rule under which all covered entities and their business associates are required to protect the personal and health information of the patients they serve. The rule details the actions that a breach of unsecured PHI requires, including notification of the affected patients. In the past month, OCR has begun to announce significant fines against organizations found responsible for breaches of the Privacy Rule.

Lots of folks have been waiting to see what kind of fines the OCR would impose upon organizations found responsible for breaches. We are beginning to find out.

On February 14, 2011, HHS entered into an agreement with Massachusetts General Hospital in which the hospital agreed to pay $1 million over the loss of records of 192 patients of one of its outpatient practices. The information was on paper and was left on a subway train. The hospital also agreed to a Corrective Action Plan (CAP), including the implementation of policies and procedures to protect the PHI of its patients.

For those of you who thought these requirements do not affect you if you do not keep any patient information in electronic form, it is clear that is not how OCR views it. The Privacy Rule covers PHI in any form, paper records are just as vulnerable to loss, and OCR is determined to protect that PHI as well.

The second announced penalty was imposed on Cignet Health of Prince George’s County, Maryland: a civil money penalty of $4.3 million. OCR found that Cignet had denied 42 patients access to their medical records, had failed to cooperate with OCR’s investigation of the complaints, and indeed had failed to reply to OCR’s notifications at all. OCR determined that “the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.”

For those of you who have thought that not keeping records of treatment might be the safest course of action, please think again. If you cannot provide the record when a patient requests it, the patient has every right to complain to OCR and to seek a judgment against you.

Of course, your organizations all have Privacy Policies. Do you know what they are? Do you follow the procedures your organization has developed? Does everyone? Part of the requirement is that employees be properly trained in the policies and procedures and that their training be regularly refreshed. Oh, and yes, part of the requirement is also that the Privacy Officer make sure the owners of the practice, or the Executive Director or Board of Directors, are well informed about how the policies are implemented.

How is your organization doing with the stricter Privacy Rule requirements imposed by the HITECH Act? Please share your thoughts, fears and struggles with these requirements and how they affect your organization. Just enter your comments below.

HITECH Act, Psychotherapy Notes and Test Results

I am sure some of you remember that the HITECH portion of the stimulus bill (ARRA) included attempts to strengthen the protection of psychotherapy notes in the new Electronic Medical Records (EMRs). In fact, the Secretary of HHS was instructed by Congress to study whether the protections for psychotherapy notes granted by HIPAA should be extended to psychological testing.

HHS is finally gearing up to begin this study, and the Substance Abuse and Mental Health Services Administration (SAMHSA) has been tasked with organizing and conducting it.

September 7, 2010
 
 The Substance Abuse Mental Health Services Administration (SAMHSA) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study, in close cooperation with the Office for Civil Rights (OCR) pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5). This study is addressing whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”
 
As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the U.S. Department of Health and Human Services Region 5 office in Chicago, Illinois, on October 7, 2010. The details of this meeting, as well as the project staff contact information, are contained in the embedded brochure…. 

Some of the issues that will be addressed are included on page two of the brochure.

  • What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?
  • Are there circumstances under which test data should be disclosed to third parties? Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?
  • How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?

Another regional meeting is planned for Los Angeles in November or December; SAMHSA does not indicate whether others will be held. This is certainly an important opportunity to have your voice heard if you are a practitioner whose primary work is psychological testing, if you are a consumer of services who might or might not want raw test data shared among treating professionals without your specific authorization, or if you are a potential recipient of such data.

Is the protection of psychotherapy notes and psychological test data an issue for your practice or organization? What guidelines do you currently follow in determining how such data are released? How would new rules affect you?

Please share your comments below.