Vendor guarantees HIPAA compliance. (HIPAA Update).(Blue Ridge Networks)(Brief Article) - Health Management Technology

Healthcare providers who seek HIPAA help from their IT vendors as compliance dates draw near might check out Blue Ridge Networks' HIPAAGUARD. The provider of virtual private network (VPN) solutions guarantees HIPAA compliance when transmitting protected health information over their networks-including the pledge to pay penalties or fines that result from the failure of their secure transaction network.

Syracuse businesses adjust to HIPAA regulations - The Business Journal - Central New York

LIVERPOOL - Privacy regulations that are part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 went into effect April 14. While HIPAA mostly affects healthcare providers and healthcare 'clearinghouses' that manage billing services for health plans, employers need to comply with the regulations as well.

Jeff Andrews, vice president of Aon Consulting and manager of the company's upstate New York office in Liverpool, has been working with local businesses to ensure HIPAA compliance. According to Aon, there are 23 companies (employing more than 23,000 people) in Syracuse that must comply with the new privacy requirements.

'In this day of electronic information, there's a substantial amount of information floating around ... the Internet - [from] credit-card companies and everywhere... on individuals,' Andrews says. 'It's important that it should be private information; therefore, health plans need to take steps to protect [that] information.'

Andrews urges every employee to look for a privacy statement from his employer-that shows the organization is in compliance with HIPAA.

'The most important thing is for the employer, as sponsor of a health plan, to sit down - it does not take a lot of time - and examine the issues and take an organizational approach to compliance and implement that approach,' he says. 'There are a lot of tools out there that make it a pretty easy process.'

Health-care companies with annual receipts of more than $5 million were required to comply with HIPAA on April 14 of this year. Companies with receipts less than $5 million need to comply by April 14, 2004.

One of the main focuses of HIPAA is the privacy of 'protected health information'. or PHI. The United States Department of Health and Human Services defines PHI as 'individually identifiable health information transmitted or maintained in any form or medium, which is held by a covered entity or its business associate.'

According to Andrews, a health plan cannot use or disclose PHI other than for treatment of a medical condition or payment of a claim through the operation of the health plan.

'You could have a very small employer or a very large employer, [but the focus is on] how the health plan is financed and how it is administered,' Andrews says. 'That will determine how they comply.'

Andrews says that employers are going to have different compliance strategies depending on AC what kind of health plan they use. Fully insured plans, where the employer only needs to send information to the insurance company about who is covered and the employee's eligibility, have a very different strategy than self-insured plans - where the employer is involved in the day-to-day administration of the plan, Andrews says.

'What employer[s] need to do is to look at how they use PHI and how they interact with the [health-plan] administrator, so that they minimize the use of protected health information,' Andrews says. 'They need to understand PHI and have the documents in place, but the reality is that they're probably not in a position where they could be in violation [of the HIPAA regulations].'

Andrews has outlined a nine-step program for compliance: designate a privacy officer and make sure the information is protected; establish a compliance team to implement the procedures; inventory and identify how and where PHI resides in the organization; work to limit access and disclosure; adopt privacy policy and procedures; identify business associates who might have access to PHI; train staff who might be working with PHI; talk to your health-care provider that deals with PHI and confirm compliance; and develop an employeecommunication program that lets the employees knows that you're taking steps to protect the information.

Additionally, Aon has created an online assessment that companies can use to ensure compliance. It is located at www.aon-hipaa.com. Aon also has a Power Point presentation that is designed to educate senior management about HIPAA, a do-it-yourself privacy kit that addresses all of the key issues and comes with a compact disk full of the required documents, and a module that helps companies train their employees about the regulations.

New HIPAA And HITECH Regulations Are Coming.(Health Insurance Portability and Accountability Act)(Health Information Technology for Economic and Clinical Health Act)(Brief article) - Mondaq Business Briefing

Staff at the U.S. Department of Health and Human Services' ('HHS') Office of Civil Rights, Health Information Privacy Division, stated to Duane Morris that 'comprehensive HITECH regulations' will be published in the next several weeks, following final agency approval. The Health Information Technology for Economic and Clinical Health Act (the 'HITECH Act,' Title XIII of the American Recovery and Reinvestment Act of 2009) amended the Health Insurance Portability and Accountability Act ('HIPAA') to improve and expand current federal privacy and security protections for protected health information ('PHI'). The HITECH Act requires the Secretary of HHS to interpret key provisions through regulations. Since most of the HITECH Act's HIPAA amendments are effective on February 17, 2010, providers, group health plans, business associates and others have been awaiting these regulations in order to make any necessary changes to their HIPAA programs by the compliance deadline. Based on the act, the regulations are likely to address:

The expansion of the definition of business associates and the extension of HIPAA's Security Rule and parts of the Privacy Rule to business associates;

New definitions of the 'minimum necessary' amount of PHI that may be used or disclosed;

Disclosure requirements for electronic health records;

Limitations and exceptions to the prohibition on the sale of PHI;

The definition of 'reasonable in amount' with regard to restrictions on marketing of PHI; and

The modification of HIPAA Privacy Rule's provisions regarding fundraising.

The HITECH Act also creates an infrastructure for the development of a national electronic health records ('EHR') system by the end of 2014. The act sets forth requirements for EHRs, provides funding under Medicare and other programs to help providers pay for EHRs, and requires the Secretary of HHS to issue regulations on EHRs by the end of 2009. The upcoming HITECH Act regulations are expected to include:

Specific standards and requirements for 'meaningful users' of EHRs (only meaningful users qualify for EHR funding under the HITECH Act);

Specific standards and requirements for 'certified EHR technology'; and

Technologies that protect privacy and promote security in a qualified EHR.

These regulations are likely to be significant for providers and other entities that are developing EHRs, particularly if they intend to seek assistance funding.

Duane Morris will continue to monitor developments under the HITECH Act.

If you have any questions regarding this Alert or would like more information on the anticipated changes to HIPAA or the new EHR requirements, please contact Lisa W. Clark, Erin M. Duffy, any member of the Healthcare Information Technology Practice Group, or the attorney in the firm with whom you are regularly in contact.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets.

Ms Lisa Clark

Duane Morris LLP

30 South 17th Street

Philadelphia

19103-4196

UNITED STATES

Tel: 2159791000

Fax: 2159791020

E-mail: solutions@duanemorris.com

URL: www.duanemorris.com

Click Here for related articles

HIPAA-cracy.(at law)(Health Insurance Portability and Accountability) - The Hastings Center Report

The Department of Health and Human Services has recently been exercising its authority under the (wittily named) 'administrative simplification' part of the Health Insurance Portability and Accountability Act to regulate the confidentiality of medical records. I love the goal; I loathe the means. The benefits are obscure; the costs are onerous. Putatively, the regulations protect my autonomy; practically, they ensnarl me in red tape and hijack my money for services I dislike.

HIPAA (a misnomer--HIPAA is the statute, not the regulations) is too lengthy, labile, complex, confused, unfinished, and unclear to be summarized intelligibly or reliably. (Brevis esse laboro, obscurus fio.) However, a covered entity is any health plan or 'health care provider' that 'transmits any health information in electronic form.' If HIPAA has a general rule, it is that (1) a 'covered entity may not use or disclose protected health information except as permitted,' (2) the entity must 'make reasonable efforts to limit protected health information to the minimum necessary,' and (3) the covered entity must require its 'business associates' to 'appropriately safeguard the information.' With plentiful exceptions and restrictions, entities may use or disclose information 'for treatment, payment, or health care operations.'

There is much more. For instance: (1) Information may usually be disclosed for 'marketing' only with the patient's elaborately detailed authorization. (2) An entity may reveal a patient's name, room, and general condition to 'persons who ask for the individual by name' but 'must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information ... and provide the individual with the opportunity to restrict' the disclosures. (3) Entities may release information with the patient's consent. If a patient cannot give consent, the 'entity may, in the exercise of its professional judgment, determine whether ... disclosure [to a person taking care of the patient] is in the best interests of the individual and, if so, disclose only the ... information that is directly relevant to the person's involvement with the individual's health care.'

Almost every part of HIPAA instructs the entity to loose rivers of information upon the patient. Entities may do many things without consent, but they must specify these things at punishing length. One example: the notice must describe each purpose 'for which the covered entity is permitted or required ... to use or disclose protected health information without the individual's written authorization.' This 'description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.' Entities may do many things only with consent, which must be solicited through another grueling barrage of disclosures.

Why HIPAA? Medical privacy was multiply protected--by ethical codes, state and federal statutes and administrative regulations, tort law (which, unlike HIPAA, give patients remedies), accrediting organizations, hospital policies, even the market--long before HIPAA gleamed in a bureaucrat's eye. As Richard Epstein notes, before HIPAA we saw no 'explosion of improper disclosures of sensitive information, and no systematic unwillingness to deal with the problems that do arise by private organizations or even by more limited and focused regulatory responses.'

So why HIPAA? HHS presented and justified its basic rules in 400 large pages of small print. First: 'Privacy is a fundamental right.... [I]t speaks to our individual and collective freedom.' This makes me reach for my Burke. He could not praise 'anything which relates to human actions ... on a simple view of the object ... in all the nakedness and solitude of metaphysical abstraction. Circumstances (which with some gentlemen pass for nothing) give in reality to every political principle its distinguishing color and discriminating effect.'

'Privacy' means everything and nothing. In law, 'privacy' is so protean that it is meaningless without modification. Privacy as 'fundamental right' is an idea from constitutional law, but it refers to freedom of choice, not confidentiality of information. The Constitution protects physical privacy only sporadically; for example, only some searches are prohibited. More broadly, I doubt that the interests protected by 'privacy' are distinctive or illuminating enough to make up an independent moral category.

And fundamental? Complete privacy is impossible even for a hermit and unhealthy for anyone. Every day we trade privacy for the many things we value more. Privacy itself has costs for individuals and society, as when it makes illness embarrassing. Finally, many invasions of medical privacy are unfortunate and wrong but not greatly damaging. When they are damaging, it is often the misuse of the information by a third party, not the breach of privacy itself, that causes the harm.

HHS's rationale for HIPAA quickly descends from the loftily vague to the absurdly narrow: 'The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center....' 'An employee of the Tampa, Florida health department took a computer disk containing the names of 4,000 people who had tested positive for HIV....' Sad stories, but HIPAA cannot prevent winds from blowing nor employees from stealing, and state law already provides sanctions for negligence and theft.

HHS concedes that the 'costs and benefits of a regulation must, of course, be considered as a means of identifying and weighing options.' Does HHS believe this? In the same paragraph it warns cryptically that because privacy is a 'fundamental right ... it must be viewed differently from any ordinary economic good.'

However 'fundamental' privacy may be, HIPAA is otiose if it promotes it ineffectively. Some privacy is unattainable; HIPAA can do little to reduce the number of people who need to see medical records. Other kinds of privacy cannot be achieved with HIPAA's tools. Consider HIPAA's incessant disclosure requirements. My hospital distributes seven pages of disclosures in print so small I can't read them with my glasses on. One analysis placed these forms at a college reading level. Like this:</p> <pre> Examples of these activities include obtaining accreditation from independent organizations like the Joint Commission for the Accreditation of Healthcare Organizations, the National Committee for Quality Assurance and others, outcomes evaluation and development of clinical guidelines, operation of preventive

health, early detection and disease management programs, case

management and care coordination, contacting of health care providers

and patients with information about treatment alternatives, and

related functions; evaluations of health care providers (credentialing

and peer review activities) and health plans; operation of educational

programs; underwriting, premium rating and other activities relating

to the creation, renewal or replacement of health benefits contracts;

obtaining reinsurance, stop-loss and excess loss insurance; conducting

or arranging for medical review, legal services, and auditing

functions, including fraud and abuse detection and compliance

programs; business planning and development; and business management

and general administrative activities, including data and information

systems management, customer service, resolution of internal

grievances, and sales, mergers, transfers, or consolidations with other providers or health plans or prospective providers or health plans. </pre> <p>But what does the language matter, since no one reads the forms? One 'covered entity' told me that in three years I was the second patient to ask for a copy of his HIPAA disclosure form.

Nor is any benefit to confidentiality worth any cost. Consider HIPAA's record-keeping requirements. One compels entities to offer patients 'an accounting of disclosures of protected health information made ... in the six years prior' to the request. The accounting must include the disclosure's date, the disclosee's name and address, a description of information disclosed, and the reason for the disclosure. The cost of keeping so many records in such detail for so long cannot be small; the people who will request, receive, and benefit from the information must be few. Have we no better uses for resources?

Not only does HIPAA impose extravagant costs for exiguous benefits. HIPAA's sour assumptions about human nature work positive harm. For instance, HIPAA assumes people (1) want to keep information from their families and (2) do not want to participate in research, even medical records research whose benefits can be great and whose threat to privacy tiny. HIPAA's rules are structured to serve patients who fit those assumptions.

HIPAA's assumptions are wrong. Most people want their families involved in their medical care. And in one study, 96 percent of the Mayo Clinic patients approached consented to medical records research. Instead of having the few patients who fit HIPAA's assumptions opt in to restrictive privacy rules, HHS requires the huge majority of patients who don't fit the assumptions to opt out of them. This burdens patients. Worse, most patients won't realize they need to act, and few will get around to it.

Most patients, then, will at least be harassed, and their preferences will regularly be thwarted. Patients who would cheerfully have acceded to medical records research may not suffer, but a crucial kind of research will (to say nothing of HIPAA's effect on research generally, a disturbing problem I lack space to consider). Patients who want families involved in their care may directly be harmed, for families are often denied information patients want them to have. Thus prudent patients are saddled with one more chore--having a lawyer draft a HIPAA release form.

The best defense of HIPAA I hear is that, favorably interpreted, it might not require entities to make overlong disclosures, deny families information, or thwart research. But pity the entities. HIPAA speaks in sweeping, vague, and menacing language. Terms like 'reasonable,' 'minimum necessary,' 'professional judgment,' and 'best interest' litter it. It deploys civil and criminal penalties. Recall the unspeakable sentence I quoted. You might speak unspeakably too in order to provide descriptions with 'sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.' Surely cautious entities will tell patients too much, and everyone else too little.

Looking ahead by looking back: healthcare organizations can partially assess where their future HIPAA efforts lie by evaluating how they handled HIPAA requirements and mandates of the past year.(HIPAA)(Health Insurance Portability and Accountability Act of 1996) - Health Management Technology

The first two weeks of April 2003 will be remembered by many in healthcare as the last days of a mad dash toward compliance with HIPAA's privacy regulations. Copiers churned out Notices of Privacy Practices. Privacy policies and procedures were drafted and edited at a furious pace. Business associate agreements were negotiated and signed in droves. And April 14, 2003, came and went.

But unlike Y2K, HIPAA privacy is here to stay. Consequently, now is a good time to take stock of HIPAA privacy implementation efforts to date and to analyze issues and problems that are common among covered entities.

HIPAA Paralysis

There are plenty of recent examples in which covered entities have been slow to disclose or refused to disclose protected health information (PHI) even though disclosure may be permissible under HIPAA. The initial reaction of many covered entities to a request for PHI is, 'Sorry, I can't give it to you.'

Unfortunately, this approach can lead to frustrated customers, unflattering media coverage or, worst of all, injury to a patient. There have been well-publicized incidents of covered entities failing to disclose for purposes of treating a patient (when such disclosure is expressly permitted under HIPAA). For example, some 911 dispatchers refused to give emergency personnel the name of an individual in need of treatment, when the name would have helped the emergency personnel locate the individual.

HIPAA decision-makers must fight the initial urge to refuse to disclose PHI and examine the facts, considering both the practical and the HIPAA implications. HIPAA's privacy regulations allow for use or disclosure of PHI without an individual's authorization in a number of circumstances, including for treatment, payment and 'health care operations' purposes.

Common sense should play a role in the decision-making process for at least three reasons. First, although voluminous, the privacy regulations do not cover every situation, and common sense is a good guide for making determinations in the 'gray areas.' Secondly, part of the common-sense analysis should be the risk that the individual would object to the use or disclosure of his/her PHI, which may even impact disclosures that are permitted under HIPAA. For instance, it may be permissible under HIPAA for a hospital to disclose PHI to an unrelated counselor for follow-up treatment, but if it is treatment of a sensitive nature (e.g., family planning, venereal disease), an individual may be upset that a disclosure of PHI was made even though permitted under HIPAA.

Finally, the Office for Civil Rights of the Department of Health and Human Services (OCR) has indicated that its enforcement approach is largely complaint-driven and that it would rather help a covered entity become compliant through outreach and education than to levy fines. In this type of enforcement climate, covered entities (with their counsel, as necessary) can use common sense and reasonable judgment in interpreting the privacy regulations. As long as the covered entity takes a reasonable position and contemporaneously documents its reasoning, it seems unlikely that the OCR would be interested in pursuing fines and penalties, at least at this point in time.

Deceased Individuals' Records

The privacy regulations clearly state that a deceased person's PHI must he given the same level of protection as a living person's PHI. The tricky part of handling a deceased person's PHI is determining who will control the use and disclosure of the deceased person's PHI. The privacy regulations give an individual's 'personal representative' the same power over the use and disclosure that the individual would have. The privacy regulations state that if, under state law, an executor, administrator or other person has the power to act on behalf of the deceased's estate, the covered entity should treat that person as the deceased's personal representative.

If the deceased were alive, a covered entity could disclose PHI to a family member if the covered entity determined that it was in the best interest of the individual to do so. This flexibility is not available for a deceased individual. This dichotomy can put a covered entity in a difficult situation. For example, if an adult child is involved in the healthcare of his/her parent, a covered entity could disclose PHI to the child while the patient is living, but cannot disclose the same PHI to the child if that child is not the executor (or otherwise determined to be personal representative) for the deceased.

Handling PHI of deceased persons is best addressed through policies and procedures that require the person claiming to be a personal representative of the deceased to provide proof that he/she is legally entitled to control the use and disclosure of the deceased's PHI. Also, proper communication with the person who requests PHI is critical, especially in an emotionally charged atmosphere such as the recent death of a family member.

Business Associate Agreements

One of the most burdensome requirements of HIPAA's privacy regulations is the requirement that covered entities have written contracts with all of their business associates. These written contracts must have specific contractual obligations related to the handling of PHI. At great effort and expense, most covered entities have undertaken a campaign to enter into contracts with their business associates. Often, however, in the quest to obtain business associate agreements (or to include business-associate language in post-April 14 agreements), covered entities have lost sight of the nuances of a business associate relationship.

In some cases, covered entities have entered into business associate contracts with all vendors. While this practice is not necessarily harmful, it is important to note that requiring compliance with the business associate standards does not permit the disclosure of PHI unless that disclosure is otherwise permitted by HIPAA. For example, if a covered entity has a contract with a consultant, it cannot disclose PHI to that consultant simply because there are HIPAA-compliant business associate provisions in the contract. The covered entity must analyze whether the services provided by the consultant are 'business associate-type' services and the consultant needs PHI to provide the services.

A covered entity cannot simply rely upon the business associate provisions to allow a haphazard approach to disclosures to the business associate agreement. Disclosure to business associates must meet the minimum necessary standard of the privacy regulations. For example, if a covered entity uses a collection agency, it is appropriate for the covered entity to give information necessary to identify the claim (e.g., name and address of the patient, dates of service), but not other portions of PHI in the covered entity's possession (e.g., diagnosis, treatment).

How IT Can Help

Information technology can and should be part of the HIPAA privacy compliance solution. For example, technology can be applied to training and compliance monitoring.

IT can assist in training, not only by providing traditional online HIPAA programs describing HIPAA's privacy regulations and quizzes that test employees' knowledge of the covered entity's privacy policies and procedures but also through HIPAA informational e-mails, bulletin boards and FAQ pages. Consistent reinforcement of privacy obligations will help keep the issue of protecting PHI in the forefront of the minds of covered entities' employees.

Many covered entities that operate on a large scale have found that similar HIPAA privacy compliance questions arise across their enterprise. By creating and, more importantly, maintaining a readily accessible FAQ page, personnel can save time and resources by not requiring that every HIPAA privacy question be directed to the privacy officer or the legal department. In this time of shrinking HIPAA budgets and personnel resources, wisely applied information technology can he used to stretch thinning HIPAA resources.

Many covered entities have successfully applied information technology to assist them in complying with specific requirements under HIPAA's privacy regulations. For example, HIPAA's privacy rule requires that covered entities provide individuals with an accounting of certain disclosures of the individual's PHI. Many entities have automated the process of accounting.

IT can also be used to monitor and track compliance. Compliance monitoring and tracking can take the form of electronic monitoring of access to and disclosures of medical records, establishing a method for anonymously reporting suspected HIPAA violations, tracking and documenting training efforts, and monitoring vendor contracts to ensure business associate agreements are in place.

Covered entities can use IT to document their commitments to HIPAA compliance efforts. The OCR has indicated it will look for bad actors when bringing enforcement actions. Therefore, if a covered entity can respond to an OCR inquiry with specific information about how a particular disclosure was handled, and provide evidence of its training efforts, handling of prior complaints and mitigation efforts, that covered entity will be in a better position to deal with the OCR. By showing its good-faith compliance effort, a covered entity can paint a more favorable and accurate picture of its commitment to protecting the PHI of its patients or enrollees.

Since April 14, 2003, covered entities have learned that although the focus on HIPAA privacy compliance may have diminished, HIPAA privacy will not go away. That has been a lesson for all of us.

Providers rush to lock patient records as HIPAA deadlines loom - Northeast Pennsylvania Business Journal

With less than a year remaining until the first in a series of new federal healthcare information standards takes effect, a survey of healthcare professionals nationwide shows that only about half of those affected will be ready.

The survey, taken in the first weeks of 2002 by Phoenix Health Systems, a healthcare information technology and outsourcing firm, polled the industry on its readiness to conform to new industry-wide standards for the protection of confidentiality and security of personal healthcare information and for the improved efficiency of healthcare information exchange via electronic data interchange (EDI) mandated under the Health Insurance Portability and Accountability Act (HIPAA).

Darlene Kauffman, associate director of medical economics for the Pennsylvania Medical Association and dubbed the 'HIPAA guru' by her colleagues, says the compliance readiness numbers are probably about the same locally as nationally.

Before HIPAA, healthcare providers protected patients' confidentiality following a patchwork of state laws that often left gaps in the protection of patients' privacy and confidentiality.

Personal health information could be distributed - without either notice or consent - for reasons having nothing to do with the patient's medical treatment or healthcare reimbursement, according to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR).

Currently, patient information held by a health plan may be passed on to a lender who may use it to deny the patient's application for a home mortgage or credit card, or to an employer who may use it in personnel decisions.

The HIPAA Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will take precedence over the new federal standards.

Pennsylvania has strong privacy laws in place, according to Kauffman. Determining which law to follow is under study by a task force of the E-PA Alliance, a nonprofit volunteer organization of technology users which is involved in improving Pennsylvania's economic competitiveness and quality of life.

'We are determining, almost phrase by phrase, where state law will pre-empt HIPAA laws,' explains Kauffman, who co-chairs the E-PA Alliance Education and Communications Working Committee. The DHHS, which drafted the new regulations, is in the process of tweaking the new standards based on public input after the final law was published in April of 2001.

Kauffman warns that waiting for possible changes or clarifications to begin working on compliance is not a good strategy.

'To implement this 1,500 page law, everyone is going to need a lot of education,' Kauffman says.

To meet the April 2003 privacy standards implementation deadline, healthcare providers should be in the process of, or have completed, an analysis of their current privacy policies, Kauffman adds.

'They need to go through every procedure in their practice, everything that involves patient information, document how they do it now, evaluate how it has to change, and how they're going to make that change,' Kauffman explains.

Each organization is required to appoint a privacy officer. In smaller organizations, these duties may be assigned to an existing employee, such as office manager. Larger and more complex organizations may need to establish a new position with support staff to ensure compliance.

Necessary changes may be as simple as keeping patient sign-in sheets out of view from the general public. Front-desk personnel will need to watch that discussions of patients' private information can't be overheard by others.

Richard English, M.D., director of the Family Practice Residency Program for the Wyoming Valley Health Care System (WVHCS), says his office will be moving computer screens away from the public eye, eliminating such simple things as sign-in sheets and protecting fax machines from casual observers.

In general, English says physicians usually have policies on privacy and disclosure for their employees in place, so not much will change.

'This whole issue is not new,' explains James Rakshys, director of advanced technology and newly appointed chief of privacy and security for WVHCS,' but the intensity is going to change.'

While hospitals won't be required to provide each patient with a privateroom, doctors and nurses will be expected to do what they can to keep bedside consultations private.

Conversations at the nurses' station will need to be kept as private as possible. Michelle Cibio, administrator of Health South Diagnostic Center, Camp Hill, expects very few changes at her facility.

'We're accredited by the joint Commission on Accreditation of Health Care Organizations

(JCAHO) so we already have a written policy in place,' Cibio explains. Cibio points out that the new law requires that 'reasonable' changes be made to protect patients' privacy. For example, the Center will not be required to put privacy glass around the receptionist's desk to protect information at the desk, but they will be expected to take common sense steps to keep information private.

They will eliminate the sign-in sheet that was left on the desk and included a patient's name, the referring doctor, and reason for the diagnostic study.

HealthSouth has also written a policy that determines who has access to patient information, that person's job description, and what information they need to complete their job. Only the minimum amount of healthcare information necessary to perform a task may be disclosed from a patient's file.

Employees must be educated about the company's privacy policy. This may be as simple as providing each employee with a copy of the privacy policy, or may include extensive training seminars. The size and complexity of an organization will most likely determine the method of education.

A patient must be provided with an organization's privacy policy up front, and told how their information can be used.

A record of who has received patient information must be kept in writing and available to the patient.

Adherence to the new privacy standards will be backed up with severe civil and criminal penalties for non-compliance.

The fines go as high as $25,000 for multiple violations of the same standard in a calendar year, and fines of up to $250,000 and/or imprisonment for up to 10 years for knowing misuse of individually identifiable health information. DHHS has delegated enforcement responsibilities to the DHHS Office for Civil Rights.

The cost of implementing the new privacy standards is difficult to determine, according to Kauffman. An organization's size and the amount of change necessary to become compliant will determine how much they spend.

Respondents to the Phoenix Health System survey, which included hospitals, physician practices of varying size, insurance companies and vendors, estimated that their organizations will spend upwards of $1 million to become compliant, however, most will spend less than $100,000.

Much of this funding will go to meeting the new electronic requirements of HIPAA, Originally scheduled to go into effect in October of 2002, the healthcare industry now has until October of 2003 to conform to the new electronic health transaction standards. A plan for attaining these standards must still be in place by October of this year.

The new standards are designed to establish one national electronic format for processing health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.

Up until now, health providers and plans have used many different electronic formats, each requiring its own software. Kauffman says this software was often quite expensive. The various formats were also unable to communicate with each other, slowing down the healthcare claims process.

The new rules require the use of specific electronic formats developed by the American National Standards Institute (ANSI) for most transactions.

Virtually all health plans will have to adopt these standards, even if a transaction is on paper or by phone or fax.

Standard code sets will be developed to be used in all transactions. For example, the coding systems that describe diseases, injuries and other health problems, as welt as their causes, symptoms and actions taken must become uniform. An parties to a particular transaction will have to use and accept the same coding,

These standards are intended to reduce mistakes, duplication of effort and costs.

What frontline staff need to know about HIPAA: a "plain English" version of some of the highlights. (Cover Story).(Health Insurance Portability and Accountability Act) - Behavioral Health Management

The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) goes into effect on April 14, 2003. One of its many stipulations is that all staff in a 'covered healthcare entity' must receive training on HIPAA. Do frontline workers need to know all the legal aspects of HIPAA? No, they do not. Do they need to know the intent of HIPAA? Yes, they do.

Why? On one hand, the maintenance of privacy and security of patient/client/consumer data is one of the primary ways that we, in healthcare, build a relationship of trust with our clients. On the other hand, the failure to adhere to HIPAA requirements carries the possibility of both civil fines ($100 fine for each violation up to $25,000 a calendar year) and criminal prosecution, with a possible prison sentence of up to 10 years and a $250,000 fine--good reasons for frontline staff to understand, with as much clarity as possible, just what they're getting into with HIPAA. This is a complex law, with many ramifications, and you should by all means seek professional counsel to guide your organization's particular response to it. The basic requirements, though, can be expressed in fairly straightforward language--my intent with this article.

It's conceivable that you've already engaged in some HIPAA-related activity pertaining to the Privacy Rule. Someone in your organization has probably already determined by now that your agency/practice is a covered entity. Someone has probably already been named as your organization's HIPAA privacy officer. Someone has probably analyzed your agency's policies and practices regarding HIPAA and has revised existing or written new required policies. Someone has probably written the privacy notices that must be clearly displayed in your practice by April 14, 2003, and given to all patients/clients/consumers.

Furthermore, someone has probably written and/or obtained business associate agreements with any other businesses your agency/practice has relationships with, as appropriate. Someone has probably created a mechanism to track information releases that do not require authorization (e.g., coroner's requests). Someone has probably modified or created a HIPAA-compliant authorization (the HIPAA term for the signatory form that allows the release of protected health information [PHI]).

What exactly is PHI? It is denoted by a specific set of personal identifiers that any healthcare operation has or will ever have on a patient/client/ consumer, for example: name, address, names of relatives, name of employer(s), birth date, telephone or fax number, e-mail address, Social Security number, health plan beneficiary number, vehicle or other device serial number, finger--or voice prints, photographs, and any other unique identifying number, characteristic, or code.

If PHI is requested by the individual receiving treatment (and the right of the individual to his or her own treatment information is acknowledged by HIPAA) or by those involved in that treatment or related operations, an authorization is not required. For other releases of PHI, a signed authorization is required. This is really nothing new for frontline staff in behavioral healthcare organizations--state laws have long required this. Moreover, a stricter state rule always takes precedence over the HIPAA rules. Authorizations, however, might be unfamiliar territory for new employees just entering the field, and they must be brought up to speed quickly. The following example may help new staffers to understand the concept:

If Mary Jones calls the practice, clinic, or hospital to inquire about her neighbor Sally Smith's diagnosis, it is reasonable to expect that a receptionist, secretary, or healthcare professional would not release the information without an authorization. HIPAA, however, takes this further: If Mary Jones calls the practice to inquire if her neighbor, Sally Smith, is present at the office, this information also could not be given without ensuring that Sally Smith has signed an authorization for release of PHI to Mary Jones. Or, a more likely scenario: If a pharmaceutical company requests names and addresses of everyone receiving a certain prescription, authorizations for the release of these names and addresses would have to be obtained beforehand.

If, on the other hand, a radiologist's office calls and seeks Mary Jones's address for billing purposes after her x-ray has been read, an authorization is not required. Similarly, if the radiologist calls and wants to discuss the reading of the x-ray with Mary Jones's personal physician, an authorization is not required, nor is it required if the practice calls the radiologist to schedule an appointment for Mary Jones. However, if the radiologist's office calls a behavioral healthcare practice and wants to discuss Mary Jones's prognosis, state laws (which, as mentioned, tend to be stricter than HIPAA) will most likely require an authorization.

It is important to note that educational records and student health records are excluded as PHI.

Reception staff and telephone operators, as well as practitioners, must be very careful to ensure that authorizations have been completed before any information is released, other than for treatment or treatment-related purposes. Neglecting to do so is to truck with the possibility of fines and imprisonment.

Who Are 'Personal Representatives'?

Of particular interest to many behavioral healthcare providers might be the fact that HIPAA has a special set of regulations that relates to parents, referred to in HIPAA language as 'personal representatives.' (This term also applies to other adults who might have a caretaker relationship with a client/patient/consumer, and includes consumers who are developmentally disabled or otherwise incapacitated.) Generally, parents do have the right to receive PHI regarding their children, but there are exceptions, e.g., to prevent serious harm or threats to a child. Furthermore, professional staff may elect not to treat a parent (or spouse) as a personal representative if there is a reasonable belief that abuse, domestic violence, or neglect is taking place and might ensue with release of PHI. Again, as with a system for authorizations, some mechanism should be developed whereby frontline reception staff is quickly notified if any of these hazardous situations exist so they can respond appropriately and quickly to requests for PHI.

Emergencies and 'Accidents'

HIPAA continues to permit the release of PHI during emergencies or in cases of imminent threat to a person or to the public at large.

What about 'accidental sightings' of PHI on case records, physician's notes, etc.? Would these be considered violations of the HIPAA Privacy Rule? Although this is not explained in HIPAA regulations as clearly as one might like, we should consider it a best practice, in any event, to prevent this kind of accidental disclosure to the extent possible. Many practices are adopting the 'facing the wall/face down on the desk' rule to avoid this type of accidental disclosure. Simply put, any notes, bills, or other papers containing PHI should be left face down on the desk. All charts, if left in door or hallway containers, should face the wall. In this manner, one adheres to the spirit, if not necessarily the letter, of the law.

This gets back to the initial point made in this article: Adhering to the spirit of HIPAA is of overriding concern.

HHS issues new HIPAA rule.(HEALTH RECORDS) - Information Management Journal

The Department of Health and Human Services (HHS) recently issued a proposed rule that modifies the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's standard for the accounting of disclosures of protected health information (PHI).

This proposed rule addresses changes mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires HIPAA-covered entities and business associates to account for PHI disclosures made through an electronic health record for the purpose of treatment, payment, and healthcare operations.

[ILLUSTRATION OMITTED]

The proposed rule divides the accounting rights into two distinct individual rights. The first follows the long-standing accounting of disclosure rules, modifying the existing rule to require an accounting for three years before an individual's request instead of the current six years. The second offers individuals a new right to receive a written 'access report' that describes uses and disclosures of their PHI made through an 'electronic designated record set.'

This report would include information on a covered entity's workforce members who have accessed information and would apply to information in an electronic designated record set, not only information in an electronic health record, as required by HITECH.

HIPAA Notice of Health Information Breaches Must be Submitted by February 29, 2012.(Health Insurance Portability and Accountability Act of 1996)(Brief article) - Mondaq Business Briefing

Healthcare providers and other HIPAA covered entities have until Wednesday, February 29, 2012 to submit notice of breaches of unsecured Protected Health Information which affected fewer than 500 individuals during 2011. Notice must be submitted electronically to the Secretary of Health & Human Services, and separate forms are required for each data breach occurring in the course of the calendar year. This action is mandated by the Interim Final Rule for Breach Notification for Unsecured Protected Health Information which became effective on September 23, 2009. A breach is defined under federal law as the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner that violates the HIPAA Privacy rule and compromises the privacy or security of the PHI. Determining whether a breach has occurred, however, requires the analysis of a number of additional factors. Under the Interim Final Rule, breaches affecting fewer than 500 individuals must be reported to the Secretary within 60 days of calendar year end. Covered entities must document data breaches affecting fewer than 500 individuals in their breach logs when the breaches occur throughout the year, but they are not required to publicly report these breaches until 60 days after the end of the calendar year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mr Stephen Page

Waller Lansden Dortch & Davis

Nashville City Center

511 Union Street

Nashville

TN 37219 1790

UNITED STATES

Tel: 6152446380

Fax: 6152446804

E-mail: info@wallerlaw.com

URL: www.wallerlaw.com

Click Here for related articles