HHS and OCR are starting to lower the boom on negligent and non-compliant Covered Entities and Business Associates. Are you compliant with HIPAA-HITECH? Is the PHI you handle appropriately and reasonably secured? Are you prepared in the event of a data breach affecting your organization?
Archive | November, 2011
The Health Insurance Portability and Accountability Act (HIPAA) mandated the adoption of Federal privacy and security regulations for protected health information (PHI). PHI is individually identifiable health information which is created or received by a health care provider, health plan, or health care clearinghouse. Such information relates to the past, present or future physical health, mental health or condition of an individual AND can be directly tied to an individual.
Perhaps you saw the headlines: CALIFORNIA DEPARTMENT OF PUBLIC HEALTH ISSUES PRIVACY BREACH FINES TO 7 CALIFORNIA HEALTH FACILITIES … As we recently wrote, the right to privacy is not new. Nor is it just being taken up at the federal level. Forty-six states in the US have enacted privacy regulations. The AICPA provides a wealth of information on these state laws that we wish to share with you. The idea of a right to privacy was first addressed within a legal context in the United States.
Last month we announced to our blog readers that Clearwater Compliance joined the PHI Project, a new initiative launched by the ISA and ANSI to study the financial impact of unauthorized access to PHI. The project will culminate in the publication of a report presenting the project’s findings later this year. As a co-sponsor, Clearwater Compliance will play a significant role in the overall planning and strategic direction of the project. Check out our press release announcement below and stay tuned for more updates on the PHI Project!
The HIPAA Security Final Rule requires that all Covered Entities and Business Associates (and, likely soon, their subcontractors) complete a Risk Analysis (45 C.F.R. § 164.308(a)(1)). Here’s a big tip – you can’t simply make up how you’re going to do it! Nor can you always rely on so-called experts who use their own approach. The HHS/OCR Final Guidance on Risk Analysis is clear: regardless of methodology (and some don’t make the grade!), HHS/OCR cites nine (9) essential elements that must be included in your risk analysis…
THE CHALLENGE
The deadline for HIPAA Security Rule compliance for Covered Entities (CEs) was April 2005! For Business Associates (BAs), the date was February 2010. Additionally, the federal government unveiled its criteria for the Meaningful Use of electronic health records (EHRs) on July 13. The criteria must be met in order for a hospital or eligible provider (EP) to qualify for reimbursement of the cost of EHR software under the American Recovery and Reinvestment Act of 2009 (ARRA). The meaningful use criteria have been established and include a specific privacy / security requirement to “Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”
Someone asked me (unbelievably!!) “…what’s the big deal about disclosing someone’s Protected Health Information (PHI)?” After coming down off the “surprise” ceiling, I first responded with “Hellllloooooo!!”, followed by “Duuuhhhh!”, followed by a brief discussion about Medical Identity Theft. Just last week, a federal judge in Birmingham sentenced a Pleasant Grove man to six years in prison for his part in a prescription fraud scheme that started with the theft of PHI. Of course, I could have discussed lost job opportunity, lost business opportunity, denial of medical benefits, discrimination, etc, etc. I stuck with Medical Identity Theft…
Whether you’re motivated to be compliant with the regulations, wish to implement appropriate and reasonable safeguards because it’s the right thing to do, believe implementing privacy and security controls is a basic risk management requirement, OR all of the above, now is the time to act. CEs, BAs and their respective subcontractors create a “chain of trust” or “custody of trust” when it comes to creating, receiving, maintaining or transmitting Protected Health Information (PHI) and electronic PHI (ePHI). With the surge in the amount of PHI being exchanged, ensuring its protection is a huge challenge that depends on alignment of privacy and security goals.
We want to help you become and remain HIPAA HITECH compliant by implementing the most successful compliance strategies! Just a quick update in this post to let you know that we’ve recently updated, and continue to update, our HIPAA HITECH Resources area. Among the recent additions are: “Basics of Security Risk Analysis and Risk Management”, “NIST SP800-115 Technical Guide to Information Security Testing and Assessment”, and “Reassessing Your Security Practices in a Health IT Environment – A Guide for Small Health Care Practices”.
Covered Entity and Business Associate workforce members must be aware of their responsibilities when given access to information systems that create, receive, transmit or maintain electronic Protected Health Information (ePHI). Such access is a privilege and should only be used for legitimate, job-related activity. Typically, employees must sign a Confidentiality and Acceptable Computer Use Agreement at least once a year. Appropriate use of information systems applies to all workforce members regardless of tenure or rank.