<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HC Compliance Essentials &#187; Brush Up on HIPAA Privacy Compliance</title>
	<atom:link href="http://compliancenews.inhealthcare.com/tag/hipaa/feed/" rel="self" type="application/rss+xml" />
	<link>http://compliancenews.inhealthcare.com</link>
	<description>Your Weekly Guide to Stark, FCA, HIPAA, Audits &#38; More</description>
	<lastBuildDate>Wed, 01 Feb 2012 05:28:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Brush Up on HIPAA Privacy Compliance</title>
		<link>http://compliancenews.inhealthcare.com/cya/brush-up-on-hipaa-privacy-compliance/</link>
		<comments>http://compliancenews.inhealthcare.com/cya/brush-up-on-hipaa-privacy-compliance/#comments</comments>
		<pubDate>Tue, 01 Jun 2010 21:51:36 +0000</pubDate>
		<dc:creator>Michele Bowman</dc:creator>
				<category><![CDATA[CYA]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[protected health information]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=587</guid>
		<description><![CDATA[<p><strong><em><a href="http://compliancenews.inhealthcare.com/files/2010/05/201_2633694.jpg"><img class="alignleft size-medium wp-image-588" title="201_2633694" src="http://compliancenews.inhealthcare.com/files/2010/05/201_2633694-300x205.jpg" alt="" width="300" height="205" /></a>Follow these 3 tips when handling patient privacy concerns at your organization.</em></strong></p>
<p>Compliance officers may think that they’ve dotted all of their i’s and crossed all of their t’s, but if they miss even a small piece of the privacy…</p>]]></description>
			<content:encoded><![CDATA[<p><strong><em><a href="http://compliancenews.inhealthcare.com/files/2010/05/201_2633694.jpg"><img class="alignleft size-medium wp-image-588" title="201_2633694" src="http://compliancenews.inhealthcare.com/files/2010/05/201_2633694-300x205.jpg" alt="" width="300" height="205" /></a>Follow these 3 tips when handling patient privacy concerns at your organization.</em></strong></p>
<p>Compliance officers may think that they’ve dotted all of their i’s and crossed all of their t’s, but if they miss even a small piece of the privacy puzzle, they can compromise their entire system. Take a look at these three reminders concerning protected health information (PHI) to ensure that your privacy program is on track:</p>
<p><strong><span id="more-587"></span>1. Don’t Let Paper Get Lost in the Shuffle. </strong>You may think of patient privacy exclusively in terms of protecting electronic patient data, but paper files are just as likely to be compromised. “With the advent of the HITECH changes, breaches occurring with paper records will be treated the same way as electronic data,” says Gregory Michaels, manager of security and compliance solutions at BluePrint Healthcare IT in Cranbury, N.J.</p>
<p>“Doctors may take paper records home as opposed to USB keys, or they may take paper records in their car with them to the office or hospital, and obviously those things have the same value in terms of the information contained in them,” Michaels advises.</p>
<p>Even in facilities where paper records are stored securely, there’s still a chance that the information on them might be exposed. “In some hospitals, the main medical record area is very well secured, but other departments may have access to records, take them from the room, and store them temporarily while using them, and may not be keeping them secure,” he says.</p>
<p>“Even if we can move to 50 or 60 percent of medical practices being fully electronic in the next few years, we’re still looking at a long time before paper is eliminated, so make sure any PHI stored on paper in your office is secure.”</p>
<p><strong>2. Know That Patients Are Aware. </strong>You’ve asked patients to sign a HIPAA privacy form, so now they’re content, right? Not necessarily. “The HITECH Act imposed an affirmative obligation on the government agency overseeing the HIPAA program to investigate compliance breaches,” says Michelle Wilcox DeBarge, a lawyer with Wiggin and Dana LLP in Hartford, CT. “Previously it was driven by complaints only, but they now have an obligation to affirmatively audit and monitor.”</p>
<p>In addition, the government has been hiring people to ensure compliance and will be providing education programs to the public, “and we’re expecting a lot of awareness, and for patients to be asking more questions about the use of their private health information going forward,” says Peter Courtway, chief information officer for Danbury Health Systems in Connecticut.</p>
<p>“There is also a provision under HITECH that will allow individuals who have been harmed by a breach to have a share in the proceeds of the penalties,” DeBarge says. “We don’t have the details yet, but this is another reason that patients will have incentive to pay attention.”</p>
<p><strong>3. Don’t Forget the Front Lines. </strong>You may be compromising patient data in other ways besides electronic and paper breaches. Perform a walkthrough in your practice or organization to ensure that no other leaks exist.</p>
<p>According to one HIPAA expert, a compliance officer walked through her practice and was pleased to see that computer monitors at the front desk had been turned so that patients in the waiting area could not see the screens. However, upon going to the elevators, she realized that the monitors were viewable through the glass entryway, and that anyone in the building’s lobby could see the data.</p>
<p>Excerpted from <a href="http://www.elihealthcare.com/spec_health_information_compliance.htm">Health Information Compliance Alert</a>.</p>
<p>There is money to be given out to medical practices for using EMRs &#8211; Don’t let your coding suffer. <a href="http://www.audioeducator.com/conference-medical-coding-101-CEOs-EMRs-ICD-10-220610?WTCI99HC">AUDIO: Medical Coding 101: The Need-to-Know for CEOs</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/cya/brush-up-on-hipaa-privacy-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>States DO Have Rights…To Regulate Health Care Compliance</title>
		<link>http://compliancenews.inhealthcare.com/flash/states-do-have-rights%e2%80%a6to-regulate-health-care-compliance/</link>
		<comments>http://compliancenews.inhealthcare.com/flash/states-do-have-rights%e2%80%a6to-regulate-health-care-compliance/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 23:19:44 +0000</pubDate>
		<dc:creator>Michele Bowman</dc:creator>
				<category><![CDATA[Flash]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[state attorney general]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=486</guid>
		<description><![CDATA[<p><a href="http://compliancenews.inhealthcare.com/files/2010/04/247_26657941.jpg"><img class="size-medium wp-image-488 alignright" title="247_2665794" src="http://compliancenews.inhealthcare.com/files/2010/04/247_26657941-300x186.jpg" alt="" width="300" height="186" /></a>While it would be easy for physicians and facilities to focus most of their compliance time and dollars on learning new federal regulations and laws — from HIPAA’s privacy and security regs to the new health care reform legislation — don’t forget…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://compliancenews.inhealthcare.com/files/2010/04/247_26657941.jpg"><img class="size-medium wp-image-488 alignright" title="247_2665794" src="http://compliancenews.inhealthcare.com/files/2010/04/247_26657941-300x186.jpg" alt="" width="300" height="186" /></a>While it would be easy for physicians and facilities to focus most of their compliance time and dollars on learning new federal regulations and laws — from HIPAA’s privacy and security regs to the new health care reform legislation — don’t forget that many states are making impressive pushes for power in the area of health care compliance.</p>
<p><span id="more-486"></span>State attorneys general in particular are growing bolder. Remember Connecticut AG Richard Blumenthal suing Health Net for security breaches <a href="http://hitnews.inhealthcare.com/breaking-news/connecticut-ag-sues-health-net-for-security-breach/">back in January</a>? <a href="http://www.ct.gov/ag/cwp/view.asp?A=2341&amp;Q=457882">He’s going after a hospital now</a>: Griffin Hospital, which <a href="http://www.griffinhealth.org/NewsEvents/NewsReleases/storyDetail.aspx?id=5846">says it notified</a> almost 1,000 patients of a protected health information breach from February to March 2010 by a formerly employed radiologist who accessed patient digital image records that ended up in the hands of other physicians at a competing hospital.</p>
<p>In Maine, a historical struggle is playing itself out in court over health plan premium increases. There, the state insurance superintendent Mila Kofman, represented by her state’s AG, is <a href="http://www.ama-assn.org/amednews/2010/01/25/bisb0125.htm">battling WellPoint’s Anthem Blue Cross Blue Shield in court over health insurance plan premium increases</a> after denying Anthem’s request for a 23% increase.</p>
<p>Kofman’s stance is worth noting because the case is one of the first to address the definition of the “reasonable profit” that plans are supposedly allowed to make on such products, according to <a href="http://online.wsj.com/article/SB10001424052748704059004575127533188447508.html">a recent Wall Street Journal article</a> about the case. Shifts in how insurance companies charge consumers — sure to happen under the new reform bills — will impact the fees providers charge and how many people are covered under private plans. States, of course, are given new parameters to regulate health insurance under the new bills as well.</p>
<p>New opportunities for state action are sometimes buried in federal laws and regs. Under HITECH, for instance, which increases penalties under HIPAA’s Privacy regulations, state attorneys general are now endowed with the power to bring suits to enforce HIPAA.</p>
<p>“Only the HHS Office of Civil Rights could do that before,” said Robert Markette Jr., a lawyer with Gilliland &amp; Markette LLP, in a recent webcast, “HIPAA Compliance: From Basics to Breach.”</p>
<p>“They can sue for injunctions or penalties, which fall under the old HIPAA standards,” he noted. “You’ll probably see more of that now. Instead of just complaining to OCR, your patients can complain to state AGs, medical licensing boards, and consumer complaint boards, and those units will gear up and are more likely to act more quickly than HHS, which is still woefully understaffed.”</p>
<p>“And while HIPAA could be used as a standard for state private causes of action or torts, that has not been common,” Markette points out. “But there is legislation pending in Congress that would change that,” he said.</p>
<p><a title="Wayne Miller PPACA" href="http://www.audioeducator.com/conference-Stark-Fraud-and-Abuse-Changes-150410?WTCI99HC" target="_blank">Have you updated your compliance plan for PPACA? Here&#8217;s why you need to start now</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/flash/states-do-have-rights%e2%80%a6to-regulate-health-care-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Compliance: How to Craft an Airtight Breach Notification Policy</title>
		<link>http://compliancenews.inhealthcare.com/cya/hipaa-compliance-how-to-craft-an-airtight-breach-notification-policy/</link>
		<comments>http://compliancenews.inhealthcare.com/cya/hipaa-compliance-how-to-craft-an-airtight-breach-notification-policy/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 16:16:49 +0000</pubDate>
		<dc:creator>Michele Bowman</dc:creator>
				<category><![CDATA[CYA]]></category>
		<category><![CDATA[ARRA]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[checklist]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[notification]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[protected health information]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=379</guid>
		<description><![CDATA[
<p class="MsoNormal"><a href="http://compliancenews.inhealthcare.com/files/2010/01/76_2544212.jpg"><img class="alignright size-medium wp-image-380" title="76_2544212" src="http://compliancenews.inhealthcare.com/files/2010/01/76_2544212-300x198.jpg" alt="" width="300" height="198" /></a></p>
<p class="MsoNormal"><strong><em>Start with this handy checklist for breach notification policies and procedures.</em></strong></p>
<p class="MsoNormal">We recently covered the <a href="http://compliancenews.inhealthcare.com/cya/prepare-for-feb-22-enforcement-of-security-breach-regs-with-these-5-steps/">steps your facility or practice needs to take</a> to get ready for the February 22 enforcement deadline for the…</p>]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><a href="http://compliancenews.inhealthcare.com/files/2010/01/76_2544212.jpg"><img class="alignright size-medium wp-image-380" title="76_2544212" src="http://compliancenews.inhealthcare.com/files/2010/01/76_2544212-300x198.jpg" alt="" width="300" height="198" /></a></p>
<p class="MsoNormal"><strong><em>Start with this handy checklist for breach notification policies and procedures.</em></strong></p>
<p class="MsoNormal">We recently covered the <a href="http://compliancenews.inhealthcare.com/cya/prepare-for-feb-22-enforcement-of-security-breach-regs-with-these-5-steps/">steps your facility or practice needs to take</a> to get ready for the February 22 enforcement deadline for the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html">ARRA/HITECH breach notification regulations</a>. Now that you’ve got a good overview of the process, it’s time to focus on creating a specific policy that covers what happens when and if you experience a breach of the information contained in personal health records.</p>
<p class="MsoNormal">“You have to have some policies in place so you can have an organized response if you do have a breach or incident,” said Jim Sheldon-Dean, director of compliance services at Lewis Creek Systems, in a recent webinar, “<a title="HIPAA Breach Notification AUDIO" href="http://www.audioeducator.com/conference-Breach-Notification-Rule-Compliance-Action-Required-120110?WTCI99HC" target="_blank">The HIPAA Breach Notification Rule: Compliance Action Required Today</a>.”</p>
<p class="MsoNormal"><span id="more-379"></span>Start with an <strong>incident handling policy and procedure</strong>, he suggested, which should include:</p>
<ul>
<li>A definition of what “an incident” is: “An incident is when something goes wrong that’s out of the ordinary and that you may want to change to avoid in the future,” he said.</li>
<li>Designate an Incident Response Team (IRT): This is the group or individual to whom incidents should be reported.</li>
<li>Explain how the IRT will evaluate and prioritize the incident. This should cover how the IRT will respond to incident reports and prepare for a public response.</li>
<li>The IRT should thoroughly investigate incidents and find out what happened. Identify potential breaches and document all incidents.</li>
</ul>
<p class="MsoNormal">Next, your breach notification policy needs to add <strong>definitions of the PHI that is covered</strong> by both HIPAA and applicable state breach notification rules and laws:</p>
<ul>
<li>“This should require some flow and risk analysis,” Sheldon-Dean recommended.</li>
<li>Your policy should also require using approved encryption and data disposal methods.</li>
<li>Explain how you will report and evaluate reportable breaches. Remember that breaches are not reportable if the information lost was secured or destroyed; it was unintentional and in good faith; it was inadvertent and within the job scope; or the lost information cannot be retained, he said.</li>
<li>Finally, even if the breach does not fit into one of those exceptions, does it meet the “significant risk of harm” requirement? If so, you have to provide notification.</li>
</ul>
<p class="MsoNormal">The final thing to include in your policy is how you will <strong>provide notification</strong> for losses of information that do rise to the level of a reportable breach:</p>
<ul>
<li>This should include the time limits you are subject to: Remember you have 60 days under the federal regs but may have less time under some state laws.</li>
<li>Delineate the content that will be included in your breach notice, as well as a substitute or additional notices that may be required to be made to HHS, credit reporting agencies, the media, law enforcement, and business associates.</li>
<li>Finally, document how you evaluated the harm, made the decisions to report or not (and why), and what actions you took. “Make sure all the decisions you make and actions you take are properly documented and justified; otherwise you could be in big trouble,” said Sheldon-Dean.</li>
</ul>
<p><a title="HIPAA Compliance Audio" href="http://www.audioeducator.com/conference-HIPAA-Compliance-Review-170210?WTCI99HC" target="_blank">HIPAA Compliance: From Basics to Breach. An audio training event with health care attorney Robert Markette</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/cya/hipaa-compliance-how-to-craft-an-airtight-breach-notification-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Gets More Heft</title>
		<link>http://compliancenews.inhealthcare.com/flash/hipaa-gets-more-heft/</link>
		<comments>http://compliancenews.inhealthcare.com/flash/hipaa-gets-more-heft/#comments</comments>
		<pubDate>Sun, 24 Jan 2010 18:51:33 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Flash]]></category>
		<category><![CDATA[Health Net]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[state attorney general]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=373</guid>
		<description><![CDATA[<p class="MsoNormal"><strong><em><a href="http://compliancenews.inhealthcare.com/files/2010/01/padlock.jpg"><img class="alignright size-medium wp-image-374" title="padlock" src="http://compliancenews.inhealthcare.com/files/2010/01/padlock-199x300.jpg" alt="" width="199" height="300" /></a>Here&#8217;s why your compliance with the breach notification rules just got more urgent.</em></strong></p>
<p class="MsoNormal">Did you know the HITECH provisions in the ARRA Act allow state attorneys general to enforce HIPAA?</p>
<p class="MsoNormal">And now, Connecticut&#8217;s Richard Blumenthal is the…</p>]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal"><strong><em><a href="http://compliancenews.inhealthcare.com/files/2010/01/padlock.jpg"><img class="alignright size-medium wp-image-374" title="padlock" src="http://compliancenews.inhealthcare.com/files/2010/01/padlock-199x300.jpg" alt="" width="199" height="300" /></a>Here&#8217;s why your compliance with the breach notification rules just got more urgent.</em></strong></p>
<p class="MsoNormal">Did you know the HITECH provisions in the ARRA Act allow state attorneys general to enforce HIPAA?</p>
<p class="MsoNormal">And now, Connecticut&#8217;s Richard Blumenthal is the first state AG to use HIPAA in an enforcement action. He&#8217;s <a href="http://www.ct.gov/ag/cwp/view.asp?Q=453916&amp;A=3869">suing Health Net</a> for a security breach involving 446,000 plan enrollees. Also a problem, in the AG&#8217;s view, was Health Net&#8217;s failure to notify enrollees of the breach until 6 months after it occurred.</p>
<p class="MsoNormal"><strong>HIT compliance trivia &amp; cocktail-party conversation starter: </strong>Coincidentally, AG Blumenthal is the brother of HIT National Coordinator David Blumenthal, according to <a title="Health Care Law Blog" href="http://healthcarebloglaw.blogspot.com/" target="_blank">attorney blogger Bob Coffield</a>. Last fall, AG Blumenthal reprimanded Anthem Blue Cross Blue Shield for a laptop that went missing in Chicago and caused a breach involving another set of Connecticut enrollees.<span id="more-373"></span></p>
<p class="MsoNormal">AG Blumenthal&#8217;s office says he&#8217;s going for CMPs in the Health Net case, which could reach $22.3 billion if he goes for the $50,000 fine per record.</p>
<p class="MsoNormal">Health Net is admitting no wrong, and has offered two years of free credit monitoring services for all members whose PHI might have been impacted by the alleged breach.</p>
<p class="MsoNormal"><a title="HIPAA Compliance AUDIO" href="http://www.audioeducator.com/conference-HIPAA-Enforcement-Penalties-and-Audit-Rules-100210?WTCI99HT" target="_blank">Learn HIPAA compliance here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/flash/hipaa-gets-more-heft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Prepare for Feb. 22 Enforcement of Security Breach Regs with These 5 Steps</title>
		<link>http://compliancenews.inhealthcare.com/cya/prepare-for-feb-22-enforcement-of-security-breach-regs-with-these-5-steps/</link>
		<comments>http://compliancenews.inhealthcare.com/cya/prepare-for-feb-22-enforcement-of-security-breach-regs-with-these-5-steps/#comments</comments>
		<pubDate>Sun, 24 Jan 2010 18:27:36 +0000</pubDate>
		<dc:creator>Michele Bowman</dc:creator>
				<category><![CDATA[CYA]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[notification]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[state law]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=370</guid>
		<description><![CDATA[
<p class="MsoNormal"><a href="http://compliancenews.inhealthcare.com/files/2010/01/80_2640020.jpg"><img class="alignleft size-medium wp-image-371" title="80_2640020" src="http://compliancenews.inhealthcare.com/files/2010/01/80_2640020-300x225.jpg" alt="" width="300" height="225" /></a>Your facility or office has taken the advice of experts and crafted a <a href="http://hitnews.inhealthcare.com/hit-help-desk/your-hospital%E2%80%99s-quick-start-guide-to-information-security-management/">security management process</a> that protects the confidentiality of the personal health information in your patients’ records. You believe you are compliant with ARRA and…</p>]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><a href="http://compliancenews.inhealthcare.com/files/2010/01/80_2640020.jpg"><img class="alignleft size-medium wp-image-371" title="80_2640020" src="http://compliancenews.inhealthcare.com/files/2010/01/80_2640020-300x225.jpg" alt="" width="300" height="225" /></a>Your facility or office has taken the advice of experts and crafted a <a href="http://hitnews.inhealthcare.com/hit-help-desk/your-hospital%E2%80%99s-quick-start-guide-to-information-security-management/">security management process</a> that protects the confidentiality of the personal health information in your patients’ records. You believe you are compliant with ARRA and HITECH’s changes to HIPAA. But are you ready for February 22? That’s the day that the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html">ARRA/HITECH’s breach notification regulations</a> become enforceable.</p>
<p class="MsoNormal">The regs, published in August 2009, specifically cover health information that is contained in personal health records – electronic records, managed by or for individual patients, that draw information from multiple sources. The new term PHR thus enlarges HIPAA’s scope to cover more than traditional health care providers. Entities like Google Health, Microsoft Health and all manner of other vendors will be required to keep data secure under the regs.</p>
<p class="MsoNormal">Your office needs to do several key things as February 22 approaches, according to Jim Sheldon-Dean, director of compliance services at Lewis Creek Systems, in <a title="HIPAA Breach Notification Webinar" href="http://www.audioeducator.com/conference-Breach-Notification-Rule-Compliance-Action-Required-120110?WTCI99HC" target="_blank">a recent webinar, “The HIPAA Breach Notification Rule: Compliance Action Required Today.</a>”</p>
<p class="MsoNormal"><span id="more-370"></span><strong>First</strong>, the best thing you can do is to encrypt your patient records, no matter where they are – on secured hard drives buried in your basement, in the “cloud,” or on portable devices that your execs take home. The breach notification regs don’t apply to the loss of properly encrypted data, so “if you can encrypt, that’s what you want to do,” Sheldon-Dean said. Encryption must meet FIPS 140-2, the federal info processing standard. Make sure that the company you hire to do your encryption boasts this credential, and you’re good to go.</p>
<p class="MsoNormal"><strong>Second</strong>, make sure you have sound policies &amp; procedures in place to deal with breaches when and if they occur. It would be nice if all you had to do was lock down the information, but you need to be prepared to notify a range of people if something does happen, he said. The 60-day clock starts ticking on the first day you (or your agent) knew or should have known about the breach. “If you don’t have good security procedures in place and don’t even know that a breach has occurred, the clock could expire and you wouldn’t even know you were out of compliance,” he warned.</p>
<p class="MsoNormal"><strong>Third</strong>, you need to be prepared to notify not only the patients whose unsecured information was lost but, if more than 500 patients’ records were lost, the media and HHS as well. And if you are unable to get in touch with just 10 patients because you don’t have their mailing addresses, you have to post a notice on the web. Sheldon-Dean recommended one way to prepare for this requirement: “When a new patient signs up, ask if they want notifications by email. It’s a lot easier and cheaper to notify by email. Stamps and envelopes cost real dollars.”</p>
<p class="MsoNormal"><strong>Fourth</strong>, start thinking now about revising your contracts with your “<a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html">business associates</a>” – people or entities that perform functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity. The security breach notification regs extend to BAs as of Feb. 22, 2011, but you need to have your agreements with vendors and other entities in place by the 2010 deadline, said Sheldon-Dean. If the BA is responsible for the breach, it should be up to them to pay costs of notification, fines and damages, so make sure you have indemnification clauses in those contracts. “Start with the highest risk BAs first to minimize your risk,” he said.</p>
<p class="MsoNormal"><strong>Finally</strong>, research all the state laws that apply to your patients. In addition to federal laws and regs, at least 48 U.S. states and territories have enacted breach notification laws, and the variations among them are significant, according to Sheldon-Dean. For instance, while the federal regs give you 60 days to notify patients of a breach, in California, you have only 5 days. While most states require just notification, others like New York impose fines. Go to the <a href="http://www.ncsl.org/Default.aspx?TabId=13489">National Council of State Legislatures for a full list</a> of the state security breach laws.</p>
<p class="MsoNormal"><a title="HIPAA Compliance Basics to Breach" href="http://www.audioeducator.com/conference-HIPAA-Compliance-Review-170210?WTCI99HC" target="_blank">Coming soon on AUDIO. HIPAA Compliance: From Basics to Breach</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/cya/prepare-for-feb-22-enforcement-of-security-breach-regs-with-these-5-steps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Issues New Interim Rule on HIPAA Penalties</title>
		<link>http://compliancenews.inhealthcare.com/flash/hhs-issues-new-interim-rule-on-hipaa-penalties/</link>
		<comments>http://compliancenews.inhealthcare.com/flash/hhs-issues-new-interim-rule-on-hipaa-penalties/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 04:29:01 +0000</pubDate>
		<dc:creator>Michele Bowman</dc:creator>
				<category><![CDATA[Flash]]></category>
		<category><![CDATA[civil monetary penalty]]></category>
		<category><![CDATA[CMP]]></category>
		<category><![CDATA[enforcement]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[interim final rule]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=264</guid>
		<description><![CDATA[
<p class="MsoNormal"><a href="http://compliancenews.inhealthcare.com/files/2009/11/229_2614459.jpg"><img class="alignright size-medium wp-image-265" title="229_2614459" src="http://compliancenews.inhealthcare.com/files/2009/11/229_2614459-300x300.jpg" alt="" width="300" height="300" /></a></p>
<p class="MsoNormal"><strong>Watch Out: Maximum monetary penalty for HIPAA violations just increased by 6,000 percent.</strong></p>
<p class="MsoNormal">If you were confused by enforcement of the old HIPAA penalty rules, the new ones are only a little better — and have…</p>]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><a href="http://compliancenews.inhealthcare.com/files/2009/11/229_2614459.jpg"><img class="alignright size-medium wp-image-265" title="229_2614459" src="http://compliancenews.inhealthcare.com/files/2009/11/229_2614459-300x300.jpg" alt="" width="300" height="300" /></a></p>
<p class="MsoNormal"><strong>Watch Out: Maximum monetary penalty for HIPAA violations just increased by 6,000 percent.</strong></p>
<p class="MsoNormal">If you were confused by enforcement of the old HIPAA penalty rules, the new ones are only a little better — and have much sharper teeth.</p>
<p class="MsoNormal">On Oct. 30, 2009, HHS issued <a href="http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480a4e565">an interim final rule</a> with request for comments under the HITECH Act revisions. The HITECH statute requires HHS to develop new penalties for violations of health care security and privacy that occur after Feb. 18, 2009.</p>
<p class="MsoNormal">The rulemaking takes effect on Nov. 30, 2009, according to HHS, which will consider comments until Dec. 29, 2009.</p>
<p class="MsoNormal"><strong>Under the proposed new rule, violations would be subject to penalty ranges that correspond to what the violator knew or didn’t know: </strong>If he did not know about the violation, he’d be subject to a penalty of $100 to $50,000 per violation; if a violation was “due to reasonable cause,” $1,000 to $50,000 per violation. If willful neglect occurred but the violation was corrected, the range is $10,000 to $50,000 per violation, and if it was not corrected, the minimum penalty is $50,000 per violation. <strong>What doesn&#8217;t make sense &#8230;</strong></p>
<p class="MsoNormal"><span id="more-264"></span>“One of the less clear areas of the HITECH Act was the penalties,” said Robert Markette, a partner with Gilliland &amp; Markette LLP, in <a href="http://www.homecarelawblog.com/my-blog/2009/11/hhs-posts-interim-final-hipaa-enforcement-rule.html">a recent Home Care Law Blog post</a>. “The way the statute was worded made it sound like the high end of the penalties was basically the same for all violations, which makes little sense.”</p>
<p class="MsoNormal">While this can still be the case — note that one can be penalized at the low and high ends for the exact same amount of $50,000 per violation — HHS has tried to create a more rational plan for civil penalties. “[A]t least you can understand the scheme,” said Markette. “I think HHS should have structured it so that each tier ends at a level below the next tier, although I understand that they felt the statute tied their hands. It will be interesting to see how penalties under these ranges play out.”</p>
<p class="MsoNormal">Penalties are subject to an overall cap of $1.5 million for all violations of an identical provision in a year. That’s almost a 6,000% increase in the maximum penalty an organization or provider can pay for a HIPAA violation.</p>
<p class="MsoNormal">Prior to the HITECH Act, the HHS Office for Civil Rights, which is responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules, could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan or clearinghouse could also bar the Secretary’s imposition of a CMP by demonstrating that it did not know that it violated the HIPAA rules.</p>
<p class="MsoNormal">But HITECH narrowed the defenses that health organizations and providers can turn to after a violation: “A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery,” said HHS in <a href="http://www.hhs.gov/news/press/2009pres/10/20091030a.html">a statement about the proposed rule</a>.</p>
<p class="MsoNormal">This interim final rule with request for comments is the first of several steps HHS is taking to implement the HITECH Act’s enforcement provisions. HHS says that the remaining provisions, which have yet to become effective, will be addressed in the next few months in forthcoming rulemakings.</p>
<p class="MsoNormal"><a title="AUDIO: HIPAA Breach Notification Rule" href="http://www.audioeducator.com/conference-Breach-Notification-Rule-Compliance-Action-Required-120110?trk=WTCI99CZ" target="_blank"><strong>Alert:</strong> Beginning February 22, 2010 the feds will enforce HIPAA&#8217;s Breach Notification Rule. Here&#8217;s the audio training event to help you prepare your health care organization</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/flash/hhs-issues-new-interim-rule-on-hipaa-penalties/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Some Flowers &amp; Some PHI</title>
		<link>http://compliancenews.inhealthcare.com/dont-try-this-at-home/some-flowers-some-phi/</link>
		<comments>http://compliancenews.inhealthcare.com/dont-try-this-at-home/some-flowers-some-phi/#comments</comments>
		<pubDate>Mon, 21 Sep 2009 18:24:39 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Don't Try This At Home]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[florist]]></category>
		<category><![CDATA[gift shop]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[hospital]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=158</guid>
		<description><![CDATA[<p><a href="http://compliancenews.inhealthcare.com/files/2009/09/fall-flowers.jpg"><img class="alignleft size-medium wp-image-159" title="fall-flowers" src="http://compliancenews.inhealthcare.com/files/2009/09/fall-flowers-300x236.jpg" alt="" width="300" height="236" /></a>Some cute stuffed animals, some balloons, some bows, and some sweet bouquets. When you think &#8216;hospital gift shop&#8217; you don&#8217;t usually think about PHI leaks and HIPAA risks.</p>
<p>Here&#8217;s how one respected health system accidentally breached PHI last…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://compliancenews.inhealthcare.com/files/2009/09/fall-flowers.jpg"><img class="alignleft size-medium wp-image-159" title="fall-flowers" src="http://compliancenews.inhealthcare.com/files/2009/09/fall-flowers-300x236.jpg" alt="" width="300" height="236" /></a>Some cute stuffed animals, some balloons, some bows, and some sweet bouquets. When you think &#8216;hospital gift shop&#8217; you don&#8217;t usually think about PHI leaks and HIPAA risks.</p>
<p>Here&#8217;s how one respected health system accidentally breached PHI last week, one attorney friend wrote <em>HC Compliance Essentials</em>. My friend called the hospital to ask if her friend was still in the hospital so she could send her flowers, and the hospital didn&#8217;t tell her because that would violate HIPAA.</p>
<p>She then called the hospital gift shop, which freely told her friend &#8220;would probably be out of intensive care&#8221; sometime tomorrow, and sure they could send flowers to her room.</p>
<p>So what do you think? If the hospital runs the gift shop, is it part of the covered entity? If the hospital contracts with a vendor to sell gifts, is it a business associate because it deals with patient data?</p>
<p>Let&#8217;s hear your thoughts on this one, folks.</p>
<p><a title="AUDIO: Stimulus and new HIPAA rules" href="http://www.audioeducator.com/conference-HIPAA-Stimulus-Billers-Coders-1510?trk=WTCI189C" target="_blank">AUDIO: Stimulus surprise — how the new HIPAA law targets providers. With attorney Wayne Miller.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/dont-try-this-at-home/some-flowers-some-phi/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Next for Health Care Security, Privacy Compliance</title>
		<link>http://compliancenews.inhealthcare.com/hot-topics/whats-next-for-health-care-security-privacy-compliance/</link>
		<comments>http://compliancenews.inhealthcare.com/hot-topics/whats-next-for-health-care-security-privacy-compliance/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 05:00:20 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Hot Topics]]></category>
		<category><![CDATA[ARRA]]></category>
		<category><![CDATA[e-mail]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[red flag rules]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[state law]]></category>
		<category><![CDATA[stimulus]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=114</guid>
		<description><![CDATA[
<p class="MsoNormal"><em><a href="http://compliancenews.inhealthcare.com/files/2009/09/business-man-with-laptop.jpg"><img class="alignright size-medium wp-image-115" title="business-man-with-laptop" src="http://compliancenews.inhealthcare.com/files/2009/09/business-man-with-laptop-300x255.jpg" alt="" width="300" height="255" /></a>Don&#8217;t miss the new compliance consequences for stolen laptops, mistaken e-mail. </em></p>
<p class="MsoNormal">Health care organizations are entering an era of unprecedented regulation and the compliance landscape is changing as a result.</p>
<p class="MsoNormal"><strong>Specifically, as security and privacy</strong>…</p>]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><em><a href="http://compliancenews.inhealthcare.com/files/2009/09/business-man-with-laptop.jpg"><img class="alignright size-medium wp-image-115" title="business-man-with-laptop" src="http://compliancenews.inhealthcare.com/files/2009/09/business-man-with-laptop-300x255.jpg" alt="" width="300" height="255" /></a>Don&#8217;t miss the new compliance consequences for stolen laptops, mistaken e-mail. </em></p>
<p class="MsoNormal">Health care organizations are entering an era of unprecedented regulation and the compliance landscape is changing as a result.</p>
<p class="MsoNormal"><strong>Specifically, as security and privacy regulations expand, risk of regulatory sanctions and brand damaging incidents increases,</strong> according to an August 25, 2009 webinar, “Trends in Privacy and Security Law,” co-sponsored by Compliance 360 and Alston &amp; Bird, a law firm based in Atlanta. David Keating, a corporate partner and a member of Alston &amp; Bird’s technology practice, outlined some of the top compliance trends in privacy and security that your organization should be aware of as legislatures head back into session this fall.</p>
<p class="MsoNormal"><strong>States tighten data security and privacy laws:</strong><span> A number of states have passed sweeping laws protecting sensitive information, including health records, said Keating. Those states include Massachusetts, Connecticut, New York, Texas, Nevada, and Utah. Massachusetts is the state to keep an eye on, as it is an “outlier” in its aggressive approach at this point, Keating said.</span></p>
<p class="MsoNormal"><a title="New HIPAA Rules AUDIO" href="http://www.audioeducator.com/conference-HIPAA-Stimulus-Billers-Coders-1510?trk=ITCI1896" target="_blank">Do you know the new rules for using </a><strong><a title="New HIPAA Rules AUDIO" href="http://www.audioeducator.com/conference-HIPAA-Stimulus-Billers-Coders-1510?trk=ITCI1896" target="_blank">“de-identified” data</a></strong><span><a title="New HIPAA Rules AUDIO" href="http://www.audioeducator.com/conference-HIPAA-Stimulus-Billers-Coders-1510?trk=ITCI1896" target="_blank">? Attorney Wayne Miller explains HIPAA&#8217;s new rules, now that ARRA is here</a>.</span></p>
<p class="MsoNormal">Massachusetts is in the process of passing particularly sweeping new laws that would expand the state’s regulatory reach not only to companies that are headquartered there but also to companies whose customers exist in that state. The business community has managed to delay implementation of this law twice, according to Keating. It is now scheduled to come into effect in March 2011.<span id="more-114"></span></p>
<p class="MsoNormal">He said there’s talk in Massachusetts of removing health care providers from the state’s red flags rule, which addresses identity theft and overlaps to some extent with the <span style="text-decoration: underline;"><a title="FTC Red Flags Rule" href="http://compliancenews.inhealthcare.com/flash/ftc-red-flags-rule-compliance-deadline-is-now-nov-1/" target="_blank">FTC’s red flags rule</a></span>. “The inclusion of health care entities has been under a lot of criticism, and is the driving force of the delays,” he explained.</p>
<p class="MsoNormal">Other state law compliance issues for health care organizations include encryption requirements, particularly in e-mail. “Technological solutions come down to cost,” noted Keating, and are being implemented with varying success and feasibility. “These are difficult requirements to comply with,” he said.</p>
<p class="MsoNormal">Another state law issue is employee privacy vis-a-vis human resources. New York, for instance, now requires the protection of employee information such as social security numbers. “This is a trend,” Keating pointed out. “There is pressure to do this in legislatures around the country, to pass new laws.”</p>
<p class="MsoNormal">And to further complicate matters, gone are the days in which states would act in a uniform manner when it came to data security issues. “Now they’re not,” he said. “Each law looks different, you have to scramble to figure out what it says and how to integrate it into your privacy policies.”</p>
<p class="MsoNormal"><strong>Health care privacy:</strong><span> Under HIPAA, health care companies have been required to protect health information for patients since 1996. But the stimulus act passed by Congress in early 2009 expands HIPAA to cover vendors who contract with health care entities for personal health information solutions. </span></p>
<p class="MsoNormal">“These new requirements were literally entered late at night in the law, and they took people by surprise,” said Keating. “The punch line is that a health care entity must make public disclosures of data breaches that affect private health information.” State data breach laws have been focused on financial information, but now, for the first time, health care organizations also have to worry about things like unauthorized access by employees, stolen laptops, and mistaken e-mails going out to unauthorized parties.</p>
<p class="MsoNormal">Specific notice rules have come into effect, he said. Expect more action in this area as health care organizations and their vendors test these new aspects of federal law. “Customers will seek to impose these laws on vendors,” said Keating.</p>
<p class="MsoNormal"><strong>Keating said one of his clients, a publicly traded health care company, suffered a security breach that was instructive:</strong> An executive’s laptop was stolen from his car, and the company had to disclose the theft because the laptop contained sensitive information on the company’s patients. The company made a bad move by focusing on cost savings and not providing enough resources to handle the barrage of phone calls it received from concerned customers.</p>
<p class="MsoNormal">“We remedied the situation by getting a professional call center to take over the 800 line, but multiple complaints had already been filed with the <span style="text-decoration: underline;"><a title="HHS OCR Home Page" href="http://www.hhs.gov/ocr/" target="_blank">HHS Office for Civil Rights</a></span>, and it took a long time to resolve them.” People must have a source of information they can easily access to find out what’s happened in a security breach that you have to publicize, he said. “It’s critical to make sure as part of your crisis management there is a place for people to vent and ask questions.”</p>
<p class="MsoNormal">Overall, health care organizations should be prepared for specific security obligations imposed on the handling of sensitive information at the federal level, which may or may not eliminate the patchwork approach of the states, Keating said. “Any federal law passed may override state laws. But my money is on federal law not overriding them.” Thus it’s much more likely that organizations will have to comply with both federal plus state security laws, he said.</p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/hot-topics/whats-next-for-health-care-security-privacy-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Your HIT Security Breach Game Plan</title>
		<link>http://compliancenews.inhealthcare.com/flash/your-hit-security-breach-game-plan/</link>
		<comments>http://compliancenews.inhealthcare.com/flash/your-hit-security-breach-game-plan/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 05:02:34 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Flash]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIT]]></category>
		<category><![CDATA[medical records]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=91</guid>
		<description><![CDATA[<p><strong><em><a href="http://compliancenews.inhealthcare.com/files/2009/08/797px-1927_mississippi_flood_levee_breach.jpg"><img class="alignleft size-medium wp-image-92" src="http://compliancenews.inhealthcare.com/files/2009/08/797px-1927_mississippi_flood_levee_breach-300x225.jpg" alt="" width="300" height="225" /></a>What the rules are when a breach happens, and when you must alert the media.</em></strong></p>
<p><strong><span style="font-weight: normal">If you violate a patient’s privacy, the days where you can quietly sweep the breach under the rug are over. This week, the Dept. of Health and Human Services</span></strong>…</p>]]></description>
			<content:encoded><![CDATA[<p><strong><em><a href="http://compliancenews.inhealthcare.com/files/2009/08/797px-1927_mississippi_flood_levee_breach.jpg"><img class="alignleft size-medium wp-image-92" src="http://compliancenews.inhealthcare.com/files/2009/08/797px-1927_mississippi_flood_levee_breach-300x225.jpg" alt="" width="300" height="225" /></a>What the rules are when a breach happens, and when you must alert the media.</em></strong></p>
<p><strong><span style="font-weight: normal">If you violate a patient’s privacy, the days where you can quietly sweep the breach under the rug are over. This week, the Dept. of Health and Human Services (HHS) published regulations that require you to alert affected individuals of a security breach. And sometimes, you even have to contact the media.</span></strong></p>
<p><span style="font-weight: normal">If your health care organization (or any HIPAA-covered entity) breaches an individual’s health information, you must “promptly” notify the individual via first-class mail at the individual’s last known address. If the individual agrees to receive electronic notice, you can instead choose to contact him via email, according to the notification, published in the <a title="Aug 24 Federal Register Security Breach Rule" href="http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf" target="_blank">Aug. 24 </a></span><em><span style="font-weight: normal"><a title="Aug 24 Federal Register Security Breach Rule" href="http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf" target="_blank">Federal Register</a></span></em><span style="font-weight: normal">.</span></p>
<p><span style="font-weight: normal">In cases where you don’t have the contact information for 10 or more individuals whose security was breached, you must provide substitute notice, either by posting information about the breach on your Web site for 90 days or in major print or broadcast media near where those affected reside.<span id="more-91"></span><a title="New HIPAA Law" href="http://www.audioeducator.com/conference-HIPAA-Stimulus-Billers-Coders-1510?trk=ITCI1896" target="_blank">AUDIO: Stimulus surprise — how the new HIPAA law targets health care providers. With attorney Wayne Miller.</a></span></p>
<p><span style="font-weight: normal">If your breach of unsecured protected health information (PHI) affects more than 500 individuals, you’ve got to take your notification a few steps further. According to the </span><em><span style="font-weight: normal">Federal Register</span></em><span style="font-weight: normal">, you must alert the media, and the HHS secretary will post your name on its Web site.</span></p>
<p><span style="font-weight: normal">“These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said HHS Office for Civil Rights Acting Director Robinsue Frohboese, in an Aug. 19 statement.</span></p>
<p><span style="font-weight: normal">In addition to discussing who must disclose breaches and how you must disclose them, the </span><em><span style="font-weight: normal">Federal Register </span></em><span style="font-weight: normal">also offers an update on HHS’s regulations on encryption and destruction of PHI.</span></p>
<p><span style="font-weight: normal">For example:</span><span style="font-weight: normal"> Covered entities “must consider” implementing encryption as a method for safeguarding electronic PHI, the </span><em><span style="font-weight: normal">Federal Register </span></em><span style="font-weight: normal">notes. “However, because these are addressable implementation specifications, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt electronic PHI and instead uses a comparable method to safeguard the information.”</span></p>
<p><span style="font-weight: normal">What this means: </span><span style="font-weight: normal">Although encryption isn’t required at this point, “from a practical perspective, physician practices and other covered entities should be seeking to encrypt their electronic protected health information,” says Mark Rogers, Esq. of The Rogers Law Firm in Braintree, Mass. “It is widely believed that it is only a matter of time before such encryption is mandated.”</span></p>
<p><em><span style="font-weight: normal">To read the Federal Register notice, <a title="Federal Register Security Rule" href="http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf" target="_blank">visit here</a></span></em><em><span style="font-weight: normal">.</span></em></p>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/flash/your-hit-security-breach-game-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Red Flags Rule: A Digital Photo for the Medical Record?</title>
		<link>http://compliancenews.inhealthcare.com/hot-topics/hot-topic-2/</link>
		<comments>http://compliancenews.inhealthcare.com/hot-topics/hot-topic-2/#comments</comments>
		<pubDate>Tue, 02 Jun 2009 20:57:43 +0000</pubDate>
		<dc:creator>seank</dc:creator>
				<category><![CDATA[Hot Topics]]></category>
		<category><![CDATA[employee background checks]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[ID]]></category>
		<category><![CDATA[identification]]></category>
		<category><![CDATA[medical identity theft]]></category>
		<category><![CDATA[red flags rule]]></category>

		<guid isPermaLink="false">http://compliancenews.inhealthcare.com/?p=10</guid>
		<description><![CDATA[<div>
<p><a href="http://compliancenews.inhealthcare.com/files/2009/06/red-game-piece.jpg"><img class="alignleft size-medium wp-image-27" src="http://compliancenews.inhealthcare.com/files/2009/06/red-game-piece-300x199.jpg" alt="" width="300" height="199" /></a>It may seem like the government is implementing the Red Flags Rule in the distant future — now that the Federal Trade Commission (FTC) has delayed the implementation date to November 1, 2009. But the new rule will be a reality</p></div><p>…</p>]]></description>
			<content:encoded><![CDATA[<div>
<p><a href="http://compliancenews.inhealthcare.com/files/2009/06/red-game-piece.jpg"><img class="alignleft size-medium wp-image-27" src="http://compliancenews.inhealthcare.com/files/2009/06/red-game-piece-300x199.jpg" alt="" width="300" height="199" /></a>It may seem like the government is implementing the Red Flags Rule in the distant future — now that the Federal Trade Commission (FTC) has delayed the implementation date to November 1, 2009. But the new rule will be a reality before you know it, and some providers already have nuts-and-bolts questions about things like copying ID cards and HIPAA triggers.</p>
<p>Under the Red Flags Rule, your practice will be required to spot the “red flags” that can signal identity theft. Just recently, a Long Island medical office employee was charged with stealing patients’ identities from medical files and using the information to go on a spending spree.</p>
<p><strong>Point of contention: </strong>In preparing their Red Flags programs, some health care entities plan to check patients’ identification cards, and some choose to make photocopies or scan the photo ID cards to ensure that patients who present are using their own insurance cards. However, several medical practices report that they’ve heard that they should not keep copies of patients’ IDs in their systems due to privacy concerns with their HIPAA policies.</p>
<p>Reality: In a Feb. 4 letter to the AMA, the FTC noted that requesting a photo ID at patient visits is “consistent with the objectives of the Red Flags Rule.”</p>
<p><a title="Comply with FTC Red Flags Rule" href="http://www.audioeducator.com/industry_conference.php?id=1534&amp;trk=ITCI1896" target="_blank">AUDIO TRAINING EVENT: What health care providers must do to comply with the Red Flags Rule.</a></p>
<p><strong>Good idea: </strong>“It is our recommendation to <a title="American Medical Billing Association" href="http://www.ambanet.net/AMBA.htm" target="_blank">American Medical Billing Assn. (AMBA)</a> members to have their providers check a photo ID for each encounter,” suggests Cyndee Weston, AMBA’s executive director. “I don’t think the ID must be copied each time, but a picture in the patient’s medical record for future identification purposes would be beneficial,” she advises. Many providers already take a digital picture of the patient for the medical record, which is a “best practice suggestion.”<span id="more-10"></span></p>
<p><strong>What about HIPAA? </strong>“Once you’ve copied the license or scanned it into your system, you’ve entered HIPAA territory,” says Barbara J. Cobuzzi, MBA, CPC,CPC-H, CPCP, CHCC, senior coder and auditor for The Coding Network, and president of CRN Healthcare Solutions. “You now have to have very strong HIPAA protocols to protect that.”</p>
<p><strong>Keep in mind: </strong>The case of the Long Island woman should be a reminder that practices should include employee background checks in their Red Flags program, Cobuzzi says.</p>
<p>For a red flags checklist, <a title="Red Flags Rule Checklist" href="http://compliancenews.inhealthcare.com/wp-admin/post.php?action=edit&amp;post=6" target="_blank">go here</a>.</p>
<p>© <em><a title="PART B INSIDER FREE SAMPLE ISSUE" href="http://www.partbinsider.com/spec_partb.htm" target="_blank">Part B Insider</a></em></p></div>
]]></content:encoded>
			<wfw:commentRss>http://compliancenews.inhealthcare.com/hot-topics/hot-topic-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

