Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

HITECH Privacy Compliance Gets Trickier – Meaningful Use Monday

Written by:

It’s been a very interesting few weeks for privacy protection under  HIPAA. Just in case you haven’t had a chance to catch up on them,  here’s what’s going on.  The OCR has announced the protocols under which it’s going to perform audits required by HITECH.

Here’s how OCR is going to check both you and business associates for compliance with the HIPAA Privacy Rule,  Security Rule and Breach Notification Rule. Here’s a summary from the Beyond Healthcare  Reform blog from lawfirm Faegre Baker Daniels:

Privacy Rule Security Rule
Notices of privacy practices Administrative Safeguards
Right to request privacy protection for PHI Physical Safeguards
Access to PHI Technical Safeguards
Administrative requirements
Uses and disclosures of PHI
Amendment of PHI
Accountings of disclosures

Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough.  Since 2009, HITECH has required covered entities and business associates to disclose if they’d used information on patients — including for treatment, payment or operations — if the access was through an EMR.

While that’s sticky to enforce, it mostly affects providers, not the business associates in most cases. But things could get a little trickier going forward.  A new proposed rule would now require a basic access report applying not just to EMRs, but also to uses and disclosures of e-PHI in a designated record set.

As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they have a designated records set) would have to provide the access reports for everything, including treatment, payment and operations.

I doubt any of us are surprised to see OCR getting tougher on data sharing;  in fact, I’d argue that it’s overdue. The question is whether in the mean time, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) still haunt us.  Scary times.

Post a Comment(4)
July 9, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Filed Under: EHR  EMR  EMR Consulting  HIPAA News  HIPAA Training  HITECH  Hospital EHR  Security Rule
Tags:          

Are We Ready For ACOs? Security, Process Issues Abound

Written by:

Accountable Care Organizations are starting to emerge and solidify, though they still seem to be mostly the efforts of large integrated health systems dancing with large medical groups and partner hospitals with very strong IT departments.  In other words, ACOs don’t seem to be for the weak or poorly funded, at least not yet.

The business issues these entities face (aligning physicians with global goals, most particularly) are complicated and taxing enough. Once you’ve gotten those initiatives in motion, it’s time to interoperate and share data. After all, you have a better chance of accomplishing them if your group shares health data freely and uses advanced functions of EMRs to track collective clinical progress.

The thing is, even big, mature IDNs with a tightly-knit ACO group are still struggling with physician alignment and, as we all know, getting what they need from their EMR and health data exchange.

Given how hard creating consensus and sharing interoperable data is, it’d be nice to end the critique right there. But the truth is, shared goals and shared systems are just one layer of the problem.

One thing I don’t hear much of is serious discussion as to the security issues that open up when you share data across the porous borders of ACO partner organizations.

Now, I am neither a lawyer nor an engineer (IANALOE), so I’m not going to attempt to articulate any long list of specific security problems. But just because IANALOE doesn’t mean I can’t see the obvious:  Data shared widely is data exposed, unless you’ve got some great solutions in place.

Moreover, data shared among even partnered ACO organizations will pass through some organizations that have trained their staff effectively in HIPAA compliance, and others where the training was minimal or didn’t take.  This is a problem that must be faced by HIEs in any event, but even  more when providers need to manage at the case level, doing deep dives into patient records rather than skimming summaries and drug lists.

I’m not suggesting that ACOs don’t work — actually, I think they can perform very well — but I am suggesting that we aren’t taking the process and security issues as seriously as we should.  I do hope solutions to these problems emerge as ACOs refine their business models.  If not, I see some serious crashes in the future.

Post a Comment(0)
June 13, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Filed Under: ACO  Clinical Decision Support  EHR  Electronic Health Record  Electronic Medical Record  EMR  EMR Security  Healthcare  Healthcare Business Intelligence  Healthcare Interoperability  HealthCare IT  HIPAA General  HIPAA Training  Hospital EHR  Medical Privacy  Security Rule
Tags:              

Be Sure That Business Associates Are HIPAA-Prepared, Or Else

Written by:

Sure, most readers will know that it’s important to have business associates who know how to handle potential HIPAA concerns.  I’d wager, however, given the outbreak of partner-related data losses of late, many facilities and medical practices aren’t subjecting their business partners to severe enough scrutiny.

There’s many, many ways a business associate can drop the ball, especially if you’re not keeping them informed.  For example, consider the case of South Shore Hospital of South Weymouth, MA, which lost boxes of unencrypted backup tapes en route to associate Archive Data Solutions.  The tapes stolen included HIPAA-protected ePHI (SSNs, names, financial account numbers and diagnoses).

While the business associate may have done wrongly, it was the hospital which was fined a total of $475,000 over the incident, which affected over 800,000 individuals. The state’s Attorney General slapped the hospital with these fines because it hadn’t done due diligence to make sure the associate had appropriate safeguards in place.

So, how do you protect yourself in your relationship with data management associates?  The following list of criteria, supplied by Thu Pham, seem likely to do the trick:

  • Business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof their employees are trained on how to handle your PHI, with last completed dates of training.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

I might also ask them how they train their workers, as all of this preparation might be worth a lot less if policies are loose.  Now, over to you. Do you think this list is sufficient to protect your institution?  Are there items you’d add or clarify?

Post a Comment(4)
June 6, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Filed Under: EMR  EMR Security  Healthcare  HealthCare IT  HIPAA Breaches  HIPAA General  HIPAA Training
Tags:                

HIPAA Applies To Those Who Don’t Know About It

Written by:

Now here’s a pretty how-to-do for HIPAA lawbreakers. According to a new appellate decision in California, people convicted of accessing patient records illegally can be punished whether or not they knew it was illegal.

The case, United States v. Zhou, concerned the acts of one Huping Zhou, a former research assistant in rheumatology at the University of California at Los Angeles Health System. After being fired from his job as a research assistant in 2003, Zhou accessed patient records without authorization at least four times (and obviously, got caught).  After some sparring over charges, the feds eventually prosecuted him for HIPAA violations.

For years, the case worked its way through the system, with Zhou taking the position that he didn’t know accessing the patient records was illegal, and for that reason should not be found guilty.

Last month, the case ended up in the United States District Court for the Central District of California last month. It took the judges only a few weeks to decide that yes, Zhou was responsible even though he may not have known that his data spying was illegal under HIPAA.  Wow.

The HIPAA provision the judges relied on was the following:

HIPAA provides that: “[a] person who knowingly and in violation of this part — (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” 42 U.S.C. § 1320d-6(a).

And their analysis of Zhou’s defense did not go the way he had hoped. Again, from the appellate decision:

[T]he plain text of Section 1320d-6(a)(2) [of HIPAA]  is not limited to defendants who knew that their
actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.

In other words,  if you knowingly snoop into patient records, you’re on the hook even if you never knew HIPAA existed. (Note, I am not a lawyer or court-watcher, but this is how most legal commentators have interpreted the decision.)

While I like my privacy as much as anyone else, this case does trouble me. While it’s unlikely that a hospital staffer would think PHI peeping was OK, some healthcare workers — in settings such as, say, home care or a small mental health practice — might have no idea that the Department of Justice might come knocking at their door.

Wouldn’t it be more logical to prosecute the hospital for being so insecure that its data could be accessed by an angry ex-employee?  If it were my PHI, that’s where I’d be venting my wrath.

Post a Comment(8)
May 17, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Filed Under: EHR  Electronic Health Record  Electronic Medical Record  EMR  EMR Security  HIPAA General  HIPAA Lawsuits  HIPAA News  HIPAA Training  Hospitals  Medical Privacy  Security Rule
Tags:                  

Clinical Documentation Upgrade Critical Before ICD-10 Conversion

Written by:

For most providers organizations, the news that ICD-10 implementation is likely to be delayed is, at minimum, a big relief.  But don’t let that lull you into a false sense of relief, suggests Priya Patel of tech consulting firm Perficient.  Even if the ICD-10 rollout is delayed — as many hope — until October 2013, it’s still going to happen.

So what can organizations due to reduce that weak feeling in the knees associated with ICD-10?  Well, generally speaking, Patel notes, your organization is already overdue for doing an ICD-10 impact assessment to figure out how to move ahead.

While the whole assessment is important, perhaps the most important element of the ICD-10 preparation process is clinical documentation assessment, Patel says. In fact, “if you choose not to assess your clinical documentation, you will certainly lose!” Patel asserts. Lose what?  Well, clinical and business effectiveness, sure, but also a great deal of money.

Right now, few doctors document efficiently enough to support coders, who are forced to do their work based on their assumptions and often, make mistakes and end up doing things over again.  As things move to ICD-10, these problems are only likely to get worse, as consistency in coding will become even more important.

Unfortunately, that’s not going to happen on its own. In fact, According to Patel, a recent study of 3,000-odd medical records across the country found that only 37 percent of physician documentation in existence would meet standards set by ICD-10.  Most organizations, in other words, will find that the documentation they have on hand is nowhere near as specific as it should be to support ICD-10 coding.

To figure out just how much your physicians need to improve before you transition to ICD-10, it’s critical to assess what clinical documentation gaps your organization faces, Patel says.

Anyone who reads Patel’s article and doesn’t see it as a red-hot wakeup call (deadline move-up or not) they’re crazy. It’s hard to argue that it will take a lot of time and physician training of doctors, coders and hospital staff.   If your clinicians don’t drill down to codes that have the clinical impact for them, and medical coders get much more training on documentation, anatomy and physiology and disases processes, things could get ugly, Patel notes.

Post a Comment(1)
April 4, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Filed Under: EHR  Electronic Health Record  Electronic Medical Record  EMR  HIPAA Training  Hospital EHR  Hospitals  ICD-10  Meaningful Use
Tags:              

Can Providers Cope With EMR Security Challenges?

Written by:

Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records  – plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they had with paper charts.  For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you used to just have to pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs.  Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of  securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway…cause if providers aren’t ready to think about these issues, things aren’t going to be pretty.

Post a Comment(13)
June 15, 2011 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Filed Under: EHR  Electronic Health Record  Electronic Medical Record  EMR  EMR Security  EMR Technology  Healthcare  HealthCare IT  HIPAA General  HIPAA Training  Medical Privacy
Tags:                

Meaningful Use and HIPAA – The Risk Analysis

Written by:

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis.  This may also be referred to by some as the Risk Assessment also.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be a handful of questions.  It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices.  An additional risk analysis should be accomplished anytime there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR new computer network architecture, and even something as innocent as a new photocopier (more on this later).

Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis.  Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based.  Your risk analysis should cover areas including:

  • Does the practice have a privacy window at the sign in station?
  • Does the practice close the privacy window to the lobby except when speaking to a patient directly?
  • Does the practice use an acceptable procedure to hide patient names on the sign-in form?
    • What is acceptable?  Here are a few examples:
      • Individual sign-in slips that are handed to the receptionist
      • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
      • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
  • Who has keys to the office?
  • Where is the list of who has keys to the office?
  • Who has the alarm code to the office?
  • Where is the list of who has the alarm code?
  • Is the door from the waiting area always locked?
  • Does the facility have a sprinkler fire system?
  • Does the server have a fire system sprinkler above it?
  • Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.

 

Post a Comment(1)
April 6, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

Filed Under: ARRA  HealthCare IT  HIPAA General  HIPAA Training  HITECH
Tags:          

Meaningful Use and HIPAA – The Sanction Policy

Written by:

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.

What exactly is a Sanction Policy?

Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.

First, your practice must have policies.  Without knowing the rules, nobody will know if they are breaking them or not.

The computer policies of a practice are the foundation on which your office will operate.  The computer policies are different than human resource company policies…actually, they are different, but enhance the HR policies.

For example:

  • Which websites can staff go to during business hours?
  • Which websites are completely banned?
  • Is your staff allowed to check their personal email on office computers?

These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff has signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble

So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?).  Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.

This Sanction Policy should cover:

  • Initial reaction to a violation
    • Document the violation
    • Detail the exact violation to the offender
    • Document this communication
    • Initiate any company checklists that may be required depending on the specific violation
  • Secondary reaction to a violation
    • Retraining
      • Re-attend Annual Awareness Training
      • Document this re-training
    • Document understanding of the violation
  • Repeat violations
    • Repeat violations need to be dealt with in a solid and consistent way
    • How many repeat violations before termination?
    • Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
    • Is the training for repeat violations different?

As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.

Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement.  As I expected, the feds are using Meaningful use to push you toward HIPAA compliance.

Next time, the Risk Analysis (you guessed it, another HIPAA requirement).

 

Post a Comment(1)
March 16, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

Filed Under: ARRA  HealthCare IT  HIPAA General  HIPAA Training  HITECH
Tags:            

EMR and HIPAA Blog

Written by:

My desire is to post things I find of importance related to HIPAA and EMR. My personal experience is in College Health so I will focus on posting items related more specifically to College Health. However, I will try to incorporate any aspects of EMR and HIPAA because I think best practices across the industry are important to know. Please feel free to post all you want if you find some good information that I haven’t seen and correct me if I’m wrong. This is my best knowledge from my research and is not guaranteed in anyway.

EMR BLOG

Post a Comment(7)
December 11, 2005 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

Filed Under: College Health  Electronic Medical Record  EMR  HIPAA General  HIPAA Lawsuits  HIPAA News  HIPAA Training  Interfaces  Medical Privacy  Pharmacy  Security Rule