Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Unfinished Business: More HIPAA Guidelines to Come

Posted on August 4, 2014 I Written By

The following is a guest blog post by Rita Bowen, Sr. Vice President of HIM and Privacy Officer at HealthPort.

After all of the hullabaloo since the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) release of the HIPAA Omnibus, it’s humbling to realize that the work is not complete. While the Omnibus covered a lot of territory in providing new guidelines for the privacy and security of electronic health records, the Final Rule failed to address three key pieces of legislation that are of great relevance to healthcare providers.

The three areas include the “minimum necessary” standard; whistleblower compensation; and revised parameters for electronic health information (EHI) access logs. No specific timetable has been provided for the release of revised legislation.

Minimum Necessary

The minimum necessary standard requires providers to “take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”

This requires that the intent of the request and the review of the health information be matched to assure that only the minimum information intended for the authorized release be provided. To date, HHS has conducted a variety of evaluations and is in the process of assessing that data.

Whistleblower Compensation

The second bit of unfinished legislation is a proposed rule being considered by HHS that would dramatically increase the payment to Medicare fraud whistleblowers. If adopted, the program, called the Medicare Incentive Reward Program (IRP), will raise payments from a current maximum of $1,000 to nearly $10 million.

I believe that the added incentive will create heightened sensitivity to fraud and that more individuals will be motivated to act. People are cognizant of fraudulent situations but they have lacked the incentive to report, unless they are deeply disgruntled.

Per the proposed plan, reports of fraud can be made by simply making a phone call to the correct reporting agency which should facilitate whistleblowing.

Access Logs

The third, and most contentious, area of concern is with EHI access logs. The proposed legislation calls for a single log to be created and provided to the patient, that would contain all instances of access to the patient’s EHI, no matter the system or situation.

From a patient perspective, the log would be unwieldy, cumbersome and extremely difficult to decipher for the patient’s needs. An even more worrisome aspect is that of the privacy of healthcare workers.

Employees sense that their own privacy would be invaded if regulations require that their information, including their names and other personal identifiers, are shared as part of the accessed record.  Many healthcare workers have raised concern regarding their own safety if this information is openly made available. This topic has received a tremendous amount of attention.

In discussion are alternate plans that would negotiate the content of access logs, tailoring them to contain appropriate data regarding the person in question by the patient while still satisfying patients and protecting the privacy of providers.

The Value of Data Governance

Most of my conversations circle back to the value of information (or data) governance. This situation of unfinished EHI design and management is no different. Once released the new legislation for the “minimum necessary” standard, whistleblower compensation and revised parameters for medical access logs must be woven into your existing information governance plan.

Information governance is authority and control—the planning, monitoring and enforcement—of your data assets, which could be compromised if all of the dots are not connected. Organizations should be using this time to build the appropriate foundation to their EHI.

About the Author:
Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry.  She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate.  Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership.  Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section.  She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records.  She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group.  She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program.  She also serves on the advisory board for Care Communications based in Chicago, Illinois.

Guest Post: HIPAA Responsibility – Whether You Want It or Not

Posted on March 21, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

John Lynn’s post “Covered Entity is Only One with Egg on Their Face” is good warning to healthcare providers: as HIPAA enforcement gains teeth, you are responsible for breaches caused by your business associates. The increase in HIPAA enforcement, penalties and current ONC audits make it clear that ignorance of adherence to HIPAA by your business associates (BA) is not a valid strategy.

In fact, the Poneman Institute Study cites 46 percent of breaches as caused by BAs, yet the covered entity (CE) is responsible for 100 percent of them from a legal prospective.

The time for inaction regarding your BAs is over. Now is the time to confront the issue head-on. The good news is that it costs less in the long run to prevent breaches than it does to pay for breaches committed by your BAs. Here’s how to get started.

It’s Time to Act

The same policies and procedures that you have implemented for yourself are applicable to your BAs. Of course, since the BAs do not report through your organization, the best way to assume compliance is through your contracting process.

It is not enough to just put it in the contract. In the old “trust but verify” school of management, your contract must also contain avenues of verification. That can include surveys, reports, audits, policy and procedure manuals, etc. This due diligence at contracting time pays off in many ways when ONC auditors knock on your door.

The due diligence must be a continual process, not just “once and done”. The laws are changing and Health and Human Services (HHS)’s Office of Civil Rights (OCR) is implementing new risk audits in 2012 to test your readiness. New breach notification and accounting of disclosure rules are imminent and will further tighten the laws. Also, many institutions focus on the Privacy Rules, while paying less attention to the Security Rules. The privacy rules focus on the “what,” while the security rules focus on the “how” of compliance.

To protect yourself, you should be doing self assessments using both internal and external auditors. Anything you do for yourself should be considered for your business associates.

Simple Encryption Goes a Long Way

Most accidental large-scale breaches are caused by lost or stolen electronic devices. The small one or two patient breaches are much less of a publicity problem but still require a risk assessment. The small breaches are going to happen; it is inevitable. The large breaches carry a higher degree of severity.

To prevent large breaches, it is essential that BAs which use electronics have the same tight policies and procedures in place that you do (or should). They can go beyond the HIPAA-mandated policies. One practice that should be implemented is encryption.

Remember, a lost electronic device that contains encrypted data is not considered a reportable breach. Encryption is a logical first step that, while not yet HIPAA mandated, will save considerable pain and expense over time. Notice it is only a first step. There are other security technologies available that will call a central location to pinpoint a device’s location. Further, they can wipe themselves clean if not accessed properly or in a given timeframe.

Paper Breaches Also a Concern

And providers shouldn’t lose sight of paper medical records and how BAs are using them. In fact, many breaches to date have involved paper. Understand how your BAs use paper records and patient information. Is it going off site? If so, there should be established policies and procedures.

Any access to paper records and appropriate destruction of those records must be HIPAA compliant. Locked bins for disposal and state-of-the-art shredders are a must at the provider’s site and the BA’s office. Do not let paper records lay around on desks and make sure all personnel are trained in the handling of paper records.

Training and Education for All

Training and educating are the foundation of any compliance program. BAs should have an in-depth training and education program that is as robust as that of the covered entity. Best practices make training an ongoing, living process with regular updates and mandatory attendance at classes.

Making the effort to fend off unauthorized disclosures will go a long way toward mitigating risk. Staying in front of the threat curve is difficult but not impossible. Remember to apply lessons learned to your BAs so you aren’t the only one with egg on your face!

Guest Post: Small Breaches Still Reportable – Current State of HIPAA Breach Notification

Posted on November 3, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules. Here’s a link to read all of the HIPAA Breach Notification Rules guest posts.

In the world of release of information (ROI), we see the breach of one or two records much more frequently than the massive, over-500 events. Smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year. In 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals. The complete Annual Report to Congress (PDF) from HHS for 2009 and 2010 is available online.

The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches. For example, the CE gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!

Training, education, skilled staff and solid procedures are the best approach to minimizing human error-based breaches, but they are inevitable. If and when it happens, the CE must evaluate sending a notification to the patient.

Another observation about breaches is that reactions to them seem to be very polarizing. Sometimes we see “breach fatigue” by patients. They hear so much about breaches that any leakage of their information is considered “no big deal” and simply a reality of modern, high-tech times. “After all, who really cares about the appendectomy I had ten years ago?” The opposite pole is that some patients become very upset and exhibit a sense of great concern.

Ultimately, the balance between a patient’s right of confidentiality and the provider’s needs for workflow consistency will continue to evolve. In the meantime, until a final breach notification rule is released, every CE must determine for itself how patient notices are analyzed and handled.

Guest Post: Expect New Rules to Expand Notification – Current State of HIPAA Breach Notification

Posted on October 27, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

It is widely expected that Health and Human Service (HHS) final disclosure rules will mandate notification be done in every case. Should this occur as predicted, additional patient education will be needed to avoid the concerns mentioned above.

Further complicating matters is the fact that hospitals must adhere to HHS rules AND those at the state level. State laws in some cases are more onerous than federal laws and they continue to morph. Just trying to stay on top of all the changes may be reason enough to disclose every instance of breached information. Whether it contains protected health information (PHI) or not, some states require patient notification in every instance of the inadvertent release of certain i.d. information.

In next week’s post, we’ll cover whether small breaches are still reportable.

Guest Post: Over-Notifying Also Carries Risk – Current State of Breach Notification

Posted on October 13, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Some hospitals feel that, since the risk analysis only produces subjective results, why bother? They believe that the effort and expense incurred derives no real benefit for CE or patient, and they just notify the potentially affected patient in every instance.

In my opinion, notifying the patient for each breach is a little risky in itself. Patients often have no context in which to view a breach.

For example, losing a flash drive containing unencrypted PHI on 1,000 patients entails obvious risks – the risk of someone finding and misuing the information, for example. The law rightfully requires patient notification in such cases. However, if a patient’s record is inadvertently mailed to a house number that does not exist (perhaps due to a typo which transposed two digits), chances are good that the post office will either return the records to the sender or else the package will go undelivered.

If the records are not accounted for, it is generally accepted that it should be considered a breach; however, telling the patient this may raise an alarm about something that probably will not happen. A thorough risk analysis, although subjective, might conclude that such a breach did NOT have a “substantial risk of reputational or financial harm” to the patient. This was apparently HHS’s thinking when it required the risk analysis to be conducted.

In next week’s post, we’ll cover the possible changes to the breach notification rules.

Guest Post: Current State of HIPAA Breach Notification – Notify Patients…or Not?

Posted on I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Eight thousand providers. One question. When do we notify patients of a breach? I hear this question several times a week from all types of covered entities; hospitals, clinics and physician offices. Many are confused or misinformed about the answer. Furthermore, real world experience varies dramatically. Some providers notify everyone. Others notify only when necessary. What’s the answer?

First and foremost, you do not have to notify the patient each and every time there is a breach of protected health information (PHI). The law requires notification only if you meet one of two conditions:
1) When 500 or more records have been breached at the same time, you must notify the patients involved, OR
2) When you as the covered entity (CE) have conducted the required “risk analysis” and determined the patient (or patients) could suffer substantial financial or reputational harm.

The issue with the second requirement is the term “substantial”. It is very subjective and not fully defined within the rules. Conducting a risk analysis and determining the extent would appear to be a classic case of the fox guarding the hen house. As such, many observers expected hospitals NOT to notify, or perhaps under-notify, as the cost of a breach can be very high — both direct costs and the soft cost of reputational harm to the CE. However, we see providers taking a “better safe than sorry” approach and over-notifying.

In next week’s post, we’ll cover the risks of over-notifying after a breach.