HIPAA Solutions, LC    

Comprehensive Resources for HIPAA Compliance

March 25, 2010 - HIPAA Alert

HIPAA & HITECH - "Meaningful Use"

Incentive Payments & REAL HIPAA Compliance - What you need to know

 
HHS has defined its intention under the subtitle "Stage 1 Criteria for Meaningful Use, Objectives" as follows: 
 
"Compliance with HIPAA privacy and security rules is required for all covered entities, regardless of whether they participate in the EHR incentive programs or not.  Furthermore, compliance constitutes a wide range of activities, procedures, and infrastructure.   We propose to rephrase the objective to ensure that meaningful use of the certified EHR technology supports compliance with the HIPAA Privacy and Security Rules and compliance with fair sharing data practices outlined in the Nationwide Privacy and Security Framework, but do not believe meaningful use of certified EHR technology is the appropriate regulatory tool to ensure such compliance with the HIPAA Privacy and Security Rules."  
 
In other words, HHS is saying that 1) HIPAA compliance is significant and 2) that real enforcement will be used to ensure that CEs and BAs comply with all legal requirements, including HITECH Act requirements.  HHS is not relying on the promise of funds as the "carrot" on the stick to lead CEs to compliance.  But, if an organization takes all of the steps necessary to achieve and maintain compliance with HIPAA, accessing stimulus funds may be much easier.      

Furthermore, in the Code of Federal Regulations, 45 CFR § 495.6 entitled "Meaningful use objectives and measures for EPs, Eligible hospitals, and CAHs", HHS defined "Stage 1 Criteria for "Eligible Professionals," EP's, (i.e., physicians), "Eligible Hospitals," and "Critical Access Hospitals" as follows: 
 
"Stage 1 criteria for EPs and eligible hospitals or CAHs - An EP, eligible hospital or CAH must satisfy the following objectives and associated measures:
 
(17)(i) Objective - Protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities.  (ii) Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary."
 
45 CFR 164.308(a)(1) requires a "Risk Assessment" and includes the overall "General rule" of the Security Rule found at 45 CFR § 164.306, entitled "Security Standards General Rules."  
 
This General Rule requires that covered entities, (or EP's CAH's and Eligible Hospitals), comply with the Privacy rule.  For example, the General Rule states in relation to "subpart E" or the Privacy as follows:  
 
"Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part."
 
Question - So what does all of this legalese actually mean to your organization in the context of implementing health IT, HIE, or compliance in general? 
 
Answer - It's time to take HIPAA / HITECH compliance seriously in daily operations, IT infrastructure and overall governance of business processes.  
 
While most organizations have made some effort to comply with HIPAA (and believe they've done a fairly good job), in the "evolving environment" of HIPAA enforcement (i.e., audits and class action lawsuits), a "verification audit" of an organization's compliance status is a good strategy to ensure that the organization is safe and truly compliant.
 
Remember, real HIPAA compliance means taking actions and documenting those actions that impact business processes and network security.  If an organization is considering implementation of EMR, HIE or HIT technology, or if a recent audit or assessment has not been conducted to identify GAPS in compliance, now is a good time to consider a high level audit. 
 
There are a wide variety of actions that must take place and every organization must take them according to what the truly organization does and how it operates.   

As a caveat, don't be fooled by partial technology solutions and boilerplate documents.  These approaches do not guarantee compliance, but provide the illusion of compliance.  If an organization is audited, illusions of compliance are NOT the reality of compliance.   Poor corporate compliance strategies may bring high risks in the medium term.  

If you would like to discuss how a high level compliance audit or how the use of compliance software tools can assist you in achieving and maintaining compliance, contact HIPAA Solutions, LC.   
 

CLICK HERE TO REQUEST INFORMATION ON RELIABLE HIPAA RESOURCES

____________________

HIPAA Solutions, LC - Nationally Recognized Expertise in Compliance for Covered Entities & Business Associates

An excellent first step towards addressing compliance in the new HIPAA regulatory environment is to thoroughly audit or assess business processes and IT infrastructure.  This should involve both the Privacy and Security rules.  Compliance means every healthcare organization must know how PHI is used, disclosed or accessed.  And, of great importance, proper procedures must be followed and documented. 

At a time when tight budgets and limited staffs make evaluating compliance a daunting effort, these assessments provide a cost-effective and reliable option that is provided by nationally recognized HIPAA experts.

____________________

Contact HIPAA Solutions, LC to learn more about the special assessments for evaluating compliance status.  HSLC is a nationally recognized organization that provides a wide range of resources for comprehensive HIPAA compliance.  These resources include consulting, audits, training and software tools that address HIPAA compliance needs. Contact us toll free at (877) 779-3004 or e-mail info@hipaasolutions.org to learn more about these resources.

The content of this Alert is for informational purposes and not intended as legal advice.

© 2010 HIPAA Solutions, LC

      HIPAA Solutions, LC    

Comprehensive Resources for HIPAA Compliance

February 1, 2010 - HIPAA Alert

HIPAA & HITECH Stronger Enforcement Environment  

"Secondary Enforcement" & Civil Litigation Create New Worries for CEs & BAs   

Reducing the risks of non-compliance with new rules enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA), means that every Covered Entity (CE) and Business Associate (BA) should take a hard look at their current levels of compliance with HIPAA on an enterprise-wide basis.

In the past, when questions arose about the right of an individual to sue using HIPAA, the quick answer was usually, "No - a person cant sue using HIPAA."  While that answer has been widely accepted and spread on the internet for years, the enforcement arena has changed.  

So, why should anyone worry about litigation and individual lawsuits now if your organization is either a Covered Entity (CE) or a Business Associate (BA)? There's a simple answer . . . the HITECH Act is the new HIPAA "sheriff" in town and HITECH has changed the face of enforcement with serious penalties for non-compliance. 

Of more than passing interest is the fact that HITECH allows "Class Action" lawsuits as a method of enforcing HIPAA.  The excerpts in this newsletter from recent health sector publications by the AMA and Health Data Management point out some of the pitfalls waiting for those who take compliance lightly. 

The Attorney General of the State of Connecticut has just initiated the first class action lawsuit against related to the new regulations.  While the purpose of this HIPAA Alert is not to re-iterate what can be found on the Internet concerning the first HIPAA class action lawsuit, the articles provide a basis for providing some practical tips on what it can mean to your organization.

A recent amednews.com headline gives the bad news for non-compliance . . .   

"Connecticut sues Health Net over data security breach."  
 
The article gives the following details . . .  "The insurer becomes the first plan sued under a new law allowing attorneys general to enforce HIPAA privacy laws..."

In addition, Connecticut Attorney General Blumenthal warned . . ."Sadly, this lawsuit is historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA." 
 
Another article on the Health Data Management website also described the lawsuit in the following manner . . . . "Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices. He also seeks civil fines."
 
So, from a practical standpoint, what does this really mean for other CEs or BAs and how does this impact your organization?  The following tips explain how you can avoid some of the risks associated with the trend towards stronger enforcement. 
 
Practical TIP #1:  No matter how many times you have heard the phrase - "HIPAA will never be enforced," or ,a personal favorite, "You have a better chance of getting struck by lightning than being audited under HIPAA," . . . Audits and Enforcement are here to stay.  That means it's a good time to take a serious look at your full compliance process in both privacy and security and consider an audit or assessment to identify areas that need improvement. Using software tools such as the HIPAA ComplyPAK© to assist with managing the compliance process can also be a positive step towards achieving compliance. 
 
Practical TIP #2:  Accurately track all portable devices in your organization in accordance with all appropriate Privacy Regulations.  That's right, if you're going to make the effort to track your portable devices, then follow all Privacy Rule regulations relating to this activity.  If you have any question on what this means, you can contact HIPAA Solutions for a more thorough discussion.

 
Practical TIP #3:  Make sure that you are complying with all parts of the "old" HIPAA regulations, including both privacy and security . . . AND comply with all parts of the HITECH Act.  That means you should make a real effort to ensure that your compliance process is up to date with all changes in the law.  Please note, the HITECH Act adds a lot of new compliance  issues, including the need for conducting Risk Assessments in the event of a breach of unsecured PHI.

If you need to discuss how an audit of compliance status or using compliance software tools can assist you in achieving and maintaining compliance, contact HIPAA Solutions, LC.