HIPAA Solutions, LC   

Comprehensive Resources for HIPAA Compliance  

Simplify compliance efforts by implementing the structured approach to compliance provided by the HIPAA ComplyPAK™ suite of compliance software tools.  These easily implemented web-based tools focus on compliance for specific job functions in any Covered Entity or Business Associate organization.

The HIPAA ComplyPAK™ software solution enables users to automate the regulatory process of tracking internal uses, (all forms of PHI and its physical location, employee access, and access restrictions if any), through a centralized interface. 

The "Internal Use Tracking Reports" can be used in roles-based access analysis and determinations for other software systems storing PHI.  The HIPAA ComplyPAK™ software automates the "Accounting of Disclosures" process and produces job specific disclosure reports that satisfy all legal requirements.   

HIPAA ComplyPAK™ focuses on enterprise-wide efforts to ensure compliance by all individual employees and includes the following features:  

• Provides the ability to record every Access disclosure,
• Provides customized and accurate access procedures for each specific job function according to that job function's use of PHI relating to access.
• Can be customized to monitor when employees read and follow procedures, including the amount of time the employee spent reading the procedure and providing for an employee sign-off for verification of understanding.
• Procedures and policies are provided to each employee and are specific to each employee's account. Updates for changes in the law to ensure ongoing compliance are also provided.
• Enables an employer to track and monitor employee compliance activity easily and from a centralized user interface.
• Provides a downloadable and reusable customizable "Access" form that is a part of a form library that can be signed by patients to be uploaded and stored by users . 

Learn more about how HIPAA ComplyPAK™ can save time and money associated with compliance. Contact HIPAA Solutions, LC toll free at 877-779-3004 or use the link below to request information.

HIPAA ComplyPAK™ ensures that compliance actions are taken and documented as proof of compliance. It also allows Privacy and Security Officers to effectively monitor compliance activity by employees. 

New Era of HIPAA & HITECH Enforcement in 2011 

Emphasis on Importance of Good Business Processes

A simple Google search on the term "HIPAA enforcement" will return approximately 1.3 million plus responses.  This is a clear indication that, as most of those involved in any area related to healthcare know, HIPAA enforcement is a reality and a concern to a great number of people.

Because of the evolving enforcement environment, this HIPAA Alert is focused on addressing critical tasks that should be undertaken by any organization subject to the HIPAA and HITECH regulations.  If any entity wishes to reduce risks of non-compliance and breaches, it must ensure that there is organziation-wide preparation for enforcement.

This is the first in a series of HIPAA Alerts from HIPAA Solutions, LC focused on practical compliance.,  It will provide examples of tasks and solutions for a common sense approach to compliance.  A review and summary of recent examples of HIPAA enforcement activity in 2011 is in order prior to discussing compliance strategies.

The first enforcement example involves the Maryland-based Cignet Healthcare group.  This entity failed to provide medical records to patients which involved failed business processes (Privacy issue). The result was a fine amounting to $4.3 million.   

The second example involves a Massachusetts General Hospital employee who lost hard copy medical records containing sensitive data that had been taken out of the office for review.  Again, this involved failed business processes and resulted in a $1 million fine.  

It is important to note that neither of these major enforcement actions involved a "high-tech" breach".  Both of these cases were the result of business process failures which could have been avoided. 

So, what tasks and solutions could help any Covered Entity (CE) or Business Associate (BA) avoid the same types of failures?  Following are practical approaches to address some of the business process issues.  

• COMPLIANCE TASK - Organizations should track and record all employee use of PHI in any state, format or condition.  This would give a CE or BA a clear 'map' or picture of both its ePHI and hard-copy PHI.  Employers would then be better able to restrict access and place conditions appropriate to access, use and transport of all PHI types of data.  In addition, an entity should use sign-in and sign-out sheets for any employee that may be involved in transporting hard-copy PHI and those employees should be properly trained on securing and protecting that information when it is under their control. 
• COMPLIANCE TASK - Any CE or BA impacted by HIPAA should 1) implement clear and understandable procedures and 2) ensure that employees have read the procedures and are following them in daily activities.  As an example for CEs, "patient access failures" can be avoided if all employees know and understand the rules and follow them.  Monitoring and tracking employee's usage of procedures will help in ensuring that proper actions are taken for patient access requests. 

           HIPAA Solutions, LC    

Comprehensive Resources for HIPAA Compliance

HIPAA Alert

HIPAA & HITECH - "Meaningful Use"

Incentive Payments & REAL HIPAA Compliance - What you need to know

 
HHS has defined its intention under the subtitle "Stage 1 Criteria for Meaningful Use, Objectives" as follows: 
 
"Compliance with HIPAA privacy and security rules is required for all covered entities, regardless of whether they participate in the EHR incentive programs or not.  Furthermore, compliance constitutes a wide range of activities, procedures, and infrastructure.   We propose to rephrase the objective to ensure that meaningful use of the certified EHR technology supports compliance with the HIPAA Privacy and Security Rules and compliance with fair sharing data practices outlined in the Nationwide Privacy and Security Framework, but do not believe meaningful use of certified EHR technology is the appropriate regulatory tool to ensure such compliance with the HIPAA Privacy and Security Rules."  
 
In other words, HHS is saying that 1) HIPAA compliance is significant and 2) that real enforcement will be used to ensure that CEs and BAs comply with all legal requirements, including HITECH Act requirements.  HHS is not relying on the promise of funds as the "carrot" on the stick to lead CEs to compliance.  But, if an organization takes all of the steps necessary to achieve and maintain compliance with HIPAA, accessing stimulus funds may be much easier.      

Furthermore, in the Code of Federal Regulations, 45 CFR § 495.6 entitled "Meaningful use objectives and measures for EPs, Eligible hospitals, and CAHs", HHS defined "Stage 1 Criteria for "Eligible Professionals," EP's, (i.e., physicians), "Eligible Hospitals," and "Critical Access Hospitals" as follows: 
 
"Stage 1 criteria for EPs and eligible hospitals or CAHs - An EP, eligible hospital or CAH must satisfy the following objectives and associated measures:
 
(17)(i) Objective - Protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities.  (ii) Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary."
 
45 CFR 164.308(a)(1) requires a "Risk Assessment" and includes the overall "General rule" of the Security Rule found at 45 CFR § 164.306, entitled "Security Standards General Rules."  
 
This General Rule requires that covered entities, (or EP's CAH's and Eligible Hospitals), comply with the Privacy rule.  For example, the General Rule states in relation to "subpart E" or the Privacy as follows:  
 
"Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part."
 
Question - So what does all of this legalese actually mean to your organization in the context of implementing health IT, HIE, or compliance in general? 
 
Answer - It's time to take HIPAA / HITECH compliance seriously in daily operations, IT infrastructure and overall governance of business processes.  
 
While most organizations have made some effort to comply with HIPAA (and believe they've done a fairly good job), in the "evolving environment" of HIPAA enforcement (i.e., audits and class action lawsuits), a "verification audit" of an organization's compliance status is a good strategy to ensure that the organization is safe and truly compliant.
 
Remember, real HIPAA compliance means taking actions and documenting those actions that impact business processes and network security.  If an organization is considering implementation of EMR, HIE or HIT technology, or if a recent audit or assessment has not been conducted to identify GAPS in compliance, now is a good time to consider a high level audit. 
 
There are a wide variety of actions that must take place and every organization must take them according to what the truly organization does and how it operates.   

As a caveat, don't be fooled by partial technology solutions and boilerplate documents.  These approaches do not guarantee compliance, but provide the illusion of compliance.  If an organization is audited, illusions of compliance are NOT the reality of compliance.   Poor corporate compliance strategies may bring high risks in the medium term.  

If you would like to discuss how a high level compliance audit or how the use of compliance software tools can assist you in achieving and maintaining compliance, contact HIPAA Solutions, LC.   
 

CLICK HERE TO REQUEST INFORMATION ON RELIABLE HIPAA RESOURCES

____________________

HIPAA Solutions, LC - Nationally Recognized Expertise in Compliance for Covered Entities & Business Associates

An excellent first step towards addressing compliance in the new HIPAA regulatory environment is to thoroughly audit or assess business processes and IT infrastructure.  This should involve both the Privacy and Security rules.  Compliance means every healthcare organization must know how PHI is used, disclosed or accessed.  And, of great importance, proper procedures must be followed and documented. 

At a time when tight budgets and limited staffs make evaluating compliance a daunting effort, these assessments provide a cost-effective and reliable option that is provided by nationally recognized HIPAA experts.

____________________

Contact HIPAA Solutions, LC to learn more about the special assessments for evaluating compliance status.  HSLC is a nationally recognized organization that provides a wide range of resources for comprehensive HIPAA compliance.  These resources include consulting, audits, training and software tools that address HIPAA compliance needs. Contact us toll free at (877) 779-3004 or e-mail info@hipaasolutions.org to learn more about these resources.

The content of this Alert is for informational purposes and not intended as legal advice.

© 2010 HIPAA Solutions, LC

      HIPAA Solutions, LC    

Comprehensive Resources for HIPAA Compliance

HIPAA Alert

HIPAA & HITECH Stronger Enforcement Environment  

"Secondary Enforcement" & Civil Litigation Create New Worries for CEs & BAs   

Reducing the risks of non-compliance with new rules enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA), means that every Covered Entity (CE) and Business Associate (BA) should take a hard look at their current levels of compliance with HIPAA on an enterprise-wide basis.

In the past, when questions arose about the right of an individual to sue using HIPAA, the quick answer was usually, "No - a person cant sue using HIPAA."  While that answer has been widely accepted and spread on the internet for years, the enforcement arena has changed.  

So, why should anyone worry about litigation and individual lawsuits now if your organization is either a Covered Entity (CE) or a Business Associate (BA)? There's a simple answer . . . the HITECH Act is the new HIPAA "sheriff" in town and HITECH has changed the face of enforcement with serious penalties for non-compliance. 

Of more than passing interest is the fact that HITECH allows "Class Action" lawsuits as a method of enforcing HIPAA.  The excerpts in this newsletter from recent health sector publications by the AMA and Health Data Management point out some of the pitfalls waiting for those who take compliance lightly. 

The Attorney General of the State of Connecticut has just initiated the first class action lawsuit against related to the new regulations.  While the purpose of this HIPAA Alert is not to re-iterate what can be found on the Internet concerning the first HIPAA class action lawsuit, the articles provide a basis for providing some practical tips on what it can mean to your organization.

A recent amednews.com headline gives the bad news for non-compliance . . .   

"Connecticut sues Health Net over data security breach."  
 
The article gives the following details . . .  "The insurer becomes the first plan sued under a new law allowing attorneys general to enforce HIPAA privacy laws..."

In addition, Connecticut Attorney General Blumenthal warned . . ."Sadly, this lawsuit is historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA." 
 
Another article on the Health Data Management website also described the lawsuit in the following manner . . . . "Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices. He also seeks civil fines."
 
So, from a practical standpoint, what does this really mean for other CEs or BAs and how does this impact your organization?  The following tips explain how you can avoid some of the risks associated with the trend towards stronger enforcement. 
 
Practical TIP #1:  No matter how many times you have heard the phrase - "HIPAA will never be enforced," or ,a personal favorite, "You have a better chance of getting struck by lightning than being audited under HIPAA," . . . Audits and Enforcement are here to stay.  That means it's a good time to take a serious look at your full compliance process in both privacy and security and consider an audit or assessment to identify areas that need improvement. Using software tools such as the HIPAA ComplyPAK© to assist with managing the compliance process can also be a positive step towards achieving compliance. 
 
Practical TIP #2:  Accurately track all portable devices in your organization in accordance with all appropriate Privacy Regulations.  That's right, if you're going to make the effort to track your portable devices, then follow all Privacy Rule regulations relating to this activity.  If you have any question on what this means, you can contact HIPAA Solutions for a more thorough discussion.

 
Practical TIP #3:  Make sure that you are complying with all parts of the "old" HIPAA regulations, including both privacy and security . . . AND comply with all parts of the HITECH Act.  That means you should make a real effort to ensure that your compliance process is up to date with all changes in the law.  Please note, the HITECH Act adds a lot of new compliance  issues, including the need for conducting Risk Assessments in the event of a breach of unsecured PHI.

If you need to discuss how an audit of compliance status or using compliance software tools can assist you in achieving and maintaining compliance, contact HIPAA Solutions, LC.