Tag: HIPAA

OCR Breach Reporting: 2013 “Small Breach” Report due Saturday and Recent Settlement for Lack of Breach Notification Procedures

Amy Leopard

Guest post by Amy Leopard, partner, Bradley Arant Boult Cummings in Nashville, Tenn.

Don’t forget that the end-of-the-year reporting of Health Insurance Portability and Accountability Act (HIPAA) breaches of unsecured protected health information (PHI) discovered in 2013 is due Saturday, March 1, 2014.

Healthcare providers and health plans that are covered entities under HIPAA must report breaches of unsecured PHI affecting fewer than 500 individuals annually to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). These small breaches should already have been reported to each of the affected individuals, and reports to the OCR should include the actions to mitigate and remediate any breaches, even those affecting a single individual. Reports to the OCR of large breaches (those affecting 500 or more individuals) are made at the time of reporting to the affected individuals—that is, without unreasonable delay and in no case greater than 60 days.

Covered entities may report small breaches electronically at the OCR’s website: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.


Property and Casualty Alignment with HIPAA

Tina Greene

Guest post by Tina Greene, senior regulatory affairs consultant, Mitchell International.

Major healthcare regulatory mandates are going into effect at both the federal and the state level that will significantly affect property and casualty (P&C) insurance medical bill payers. The Administrative Simplification provisions of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II), state mandates for property and casualty eBilling, and other regulatory initiatives are forcing payers to understand these regulations’ requirements and to be prepared to implement new processes and technologies in order to be compliant. Federal healthcare administrative simplification offers payers an opportunity to prepare for compliance while meeting cost containment and operational efficiency objectives, positioning property and casualty payers for an all-electronic American healthcare future.

The concepts of eBilling and ePayment for medical bills are gaining traction throughout the healthcare arena, along with the adjacent P&C insurance industry. Medical providers and P&C payers are increasingly taking advantage of the benefits associated with electronic billing and payments, which include substantially lower transaction costs and increased efficiency for call centers, adjusters and finance departments.

Other non-legislative organizations are collaborating and recommending changes that could accelerate the impact on the P&C industry. For instance, the Workgroup for Electronic Data Interchange (WEDI), the International Association of Industrial Accident Boards and Commissions (IAIABC), the American Medical Association (AMA), and the Accredited Standards Committee of the American National Standards Institute (ASC X12) are all working to ensure standards to facilitate eBill exchange and adoption. The National Committee on Vital and Health Statistics (NCVHS), a public advisory body to the Secretary of Health and Human Services (HHS), periodically holds meetings to review health statistics and trends. And while the NCVHS does not set policy, it does provide analysis, insight and recommendations to HHS, with eBilling as a topic of likely review in the future. These organizations have collectively laid a path for how to participate in this new environment.


Providence Hospital Automates User Account Provisioning

Providence Hospital

Providence Hospital, located in downtown Columbia, South Carolina, is a 247-bed hospital founded in 1938 by the Sisters of Charity of Saint Augustine to minister to the community, in both body and spirit. The facility is best known for the expertise in cardiac care it provides through Providence Heart and Vascular Institute. With a hospital staff of more than 2,000 nurses, doctors and hospital administrators, Providence Hospital needed to standardize setup of user accounts and reduce the amount of time network engineers spent assigning rights in Active Directory.

Tony McNeil, technical manager said, “We have more demands on our department and we are not getting any additional staff because of the economic situation. Therefore, we have to work smarter and we need tools that help us work more efficiently.”

This became a perfect opportunity to put into action a permanent process for user account life cycle management utilizing Tools4ever’s complete User Management Resource Administrator solution.

Immediate delivery

Providence Hospital decided to implement UMRA to streamline the provisioning process from the time an employee is hired and entered into the hospital-developed, web-based security application to the time they are entered into Active Directory. The previous process took nearly two days to complete before a user was ultimately provisioned in all systems. Now the process allows for almost immediate creation of a user account with the correct provisioning. A web form allows for the assignment of group privileges and permissions to individual users. The application also creates the appropriate Exchange mailbox and creates a home folder for the employee on the appropriate share drive.


How Document Imaging Can Benefit the Healthcare Industry

The healthcare industry has to grapple with a lot of sensitive information of patients, and also deal with numerous stringent regulations. This is an industry that has to manage a considerable amount of information without compromising on its safety. From patients’ medical records to prescriptions, information needs to be maintained securely, but also be available for quick access to healthcare professionals.

With all the technological advancements being introduced each day, information has indeed become readily available in the modern world. As a result, healthcare professionals tend to get a larger amount of files and spend more time trying to manage these files. Fortunately, technology has also introduced ways for us to manage documents more efficiently. Document imaging is one of these ways.

What is Document Imaging?

Document imaging involves the conversion of paper documents into computer files and electronic images. There are a good number of document imaging software packages available, and they all allow you to retrieve your documents within seconds. The benefits offered by a document imaging system are such that many companies and organizations all over the world are now using it in lieu of the traditional paper filing system.

Benefits of Document Imaging

These are the most notable benefits of having a document imaging system:

– It prevents the loss of important records and documents. A while ago, an article in BioSpace spoke about China halting shipments of HIV therapy because of a missing regulatory document. That could never happen with document imaging and cloud-based sharing.

– It allows you to save a great deal of physical storage space and use it for other important purposes.

– It helps you manage your records efficiently. SureClinical has given healthcare companies a cloud-based ecosystem that helps them manage content. Collaborative cloud digital signing functionality gives clients the opportunity to adhere to EsMD or Electronic Trial Master File Standard, which is a part of the US Medicare program.


Trendwatch 2014: The Role of IT in Population Health Management

Bill Walker

Guest post by Bill Walker, chief technology officer, Aegis Health Group.

For the last several years, there has been an increasing emphasis by the federal government on digitizing the healthcare industry. The allocation of meaningful use dollars to physician practices for converting to electronic health records was only the beginning. The Affordable Care Act (ACA) was the seminal event that demonstrated without a doubt that electronic management of patient information was going to be an absolute requirement if hospitals and health systems are to survive.

The ACA puts healthcare organizations at financial risk for duplication of services, lapses in care coordination and questionable patient safety practices. Population health management demands that electronic patient records be accessible for planning, managing and tracking care coordination. But the fact is fully managing the continuum of care for a patient cannot be achieved without data collection both inside and outside the hospital’s walls. This is a trend that will take on increased importance as healthcare reform rolls out in 2014.

Health systems with forward-thinking HIT executives saw the writing on the wall after the ACA became law and began converting their organizations to electronic medical records. Systems that are considering becoming accountable care organizations (ACOs) – and accepting value-based reimbursement, which will become the predominant reimbursement model – need to find ways to track the health status of individuals in their community before they become patients. How? By embracing the use of technology that closes the healthcare loop before people even know they need those services.


Benefits of ICD-10 in Casualty Claims

Michele Hibbert-Iacobacci

Guest post by Michele Hibbert-Iacobacci, vice president, Mitchell International.

The casualty claim arena involves evaluating and paying claims for claimants who have suffered an auto accident or workers’ compensation injury. This side of the health payment continuum has been omitted from the Health Insurance Portability and Accountability Act (HIPAA) as a covered entity.

This means that casualty claim insurers are not required to abide by the standards set forth in HIPAA and that these standards only apply to the health payer. Omitting the ICD-10 in casualty claims from standards does have merit, but when it comes to standardization, all health claims should be adjudicated and paid in the same manner. Why should a provider charge differently and be paid differently when the payer of the claim is not on the health side? This is a question many casualty payers ask and not being part of the standardization only raises the question more.

Covered entities have no option: claims they submit must be compliant with the International Classification of Diseases, 10th Revision (ICD-10) by October 1, 2014. Why is it a good idea to omit the casualty payer from these standards if the majority of health payments are made using this new standard? In addition, if providers are covered entities, then why would the casualty payer not speak the same code language? It’s almost like trying to communicate in a foreign country without the benefit of knowing the language.


Mobile Technology Core to HIT Implementation for Transforming Healthcare

Bettina Experton

Guest post by Bettina Experton, MD, MPH, president and CEO, Humetrix.

Mobile technology is core to HIT implementation. A silent revolution took place on September 23 this year when the HIPAA omnibus rule took effect, giving Americans the right to obtain electronic copies of their health records. But how can this new right be exercised at scale to transform healthcare nationwide? How do we help patients better coordinate their care and ensure their safety by getting their health records into their own hands?

The scalable computing device of choice in the hands of many is a smartphone, now owned by more than 50 percent of the population, and for many the only computing device they use daily to access information on the Internet. Clearly, electronic access to health records would be best provided on the very mobile device most of us carry at all times, especially when navigating a complex health care system with multiple and dispersed providers.

Electronic copies of health records on CDs or flash drives are not only tools of the past, but also perpetuate the barriers and complexity most of us have to face when requesting copies of our records. Desktop and portal-only solutions are also not the optimum approach to consumer-directed health information exchange, since these cannot be available at the point of care where patients need to share their medical history in the most convenient and expedient way. Mobile is, therefore, central to health information exchange policies and new care delivery models built on patient-centered care, and should not be an afterthought or secondary implementation to dated patient portal systems.


Risk Management Concerns Arising Out of HITECH and the Hospital Re-admission Penalties Program

Guest post by James Hofert, Roy Bossen, Linnea Schramm and Michael Dowell, all partners with Hinshaw & Culbertson.

James Hofert

New federal healthcare legislation and its implementing regulations seek to exert control over multiple aspects of patient care. The Health Information Technology for Economic and Clinical Health Act (“HITECH”)[i], with staged implementation through 2016, seeks not only to promote implementation of electronic health record systems (“EHR”), but also to regulate electronic communications of health information by and between the patient, physician, hospitals and other healthcare institutions so as to enhance care quality and care coordination and reduce costs.

HITECH further envisions implementation of clinical decision support algorithms for the diagnosis and treatment of disease both during admission and after discharge. The Hospital Readmission Reduction Program[ii], effective October 1, 2012, consistent with the objectives of HITECH, seeks to financially penalize hospitals for higher than standardized readmission rates for heart failure, acute MI and pneumonia. The Centers for Medicare and Medicaid Services (“CMS”) intends to expand application of the program to readmission for COPD, elective total hip arthroplasty and elective total knee arthroplasty in 2015[iii]. Consistent with the preventative care goals found in HITECH, which aim to mitigate further health care problems, CMS has refused to adjust the re-admission penalty program to account for readmissions unrelated to the patient’s initial hospitalization, even though such a readmission could be considered to be outside the hospital’s or physician’s control[iv].


Survey Finds that Cloud Computing Is Becoming More Prevalent in Healthcare

According to the 2013 Desktop Virtualization Trends in Healthcare report from Imprivata, the third annual survey about the adoption rates and benefits of desktop virtualization and cloud-based applications in healthcare, cloud computing is becoming more prevalent in healthcare.

The use of Server Hosted Virtual Desktops (SHVD) is up 39 percent and the use of Server Based Computing (SBC) is up 23 percent from last year’s survey.

The study also indicates that a mixed use of both SBC and SHVD is becoming more commonplace, with 49 percent of respondents indicating that they are using both technologies today (compared with 23 percent from the 2012 survey).

In addition to desktop virtualization, the Imprivata survey also asked healthcare organizations about current and planned adoption of cloud computing. The results indicate that the adoption of cloud-based applications and services is increasing more rapidly than expected, with 30 percent of survey respondents stating that they use cloud computing today (up from nine percent from the 2012 survey).


Decoding the New HIPAA Privacy and Security Rules

Andrew Hicks

Guest post by James D. Brown, CTO, StillSecure, and Andrew Hicks, director, healthcare practice lead, Coalfire.

In January, the U.S. Department of Health and Human Services (HHS) announced updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. These new rules took effect on March 26, and business associates have until September 23, 2013, to reach compliance. Under HIPAA, a business associate is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of electronic protected health information (ePHI) on behalf of, or provides services to, a covered entity. So what exactly do these new rules mean for our partners and clients?

First, it is important to note that the new rules are really just formalizing and strengthening many of the changes that were announced in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), which clearly defines when HHS needs to be notified of a breach, as well as increases the penalties applied around non-compliance.

James D. Brown

Also, the biggest change that should be noted is that the relationships between business associates and their subcontractors (for example, a health information organization and its cloud service provider) are now assumed to be governed by a business associate agreement (BAA). In the past, subcontractors could choose to opt out of signing any agreement, which essentially limited their liability should HHS come knocking. Under the new regulations, it is clear that any party that comes in contact with actual ePHI must sign a formal business associate agreement, making each and every subcontractor liable during a breach.

Stated differently, this means that anyone who deals with ePHI should carefully read the new rules and understand how they will be directly liable for compliance. We will start to see a shake out in the business associate companies – healthcare facilities should closely examine whether a business associate agreement is signed just to win business, or is signed by a company that actually will be accountable for HIPAA requirements and take them seriously throughout the course of the relationship.

It is also important to note that under the new regulations, it is crystal clear that business associates are directly liable for compliance and can be fined, along with the actual health care provider as a covered entity.

Here are the top five issues that organizations need to be aware of:

1. Not knowing that they need to be compliant. Many people do not realize that shredding companies and office cleaning crews that may see patient data without realizing it are now liable. Anyone that has access to ePHI, regardless of their position and how far removed they are from the covered entity, is in full scope now.

2. Lack of a solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives. This makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.

3. Risk analysis and data classification. Under HIPAA, there is a clear requirement that companies complete a thorough risk assessment of the storage, processing and transmission of ePHI data. This risk to data needs to be clearly defined, and any controls that are in place need to be outlined.

4. Controlling the flow of ePHI data via mobile devices. While there is not a requirement within HIPAA that specifically addresses mobile devices, iPads, iPhones and Androids frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place, including passwords and remote capabilities, to protect this data.

5. Encryption. There seems to be a lot of confusion around encryption, as many people translate this addressable specification as being optional. Some organizations see “encryption” and, after evaluating what it entails, decide that it costs too much money or treat it as optional. If there is a security breach, HHS officials will first ask if the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that are in place surrounding data that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged. We cannot stress enough how thorough this documentation should be. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.

We continue to see these issues every day. The bottom line is that organizations should thoroughly read through the new rules and engage with third-party vendors to make sure that they are covered and can avoid paying penalties. Those interested in exploring a third-party solution should ensure that their prospective vendor provides a suite of proven network security and compliance technologies, compliance data center policies and procedures, and round-the-clock analyst coverage to monitor and manage networks.

James D. Brown is responsible for overall product and services strategies, and architecture and implementation of StillSecure’s product suite. James has tremendous experience in both public and private cloud security and helped create the industry’s first comprehensive Cloud Security Services Platform that supports physical, virtual and multi-tenant environments. Brown has more than 20 years of experience in the network security, IT, telecommunications, and human resources industries.

Andrew Hicks, director, healthcare practice lead, Coalfire, has over 10 years of experience in IT governance including responsibilities specific to the IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance spaces. His experience and understanding of business processes and technology has allowed him to excel in the areas of policy development, internal control design and testing, project management, system development reviews, and risk mitigation.