Using ‘Secure FAX’ to comply with HIPAA’s ‘SafeGuards Principle’

There are various concerns when healthcare organizations urgently need to send important and sensitive information, such as protected health information (PHI), via facsimile: anyone with physical access to the phone lines and some technical expertise can eavesdrop on phone calls and FAXes, and thus obtain any PHI sent by fax. HIPAA deals with FAXes in the “SafeGuards Principle”, which states that ‘Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.’

With email, there are many physical, technical, and administrative safeguards that are easy to apply. With FAXes, the situation is very different, because:

* There is no easy way to secure a FAX transmission between two parties unless both are set up with special encrypting fax machines. Few organizations have such tools; they are expensive, and to be useful, everyone must have compatible machines.
* Everyone already uses insecure FAX machines.
* FAXes are often left on the FAX machine for some period of time after they arrive. This makes the sensitive information available to anyone walking by the machine.
* FAX machines often save copies of received FAXes internally. This makes it possible for anyone with access to the FAX machine to print out additional copies of the sensitive material.
* FAX machines generally print the transmitted messages on paper. This paper, if not destroyed, could end up in an insecure location.

To combat this situation, you need to opt for “Secure FAX” services over the internet. These services secure your information through the following process:

* You access their web site using a secure (SSL) connection.
* You log in and upload the materials to be “FAXed” (possibly after first scanning the document and saving it on your computer).
* You enter an email address and possibly a FAX number of the recipient.
* The pages that you are “FAXing” are encrypted and saved in a database at your FAX service provider.
* The “FAX” recipient gets an email or FAX notifying them that they have a “FAX” and that they need to go to a web site to “pick it up”.
* The recipient goes to the web site and downloads the “FAX” over a secure (SSL) web connection.

This transmission of information is secure end-to-end because:

* The transmission from the sender to the server is secured.
* The temporary storage is secured.
* The transmission from the server to the recipient is secured.
* An audit trail may be available to track the process, for improved compliance.
* Authentication of the sender and/or recipient may be present, for improved compliance.

This is obviously a more secure method of transmitting PHI than a classical FAX.
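The upload, notify and pick-up flow described above, modelled as an added Go example (written for this page, not code from any Secure FAX provider): each upload is encrypted at rest under its own AES-256-GCM key, the recipient receives a random pickup token of which only a hash is stored, pickup requires the token plus the matching recipient address and is refused once the link has expired or been used, and every step, including refusals, lands in an audit trail. The service, field and function names and the KMS remark are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

type storedFax struct { // one upload at rest: ciphertext plus a hash of the pickup token
	recipient              string
	key, nonce, ciphertext []byte // per-document AES-256-GCM key (assumption: KMS-wrapped in production)
	tokenHash              [32]byte
	expires                time.Time
	pickedUp               bool
}
type FaxService struct { // the provider's database plus the audit trail the page mentions
	faxes map[string]*storedFax
	Audit []string
}
func NewFaxService() *FaxService { return &FaxService{faxes: map[string]*storedFax{}} }
func (s *FaxService) log(event, id string) {
	s.Audit = append(s.Audit, fmt.Sprintf("%s %s id=%s", time.Now().UTC().Format(time.RFC3339), event, id))
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error (Go 1.24+)
	return b
}

// Upload encrypts the pages (recipient bound as AEAD associated data); only a hash of the returned pickup token is stored.
func (s *FaxService) Upload(sender, recipient string, pages []byte, ttl time.Duration) (id, token string) {
	key, nonce := randBytes(32), randBytes(12)
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	id, token = fmt.Sprintf("%x", randBytes(8)), fmt.Sprintf("%x", randBytes(32))
	s.faxes[id] = &storedFax{
		recipient: recipient, key: key, nonce: nonce,
		ciphertext: aead.Seal(nil, nonce, pages, []byte(recipient)),
		tokenHash:  sha256.Sum256([]byte(token)), expires: time.Now().Add(ttl),
	}
	s.log("upload sender="+sender, id)
	return id, token
}
// Pickup is the authenticated download: constant-time token check, recipient must match, link neither expired nor already used.
func (s *FaxService) Pickup(id, recipient, token string) ([]byte, error) {
	f, ok := s.faxes[id]
	h := sha256.Sum256([]byte(token))
	if !ok || f.pickedUp || time.Now().After(f.expires) || f.recipient != recipient ||
		subtle.ConstantTimeCompare(h[:], f.tokenHash[:]) != 1 {
		s.log("pickup-denied", id) // denials are part of the audit trail too
		return nil, fmt.Errorf("pickup denied for fax %s", id)
	}
	block, _ := aes.NewCipher(f.key)
	aead, _ := cipher.NewGCM(block)
	pages, err := aead.Open(nil, f.nonce, f.ciphertext, []byte(recipient))
	if err != nil {
		return nil, err // stored ciphertext or recipient was tampered with
	}
	f.pickedUp = true
	s.log("pickup-ok", id)
	return pages, nil
}
```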


Posted on : Jun 26 2010
Posted under General, Guide, In the news, Privacy & security, Products, Strategy, Tips |

Is UW’s fundraising drive violating HIPAA by misusing PHI?

Though HIPAA goes to great lengths to protect PHI, it allows covered entities to use or disclose to a business associate or institution-related foundation two types of protected health information (PHI) without specific permission: basic demographic information relating to an individual, and the dates of health care provided to an individual. Information about diagnosis or treatment is off-limits, but federal and state laws allow hospitals, in most cases, to use a patient’s name, address, contact information, dates of hospital service, gender, age and insurance status in fundraising efforts.

Despite being legal, the practice, widely used by other nonprofit hospitals here and across the country, has raised eyebrows before mainly because people mistakenly lump health-care fundraising with those annoying commercial telemarketing calls that interrupt dinner, says William McGinly, president and CEO of the Association of Healthcare Philanthropy.

“It is a common misunderstanding,” he said. “Fundraising is a part of health-care operations.”

The UW’s fundraising drive, which began in April and ended early this month, ultimately raised nearly $28,000, but the way it has used PHI has annoyed many. Finn, a 62-year-old retired CPA who lives on Queen Anne Hill and a one-time patient at the UW, was astounded when he got a call on his unlisted telephone number seeking a donation, and the caller told him the information had come from patient records.

The callers were primarily students under contract to the UW and trained in HIPAA privacy rules. This year, about 150 former patients of the nearly 6,000 who were solicited opted out of having their names on the fundraising list, but when Finn tried, he found it wasn’t as easy as he thought it should be.

In frustration, he called the UW’s privacy office to complain, and finally, when he went to the hospital, he was given a 16-page tome entitled “Joint Notice of Privacy Practices of UW Medicine and Certain Other Providers.”

The notice explains how a patient’s data may be used, and notes that phone solicitors don’t have access to “diagnosis or treatment information” and must agree to keep the information they do see confidential.

Finn said he was disturbed because HIPAA bars using patient information for commercial purposes.

“Excuse me, but raising millions of dollars to support UW — a commercial enterprise hiding behind a not-for-profit mask — certainly sounds like a bending of the rules to suit a purpose,” he said. “You just feel as though your privacy is being violated. … Just because HIPAA might allow UW to do this does not make it right.”


Posted on : Jun 02 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Strategy |

ePharmaSolutions joins hands with iTrials for better patient recruitment process

ePharmaSolutions, a leading provider of clinical research technologies and services, has joined hands with iTrials to help improve the site selection and patient recruitment process. For this, ePharmaSolutions will integrate iTrials’ longitudinal patient database into its CRID (Clinical Research Investigator Database), linking practicing physicians and experienced research Investigators with iTrials’ patient data to provide detailed views of each Investigator’s protocol-specific patient populations from within their own practice and their established referral networks. Pharmaceutical companies will be able to contract directly with ePharmaSolutions to provide this service at the study level and/or license the SFA (Site Feasibility Application) for self-service access to the global Investigator database.

“For the last 10 years iTrials has developed one of the industry’s largest HIPAA-compliant sets of longitudinal patient data, linking more than 80 million patients with over 350,000 physicians including each patient’s diagnoses, procedure events, age, gender and even original referral physician,” stated Lance Converse, CEO of ePharmaSolutions.  “This data is very helpful in both protocol/site feasibility and patient recruitment campaigns and will be integrated into our Site Feasibility Application (www.epharmasolutions.com/sfa) for better site profiling and selection,” he added.

“Our new partnership will provide the pharmaceutical industry with actionable data to help improve site feasibility and patient recruitment that until now has been either too expensive or not packaged in a way that was meaningful to study teams,” stated Mike Hassell, CEO of iTrials.  “We are now in a position to support our clients’ needs at both the study and enterprise level,” added Hassell.


Posted on : May 28 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Products, Strategy |

Privacy Rule exception in case of using the PHI of a deceased subject

The Privacy Rule requires researchers to obtain written authorizations from research subjects before using the subjects’ protected health information (PHI) in the course of that research. Among other exceptions to this rule, one exception is for the use of decedents’ PHI, after filing an appropriate certification.

When you wish to use the PHI of any deceased subject, you may use the Privacy Rule exception by making a certification. The certification is appropriate when: (1) the PHI sought via the certification is only that of decedents, (2) you can document the death of each individual if asked to do so, and (3) the PHI is necessary to the research purposes.

The Common Rule does not apply to research involving decedents. Rather, the Common Rule applies only to research involving “human subjects”, who are defined as “living” individuals.

You may make a certification for research on the PHI of decedents when all subjects in your protocol, or in a distinct part of that protocol, are deceased. If your research protocol involves the use of PHI of both living and deceased subjects, but no distinct part of your protocol is directed at the use of decedents’ PHI, you should not use the process described here, but rather obtain an authorization, or seek a waiver of authorization, before using the PHI. It is not necessary to file a certification to continue using the PHI of a research subject who dies during the course of your research, as you will have obtained an authorization, or waiver of authorization, for the subject while living that allows you to continue using that PHI.


Posted on : May 24 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Strategy, Tips |

Filing a complaint with OCR for HIPAA violation

You know that a covered entity has violated your rights under HIPAA or tampered with your PHI. But what are you supposed to do next? To redress your grievances, you have to file a complaint with the Office for Civil Rights (OCR). OCR is the authority entitled to receive and investigate complaints against covered entities related to the Privacy Rule.

The complaints to the Office for Civil Rights must:

1. Be filed in writing, either on paper or electronically;

2. Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule;

3. Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”

The violation for which the complaint is filed must have occurred on or after April 14, 2003 (on or after April 14, 2005 for small health plans), for OCR to have authority to investigate.

OCR has ten regional offices, and each regional office covers certain states. Complaints should be sent to the attention of the appropriate OCR Regional Manager.

You can submit your complaint in any written format but the complaint should include the following information:

1. Your name, full address, home and work telephone numbers, and email address.

2. If you are filing a complaint on someone else’s behalf, also provide the name of the person on whose behalf you are filing.

3. Name, full address and phone number of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.

4. A brief description of what happened: how, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule was otherwise violated?

5. Any other relevant information.

The Privacy Rule prohibits the alleged violating party from taking retaliatory action against anyone for filing a complaint with the Office for Civil Rights. You should notify OCR immediately in the event of any retaliatory action.


Posted on : May 12 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Strategy, Tips |

Former UCLA researcher sentenced to prison for violating HIPAA privacy rule

Huping Zhou, a licensed cardiothoracic surgeon in China and a former UCLA School of Medicine researcher, has become one of the first healthcare workers sentenced to prison for violating the HIPAA privacy rule.

While working as a researcher at the university in 2003, Mr. Zhou began accessing the medical records of his superior, his co-workers and celebrity patients in the UCLA Health System, including Tom Hanks, Drew Barrymore and Arnold Schwarzenegger. The FBI reports that he accessed confidential medical records in violation of the HIPAA privacy rule a total of 323 times over a 3-week period.

Zhou has been sentenced to 4 months in federal prison, plus a fine of $2,000. The U.S. Attorney’s Office in Los Angeles said in a press release that this is the first time a healthcare worker has been given jail time for violating the HIPAA privacy rule.

Edward Robinson, attorney for Mr. Zhou, told CBS News his client had “no idea that looking at another person’s medical records was a federal criminal violation for which you could go to jail.”


Posted on : May 12 2010
Posted under General, In the news, News, Privacy & security, Tips |

Apptix launches Secure Mail for email protection

Apptix is the leading provider of hosted Microsoft Exchange, Microsoft SharePoint, and business VoIP services for businesses worldwide. The company has now announced the launch of Apptix Secure Mail, which provides email encryption and decryption at the desktop for secure end-to-end transmission. It protects messages while in transit over the Internet and at rest in local email stores and corporate email archives. Recipients of an encrypted message who do not subscribe to the Secure Mail service receive a notification email with a link to retrieve the message at a secure web-based portal.

The features of Apptix Secure Mail include:

• One-click security – Users simply click a “Secure” button within the Outlook email client before sending to have the application encrypt the message.

• Send to anyone capability – Subscribers receive the encrypted mail directly in their Inbox; non-subscribers collect the messages via a secure Web portal.

• No key exchange or management required – Intelligent key lookup occurs transparently, eliminating the need for users to exchange and manage encryption keys.

• Strong encryption and authentication – Standards-based technologies such as Public Key Infrastructure (PKI), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), S/MIME and X.509 certificates establish confidentiality, message integrity, and user authentication.

“Apptix Secure Mail is a cost effective, end-to-end encryption solution for customers, particularly in healthcare and finance, to meet regulatory compliance requirements,” said James Bond, Vice President of Product and Software Development with Apptix. “From within Microsoft Outlook, users can send secure messages to any email address including Gmail, Yahoo, or Hotmail accounts, even if the recipient does not subscribe to the email encryption service. In addition, customers do not have the hassle of sending shared secret passwords or negotiating certificates/encryption keys—everything is seamless and transparent.”


Posted on : Apr 27 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Products |

A webinar on HIPAA and HITECH compliance

A webinar led by privacy expert Rebecca Herold will be held on Wednesday, April 27th, focusing on real solutions for the 4 key areas that your business needs to address for HIPAA HITECH compliance. These areas are: assessing your risks and vulnerabilities, developing policies and procedures, encrypting ePHI to protect client data, and having a breach notification plan in case of a problem.

The topics which will be addressed by the industry experts include:

Risk Assessments - ACR 2 Solutions will discuss identifying, quantifying and assessing information security risks using automated technology developed under federal sponsorship for high-value military and civilian networks. Risk assessment is mandatory under HIPAA, GLBA, FISMA and other statutes, and is also part of the “Meaningful Use” qualification to receive subsidies under the HITECH act.

Policies and Procedures - Compliance Helper (CH) provides turn-key solutions for those needing policies and procedures based on content developed by Rebecca Herold and Associates. The combination of the ACR 2 Gap report and the Compliance Helper Prepare and Care solution creates a simple and organized process for organizations to become fully HIPAA HITECH compliant.

Email Encryption - The Industry Radar in partnership with industry leading email encryption provider, ZixCorp, and hosting partner Greenview Data, has developed the RadarMail 360 suite with email encryption solutions for both outbound and inbound communication to meet any organization’s needs, regardless of size.

Breach Remediation - ID Experts will discuss the need for a comprehensive data breach response plan and describe best practices for healthcare data breach notification and patient care. They will also review the HHS-mandated risk assessment requirement for breaches involving protected health information (PHI).


Posted on : Apr 27 2010
Posted under General, Guide, In the news, News, Privacy & security, Tips |

GHG chooses INetU as the hosting provider for its healthcare software program

Gorman Health Group (GHG) has an innovative health plan enrollment and payment reconciliation software product called Valencia, and the Group has chosen INetU as the dedicated managed hosting provider for this healthcare software platform. Valencia is unique in that it ties workflow and reporting controls directly to the discrepancy engine, giving plans faster processing times, increased visibility into performance, and more compliant operations.

GHG needed a hosting provider that could actively help GHG with HIPAA-compliant hosting as well as provide a close partnership with their hosting company, an expert IT staff, high availability solution design, and SAS 70 Type II certification.

“Health care in general, and Medicare contractors especially, demand the highest standards of HIPAA compliance and security,” said GHG’s Senior Vice President of Strategic Development, Nathan Goldstein. “INetU’s expert solution design and service make it easy for us to help our clients by delivering secure and scalable hosted solutions as part of their business plans. We had over 2.5 million members on our software within weeks of launch and INetU made the launch simple and seamless.”

“With HIPAA privacy laws, and especially the new HIPAA HITECH requirements for hosted data, it is important that health care-related services choose a hosting provider with proven experience in keeping patient data secure,” said GHG’s Chief Hosting Officer at INetU, Chad Mowery. “INetU’s data centers are SAS 70 Type II audited, Visa PCI certified, and EU Safe Harbor compliant. Our commitment to security, privacy, and 100% uptime is the perfect match for hosting the Valencia software package. We are also able to provide guidance to our customers to help them with complex compliance issues, enabling them to focus on their core business.”


Posted on : Apr 27 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Strategy, Tips |

Looking for HIPAA compliant medical billing services for group practices?

Those in the healthcare industry can submit medical bills and insurance claims promptly and accurately by using HIPAA compliant medical billing services for group practices. These services considerably reduce the managerial tasks of medical practitioners, saving time and effort and thus enhancing productivity and profitability. These companies understand the medical billing needs of group practices, and many multi-specialty hospitals, rehab clinics, individual practices, acute care clinics, long-term healthcare agencies and others are benefitting from them.

These companies have experienced professionals with in-depth knowledge of HIPAA compliant medical billing software, including NextGen, Inception, IDX, Practice Admin and so on. They offer services such as:

• Patient enrollment
• Insurance enrollment
• Scheduling and rescheduling
• Medical coding
• Insurance verification
• Insurance authorizations
• Charge entry and payment posting
• Billing and reconciling of accounts
• AR collections
• Report maintenance

The advantages that HIPAA compliant medical billing services offer include:

• Greater data confidentiality and security
• Fewer claim rejections and denials
• Secure data storage, access facility and periodic data backup
• Rapid turnaround time
• Minimum paperwork in your practice
• Regular technical evaluation and constant support

To conclude, before hiring any HIPAA compliant medical billing services for group practices, one should compare price quotes from various providers and also ensure that they hire a provider who can deliver competent solutions.


Posted on : Apr 16 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Tips |