Security risks of chat transcripts containing sensitive medical information

Doctors, healthcare centers and pharmacists have started using live chat to get closer to their customers. However, retaining transcripts of chats that touch on highly sensitive patient medical history may pose a serious security threat.

In the eyes of HIPAA, and of lawyers for consumers whose data is exposed, it makes little difference who disclosed the protected information. They will expect a retail conversation, in this case a patient-to-pharmacist chat, to be protected as well as any other sensitive medical data.

To reduce this threat, pharmacies could adopt an approach in which live chat agents have no access to patient medical records and respond only to what the customer chooses to share during the exchange. However, once what the customer shared is preserved in a chat transcript text file, it can be accessed later.

Some chains, such as Walgreens, allow their pharmacists to access full pharmacy histories for all customers, but they are not supposed to reveal anything until the patient has verified their identity by answering questions. According to Walgreens spokesperson Jim Cohn, the live chat sessions are encrypted. But encryption protects the session only in transit; the consumer's endpoint still has to display the answers in the clear. Even if we assume the channel is fully secure, it is unclear how secure the stored transcripts of those chat sessions will be.

Whatever procedure the chains adopt, chats remain a threat to patients' sensitive medical information as long as the information stays in the system, where it could leak through backups, retained transcripts, theft by attackers, or search engine spiders indexing pages that should never have been public. All the security in the world is made meaningless by one weak link, and if not handled properly, chat transcripts of sensitive discussions may be just that.


Posted on : Sep 05 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Tips |

How to write a Notice of Information Practices and Privacy Statement?

HIPAA applies to covered entities: health plans, health care clearinghouses, and medical and mental health service providers that transmit health information electronically in connection with standard transactions. It requires that everyone you collect medical information from, directly or indirectly (for example by filling a prescription), be told of their privacy rights and be given a “Notice of Privacy Practices,” sometimes also called a “Notice of Information Practices.”

The notice must tell your patients what you do with their information. You must also make a good-faith effort to obtain the patient's written acknowledgment that they received it: either the patient signs the notice itself, or signs an acknowledgment, often part of the HIPAA consent form, stating that they received a copy of your privacy practices before signing.

Here is a sample HIPAA privacy practices statement for your guidance. Before you use it, revise it to reflect your own privacy policies and have an attorney review it to make sure it meets the legal requirements of your own business.

Notice of Information Practices and Privacy Statement for ABC Healthcare Services

123, ABC Lane,

City, Country, Code

Telephone Number

Email Address

How Your Information is collected by us:

ABC Healthcare Services and its employees and volunteers collect data through a variety of means, including but not limited to letters, phone calls, emails, voice mails, and the submission of applications that are either required by law or necessary to process applications or other requests for assistance through our organization.

What is NOT done with your information:

Information about your financial situation and medical conditions and care that you provide to us in writing, via email, on the phone (including information left on voice mails), contained in or attached to applications, or directly or indirectly given to us, is held in strictest confidence.

We do not give out, exchange, barter, rent, sell, lend, or disseminate any information about applicants or clients who apply for or actually receive our services that is considered patient confidential, is restricted by law, or has been specifically restricted by a patient/client in a signed HIPAA consent form.

How your information IS USED:

Information is only used as is reasonably necessary to process your application or to provide you with health or counseling services which may require communication between ABC Healthcare Services and health care providers, medical product or service providers, pharmacies, insurance companies, and other providers necessary to: verify your medical information is accurate; determine the type of medical supplies or any health care services you need including, but not limited to; or to obtain or purchase any type of medical supplies, devices, medications, insurance,

If you apply or attempt to apply to receive assistance through us and provide information with the intent or purpose of fraud or that results in either an actual crime of fraud for any reason including willful or un-willful acts of negligence whether intended or not, or in any way demonstrates or indicates attempted fraud, your non-medical information can be given to legal authorities including police, investigators, courts, and/or attorneys or other legal professionals, as well as any other information as permitted by law.

Information NOT Collected by us:

We do not use cookies on our website to collect data from our site visitors. We do not collect information about site visitors except for one hit counter on the main index page (www.yourwebpage.org) that simply records the number of visitors and no other data. We do use some affiliate programs that may or may not capture traffic data through our site.

Limited Right to Use Non-Identifying Personal Information from Biographies, Letters, Notes, and Other Sources: Any pictures, stories, letters, biographies, correspondence, or thank you notes sent to us become the exclusive property of ABC Healthcare Services. We reserve the right to use non-identifying information about our clients (those who receive services or goods from or through us) for fundraising and promotional purposes that are directly related to our mission.

Clients will not be compensated for use of this information and no identifying information (photos, addresses, phone numbers, contact information, last names or uniquely identifiable names) will be used without client’s express advance permission.

You may specifically request that NO information be used whatsoever for promotional purposes, but you must identify any requested restrictions in writing.

We respect your right to privacy and assure you no identifying information or photos that you send to us will ever be publicly used without your direct or indirect consent.

Revision Date: 01/09/2010


Posted on : Aug 30 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Tips |

Binary Spectrum gets HIPAA certification

Binary Spectrum, a Microsoft Gold Certified Partner and a member of the Sun Partner Advantage Program, with years of expertise in designing and developing customized healthcare software products incorporating HL7 integration solutions and outsourcing support for the global market, has achieved Health Insurance Portability and Accountability Act (HIPAA) certification. It is now among the organizations that comply with the HIPAA regulations and are certified to provide IT services and solutions to healthcare organizations.

Thus the company's software offerings, including electronic medical records, HMIS, EHR, medical billing and coding, medical practice management, medical prescription and outcome registry, are HIPAA and HL7 compliant.

Binary Spectrum is committed to ensuring the confidentiality, integrity, availability and privacy of all stakeholders' information and of all customers' protected health information by adopting a formal Business Risk Management Framework and establishing a compliance and security management system.

Based on the audit performed by ProMinds Consulting in May 2009, as per the scope detailed, Binary Spectrum has been declared compliant with HIPAA. ProMinds Consulting certifies that Binary has established and applies the applicable privacy regulations and provisions of HIPAA. Note that HHS does not issue HIPAA certifications and does not endorse or recognize private ones, so a certification such as this is a third-party auditor's opinion on the controls within the stated scope at the time of the audit; it does not relieve the company or its customers of their own compliance obligations.

“With just 5 years of expertise in the healthcare domain, achieving HIPAA compliance not only ensures that we are compliant to global standards but also assures the security of our customer’s most sensitive information and individual health records being handled” says Mr. Ashok Kumar, CEO, Binary Spectrum. He further adds, “We are pleased to have achieved this recognition and as a likely succession, we look forward to achieving our subsequent milestones that would continue to focus on providing improved and assured quality products and services to our customers.”


Posted on : Aug 19 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Strategy, Tips |

What are HIPAA transactions and code set standards?

The HIPAA transactions and code set standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.

A “transaction” is an electronic business document. Each of the HIPAA standard transactions has a name, a number, and a business or administrative use. Those of importance in a medical practice are listed below:

Claim/encounter (X12 837)

For submitting claims to a health plan, insurer, or other payer.

Eligibility inquiry and response (X12 270 and 271)

For inquiring of a health plan the status of a patient’s eligibility for benefits and details regarding the types of services covered, and for receiving information in response from the health plan or payer.

Claim status inquiry and response (X12 276 and 277)

For inquiring about and monitoring outstanding claims (where is the claim? why hasn't it been paid?) and for receiving the health plan's or payer's response. Claim status codes are now standardized across all payers.

Referrals and prior authorizations (X12 278)

For obtaining referrals and authorizations accurately and quickly, and for receiving prior authorization responses from the payer or utilization management organization (UMO) used by a payer.

Health care payment and remittance advice (X12 835)

For replacing paper EOB/EOPs and explaining all adjustment data from payers.  Also, permits auto-posting of payments to accounts receivable system.

Health claims attachments (proposed) (X12 275)

For sending detailed clinical information in support of claims, in response to payment denials, and other similar uses.

The purpose of the HIPAA standards is to simplify the processes and decrease the costs associated with the payment for health care services. The savings to payers, physicians and other providers could be enormous, but only if there is collaboration between all parties involved.
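As an added example that is not part of the original post, the following Python reads an X12 interchange, pulls the delimiters from the fixed-width ISA header, splits it into ST..SE transaction sets, identifies each set by the ST01 code from the list above, and verifies the SE01 segment count and SE02 control number before trusting any of the content. The 270 eligibility inquiry embedded in it is constructed; the sender, receiver, plan and patient identifiers in it are made up.

```python
"""X12 envelope parser for the HIPAA transaction sets listed above.

Added example, not code from the original post. SAMPLE_270 is a
constructed eligibility inquiry; every identifier in it is made up.
"""

# ST01 transaction set identifiers from the list in the post.
HIPAA_TRANSACTIONS = {
    "837": "Claim/encounter",
    "270": "Eligibility inquiry",
    "271": "Eligibility response",
    "276": "Claim status inquiry",
    "277": "Claim status response",
    "278": "Referral / prior authorization",
    "835": "Payment and remittance advice",
    "275": "Claims attachment (proposed)",
}


def build_isa(sender, receiver, control="000000001"):
    """Build the fixed-width ISA header (106 characters in ASC X12 5010).

    ISA is the only fixed-width segment: the receiver reads the element,
    component and segment delimiters from it before it can split anything.
    """
    fields = [
        "ISA", "00", " " * 10, "00", " " * 10,
        "ZZ", sender.ljust(15), "ZZ", receiver.ljust(15),
        "100814", "1200", "^", "00501", control.rjust(9, "0"), "0", "T", ":",
    ]
    isa = "*".join(fields) + "~"
    if len(isa) != 106:
        raise ValueError(f"ISA must be 106 characters, got {len(isa)}")
    return isa


# Constructed 270 eligibility inquiry (one ST..SE set of 13 segments).
SAMPLE_270 = build_isa("SENDERID", "RECEIVERID") + (
    "GS*HS*SENDERID*RECEIVERID*20100814*1200*1*X*005010X279A1~"
    "ST*270*0001*005010X279A1~"
    "BHT*0022*13*10001234*20100814*1200~"
    "HL*1**20*1~"
    "NM1*PR*2*ABC HEALTH PLAN*****PI*12345~"
    "HL*2*1*21*1~"
    "NM1*1P*2*ABC HEALTHCARE SERVICES*****XX*1234567890~"
    "HL*3*2*22*0~"
    "TRN*1*93175-012547*9877281234~"
    "NM1*IL*1*DOE*JANE****MI*123456789~"
    "DMG*D8*19700101*F~"
    "DTP*291*D8*20100814~"
    "EQ*30~"
    "SE*13*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def delimiters(raw):
    """Return the (element, component, segment) separators read from ISA."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange: missing or short ISA header")
    return raw[3], raw[104], raw[105]


def parse_segments(raw):
    """Split an interchange into lists of elements, one list per segment."""
    elem_sep, _comp_sep, seg_term = delimiters(raw)
    segments = []
    for seg in raw.split(seg_term):
        seg = seg.strip("\r\n")
        if seg:
            segments.append(seg.split(elem_sep))
    return segments


def transaction_sets(raw):
    """Return [(ST01, name, segments)] for each ST..SE group in `raw`.

    SE01 is the sender's own count of segments in the set (ST and SE
    included) and SE02 must echo ST02. A mismatch means the set was
    truncated or altered in transit, so it is rejected outright rather
    than partially processed.
    """
    sets, current = [], None
    for seg in parse_segments(raw):
        if seg[0] == "ST":
            current = [seg]
        elif current is not None:
            current.append(seg)
            if seg[0] == "SE":
                if int(seg[1]) != len(current):
                    raise ValueError(f"SE01 says {seg[1]} segments, found {len(current)}")
                if seg[2] != current[0][2]:
                    raise ValueError("SE02 does not match ST02 control number")
                st01 = current[0][1]
                sets.append((st01, HIPAA_TRANSACTIONS.get(st01, "unknown"), current))
                current = None
    if current is not None:
        raise ValueError("transaction set without SE trailer")
    return sets


def is_intact(raw):
    """True if every transaction set in `raw` passes the SE01/SE02 checks."""
    try:
        transaction_sets(raw)
        return True
    except ValueError:
        return False


def subscriber(segments):
    """Return the subscriber's name and member ID from the NM1*IL segment."""
    for seg in segments:
        if seg[0] == "NM1" and seg[1] == "IL":
            return {"last": seg[3], "first": seg[4], "member_id": seg[9]}
    return None


if __name__ == "__main__":
    for st01, name, segs in transaction_sets(SAMPLE_270):
        print(st01, name, subscriber(segs))
```

Because the ST01 code is what routes a message to the claims, eligibility or remittance handler, a receiver should check the SE trailer before dispatching on it; otherwise a truncated or spliced interchange gets processed as far as it goes and the error surfaces downstream, if at all.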


Posted on : Aug 14 2010
Posted under General, Guide, Legislation, Privacy & security, Strategy, Tips |

Information sought by HHS officers during a HIPAA audit

Health Insurance Portability and Accountability Act (HIPAA) compliance audits are conducted by the U.S. Department of Health and Human Services (HHS), including its Office of Inspector General. Here is a list of some of the information an HHS official can request if your organization is selected for a HIPAA audit:

The HHS officers can ask for the policies and procedures governing:

  • Establishing and terminating users’ access to systems housing electronic protected health information (ePHI).
  • Emergency access to electronic information systems.
  • Inactive computer sessions (periods of inactivity).
  • Recording and examining activity in information systems that contain or use ePHI.
  • Electronically transmitting ePHI.
  • Preventing, detecting, containing and correcting security violations (incident reports).
  • Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
  • Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
  • Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
  • Physical access to electronic information systems and the facility in which they are housed.
  • Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
  • Firewalls, routers and switches.
  • Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
  • Terminating an electronic session and encrypting and decrypting ePHI.
  • Password and server configurations.
  • Anti-virus software.
  • Network remote access.

HHS can also request:

  • a list of all information systems that house ePHI data, with network diagrams covering all hardware and software used to collect, store, process or transmit ePHI;
  • a list of terminated employees and of all new recruits;
  • the authentication methods used to identify users authorized to access ePHI;
  • a list of the transmission methods used to send ePHI over an electronic communications network;
  • a list of system administrators, backup operators and users;
  • a list of database security requirements and settings;
  • a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows);

and so on.
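Two items on the list above go together in practice: the policy for terminating users' access and the regular review of access reports, checked against the list of terminated employees. As an added example that is not part of the original post, the Python below runs that review over a constructed access log from a system housing ePHI and a constructed HR termination list, flagging every entry a user made on or after their termination date. The log format is an assumption.

```python
"""Access-log review for one item on the audit list above: did any
terminated user touch ePHI after their access should have ended?

Added example, not from the original post. The termination list and the
log lines are constructed, and the log format is an assumption.
"""
from datetime import datetime

# Constructed HR feed: user -> date on which access should have ended.
TERMINATED = {
    "jsmith": datetime(2010, 7, 30),
    "rlee": datetime(2010, 8, 2),
}

# Constructed access log from a system housing ePHI.
# Assumed format: <ISO timestamp> <user> <action> <patient record id or ->
ACCESS_LOG = """\
2010-07-29T09:12:03 jsmith READ MRN-000123
2010-07-31T17:45:10 jsmith READ MRN-000987
2010-08-01T08:00:00 aadmin LOGIN -
2010-08-03T22:14:55 rlee EXPORT MRN-000321
2010-08-03T22:15:02 rlee EXPORT MRN-000322
2010-08-04T10:30:00 mchen READ MRN-000123
"""


def parse_log(text):
    """Parse log lines into dicts. A malformed line aborts the review
    rather than being dropped, because a dropped line is a missed finding."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, user, action, record = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record})
    return records


def access_after_termination(records, terminated):
    """Entries by a terminated user at or after 00:00 on the termination date.

    Access on the termination day itself is flagged on purpose: the policy
    question is whether the account was disabled when HR said it should be.
    """
    return [r for r in records
            if r["user"] in terminated and r["ts"] >= terminated[r["user"]]]


def summarize(findings):
    """Group findings by user: entry count and distinct patient records touched."""
    summary = {}
    for r in findings:
        entry = summary.setdefault(r["user"], {"entries": 0, "records": set()})
        entry["entries"] += 1
        if r["record"] != "-":
            entry["records"].add(r["record"])
    return summary


def review(log_text=ACCESS_LOG, terminated=TERMINATED):
    """Run the whole check and return the per-user summary."""
    return summarize(access_after_termination(parse_log(log_text), terminated))


if __name__ == "__main__":
    for user, info in review().items():
        print(f"{user}: {info['entries']} entries after termination, "
              f"records {sorted(info['records'])}")
```

Each flagged user is a finding for two policies at once: the termination procedure failed to disable the account on time, and the log review, if it was running, should have caught it earlier. Running this on a schedule, with the HR feed as input, is the kind of documented review the auditor asks to see evidence of.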


Posted on : Aug 10 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Strategy, Tips |

HHS Proposed Rule for marketing under HIPAA

The U.S. Department of Health and Human Services (HHS) has proposed a set of significant updates to health privacy rules. The rule is open for public comment until September 13th. Although the proposed rule does not clarify some outstanding issues in the health information technology (health IT) area, it does contain numerous changes to the HIPAA Privacy Rule, the most prominent being Business Associates, Enforcement, Marketing and Research.

Under HIPAA, covered entities need to obtain patient authorization before sending marketing communications to patients. The Privacy Rule states several exceptions, however, for which covered entities do not need patient authorization: communications about treatment, alternative therapies, and “value-added” benefits. HITECH narrowed these exceptions: when an entity receives “direct or indirect remuneration” from an outside party (such as a product manufacturer) to make the communication, Congress declared the subsidized communication to be marketing, with one exception, a communication about a drug or biologic the patient is currently taking.

Under the proposed rule, however, prior patient authorization would not be required to send subsidized treatment communications, provided they are tailored to the individual's health condition. Instead, the provider would have to notify the patient of its intent to send subsidized treatment communications, that notice would have to tell the patient that she may opt out of receiving them, and each treatment communication itself would have to repeat the opt-out and disclose that someone paid the provider to send it.

Under the current Privacy Rule the term “payment” covers only the activities of health plans in paying for health care and of providers in seeking payment for care. The proposed exception, by contrast, covers treatment communications subsidized by third parties that are neither health plans nor providers.


Posted on : Aug 08 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Products, Strategy, Tips |

Are you running out of Cobra coverage?

After 31 May, the 15-month federal Cobra premium subsidy ran out for the Americans who started receiving it in March 2009, when it first became available to laid-off workers eligible to remain in their group health plan under either the federal law known as Cobra or a state version.

If you fall under this group and are about to lose your Cobra subsidy, follow these tips:

1. If you are healthy, an individual or family plan will usually be cheaper than paying 100 percent of your Cobra premium. Call your insurance broker and surf the net for new plans. Meanwhile, do not drop your Cobra coverage until you are approved for a new plan, even if you have to pay the full Cobra premium for an extra month.

2. If you have a pre-existing condition, it will usually be cheaper to stay in your group health plan and pay the entire premium until your Cobra or Cal-Cobra eligibility ends, than switch to a HIPAA plan. HIPAA policies can be quite expensive, but they are still better than going without coverage or going into a state high-risk pool, which provides limited coverage for people who have been rejected for insurance.

3. Mix and match your options. For example, rather than pay 100 percent of the Cobra premium for family coverage, one parent - who is healthy – may opt for an individual policy. The other parent, who has a pre-existing condition, may remain on Cobra as a single person until it runs out and then get a HIPAA policy. The two children may qualify for Healthy Families. The total cost is less than what the family would pay to stay on Cobra as a family.


Posted on : Jul 15 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security |

WORM emerging as a new generation storage technology in healthcare industry

To comply with HIPAA, healthcare organizations have to rely on the latest information technology for the storage infrastructure that protects patients’ data. The transition to “filmless” digital diagnostic imaging and the need for compliance with the Health Insurance Portability and Accountability Act (HIPAA) have spurred medical IT departments to rethink their approach to data storage to better support these new applications and data management requirements. The American Medical Association estimates the cost of restructuring the healthcare industry as a result of HIPAA at more than $43 billion over the next few years.

One technology that has caught attention for storing patient data is write once, read many (WORM) storage. Once the exclusive realm of write-once optical disk, a new generation of WORM storage alternatives has emerged that includes WORM disk arrays and WORM tape. Both provide advantages over traditional optical WORM, particularly where large-scale storage applications need higher capacities. Tape-based WORM, however, is poised to become a major presence in medical storage environments by delivering more secure, scalable and versatile storage with a significantly lower total cost of ownership than disk-based WORM.

The two dominant mid-range tape technologies, Super DLTtape II and Linear Tape-Open Ultrium 3 (LTO-3), have both embraced the WORM concept and now offer WORM functionality, although each takes a different approach. Super DLTtape lets customers use conventional Super DLT II media for WORM applications: the write-once functionality (designated DLTIce on Quantum’s Super DLT 600 tape drives) is enabled by the tape drive as part of Quantum’s DLTSage architecture platform, a suite of predictive and preventive management software tools that let end users diagnose, plan and manage their tape storage investments.
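As an added illustration that is not part of the original post and is not tape WORM: the property the post describes, that a record can be written once and never overwritten, can also be enforced in software. The Python below does so for a directory of archived objects, using an exclusive create at the filesystem layer so a second write fails instead of replacing the record, and a SHA-256 recorded at write time so a later reader detects any change to the bytes. The object name and contents are constructed, and the demo simulates the failure mode the integrity check exists for: someone with write access to the disk bypassing the archive.

```python
"""Software analogue of write-once, read-many storage for a record archive.

Added example, not from the original post and not tape WORM. Write-once
is enforced with O_EXCL (create fails if the object exists); an
append-only manifest of SHA-256 digests lets reads detect tampering.
"""
import hashlib
import os
import tempfile


class WormArchive:
    """Directory of write-once objects plus an append-only digest manifest."""

    def __init__(self, root):
        self.root = root
        self.manifest = os.path.join(root, "MANIFEST")
        os.makedirs(root, exist_ok=True)

    def _path(self, name):
        # Reject names that could escape the archive directory.
        if not name or name in (".", "..") or "/" in name or os.sep in name:
            raise ValueError(f"invalid object name: {name!r}")
        return os.path.join(self.root, name)

    def write(self, name, data):
        """Store `data` under `name` exactly once; a rewrite raises FileExistsError.

        The file is created read-only (0o444) as a second guard; the
        digest line is appended to the manifest, never rewritten.
        """
        path = self._path(name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        digest = hashlib.sha256(data).hexdigest()
        with open(self.manifest, "a", encoding="ascii") as m:
            m.write(f"{name} {digest}\n")
        return digest

    def _expected_digest(self, name):
        if not os.path.exists(self.manifest):
            return None
        with open(self.manifest, encoding="ascii") as m:
            for line in m:
                n, d = line.split()
                if n == name:
                    return d
        return None

    def read(self, name):
        """Return the stored bytes, refusing anything that no longer matches its digest."""
        path = self._path(name)
        with open(path, "rb") as fh:
            data = fh.read()
        expected = self._expected_digest(name)
        if expected is None or hashlib.sha256(data).hexdigest() != expected:
            raise ValueError(f"integrity check failed for {name}")
        return data


def demo():
    """Write once, refuse a rewrite, read back, then detect out-of-band tampering.

    Returns (bytes read before tampering, rewrite_succeeded, tamper_detected).
    """
    archive = WormArchive(tempfile.mkdtemp(prefix="worm-"))
    original = b"constructed image bytes"          # constructed content
    archive.write("study-0001.dcm", original)
    try:
        archive.write("study-0001.dcm", b"altered bytes")
        rewrite_succeeded = True
    except FileExistsError:
        rewrite_succeeded = False
    intact = archive.read("study-0001.dcm")
    # Simulate an attacker with write access to the disk bypassing the API.
    path = os.path.join(archive.root, "study-0001.dcm")
    os.chmod(path, 0o644)
    with open(path, "wb") as fh:
        fh.write(b"altered bytes")
    try:
        archive.read("study-0001.dcm")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return intact, rewrite_succeeded, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Unlike drive-enforced WORM tape, this depends on the operating system honouring file permissions and on the manifest itself not being rewritten, so it demonstrates the semantics rather than replacing the hardware guarantee; in a real archive the manifest would live on separate, equally protected media.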


Posted on : Jul 05 2010
Posted under General, In the news, Legislation, Privacy & security, Strategy, Tips |

Is UW’s fundraising drive violating HIPAA by misusing PHI?

Though HIPAA goes to great lengths to protect PHI, it allows covered entities to use, or disclose to a business associate or institution-related foundation, two types of protected health information (PHI) for fundraising without the patient's authorization: basic demographic information about an individual, and the dates of health care provided to an individual. Information about diagnosis or treatment is off-limits, but federal and state laws allow hospitals, in most cases, to use a patient’s name, address, contact information, dates of hospital service, gender, age and insurance status in fundraising efforts.

Despite being legal, the practice, widely used by other nonprofit hospitals here and across the country, has raised eyebrows before, mainly because people mistakenly lump health-care fundraising in with the annoying commercial telemarketing calls that interrupt dinner, says William McGinly, president and CEO of the Association of Healthcare Philanthropy.

“It is a common misunderstanding,” he said. “Fundraising is a part of health-care operations.”

The UW’s fundraising drive, which began in April and ended early this month, ultimately raised nearly $28,000, but the way it used PHI has annoyed many. Finn, a 62-year-old retired CPA who lives on Queen Anne Hill and a one-time patient at the UW, was astounded when he got a call on his unlisted telephone number seeking a donation, and the caller told him the information had come from patient records.

The callers were primarily students under contract to the UW and trained in HIPAA privacy rules. This year, about 150 former patients of the nearly 6,000 who were solicited opted out of having their names on the fundraising list, but when Finn tried, he found it wasn’t as easy as he thought it should be.

In frustration, he called the UW’s privacy office to complain and finally, when he went to the hospital, he was almost certainly given a 16-page tome entitled “Joint Notice of Privacy practices of UW Medicine and Certain Other Providers.”

The notice explains how a patient’s data may be used, and notes that phone solicitors don’t have access to “diagnosis or treatment information” and must agree to keep the information they do see confidential.

Finn said he was disturbed because HIPAA bars using patient information for commercial purposes.

“Excuse me, but raising millions of dollars to support UW — a commercial enterprise hiding behind a not-for-profit mask — certainly sounds like a bending of the rules to suit a purpose,” he said. “You just feel as though your privacy is being violated. … Just because HIPAA might allow UW to do this does not make it right.”


Posted on : Jun 02 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Strategy |

ePharmaSolutions joins hands with iTrials for better patient recruitment process

ePharmaSolutions, a leading provider of clinical research technologies and services, has partnered with iTrials to improve the site selection and patient recruitment process. ePharmaSolutions will integrate iTrials’ longitudinal patient database into its CRID (Clinical Research Investigator Database), linking practicing physicians and experienced research investigators with iTrials’ patient data to provide detailed views of each investigator’s protocol-specific patient populations, drawn from their own practice and their established referral networks. Pharmaceutical companies will be able to contract directly with ePharmaSolutions to provide this service at the study level and/or license the SFA (Site Feasibility Application) for self-service access to the global investigator database.

“For the last 10 years iTrials has developed one of the industry’s largest HIPAA-compliant sets of longitudinal patient data, linking more than 80 million patients with over 350,000 physicians including each patient’s diagnoses, procedure events, age, gender and even original referral physician,” stated Lance Converse, CEO of ePharmaSolutions.  “This data is very helpful in both protocol/site feasibility and patient recruitment campaigns and will be integrated into our Site Feasibility Application (www.epharmasolutions.com/sfa) for better site profiling and selection,” he added.

“Our new partnership will provide the pharmaceutical industry with actionable data to help improve site feasibility and patient recruitment that until now has been either too expensive or not packaged in a way that was meaningful to study teams,” stated Mike Hassell, CEO of iTrials.  “We are now in a position to support our clients’ needs at both the study and enterprise level,” added Hassell.


Posted on : May 28 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Products, Strategy |