Archive for the ‘News’ Category:
How to write a Notice of Information Practices and Privacy Statement?
HIPAA applies to covered health care providers, including medical and mental health service providers. It requires that everyone you collect medical information from, whether directly or indirectly (for example, by filling a prescription), be notified of their privacy rights and receive a “Notice of Privacy Practices,” which is sometimes also called a “Notice of Information Practices.”
The notice must tell your patients and clients what you do with their information, and you must make a good-faith effort to obtain the patient’s written acknowledgment that they received it: either the patient signs the notice itself, or the patient signs an acknowledgment (often included on the HIPAA consent form) that they received a copy of your privacy practices before signing the consent form.
Here is a sample HIPAA privacy practices statement for your guidance. Before you use it, revise it so that it describes your own privacy policies, and have an attorney review it to make sure it meets the legal requirements of your own business.
Notice of Information Practices and Privacy Statement for ABC Healthcare Services
123, ABC Lane,
City, Country, Code
Telephone Number
Email Address
How Your Information is collected by us:
ABC Healthcare Services and its employees and volunteers collect data through a variety of means, including but not limited to letters, phone calls, emails, voice mails, and the submission of applications, either as required by law or as necessary to process applications or other requests for assistance through our organization.
What is NOT done with your information:
Information about your financial situation and medical conditions and care that you provide to us in writing, via email, on the phone (including information left on voice mails), contained in or attached to applications, or directly or indirectly given to us, is held in strictest confidence.
We do not give out, exchange, barter, rent, sell, lend, or disseminate any information about applicants or clients who apply for or actually receive our services that is considered patient confidential, is restricted by law, or has been specifically restricted by a patient/client in a signed HIPAA consent form.
How your information IS USED:
Information is only used as is reasonably necessary to process your application or to provide you with health or counseling services which may require communication between ABC Healthcare Services and health care providers, medical product or service providers, pharmacies, insurance companies, and other providers necessary to: verify your medical information is accurate; determine the type of medical supplies or any health care services you need including, but not limited to; or to obtain or purchase any type of medical supplies, devices, medications, insurance,
If you apply or attempt to apply for assistance through us and provide information with the intent or purpose of fraud, or information that results in an actual crime of fraud (including through willful or unwillful acts of negligence, whether intended or not), or that in any way demonstrates or indicates attempted fraud, your non-medical information, as well as any other information permitted by law, can be given to legal authorities, including police, investigators, courts, attorneys, and other legal professionals.
Information NOT Collected by us:
We do not use cookies on our website to collect data from our site visitors. We do not collect information about site visitors except through one hit counter on the main index page (www.yourwebpage.org) that simply records the number of visitors and no other data. We do use some affiliate programs that may or may not capture traffic data through our site.
Limited Right to Use Non-Identifying Personal Information from Biographies, Letters, Notes, and Other Sources: Any pictures, stories, letters, biographies, correspondence, or thank you notes sent to us become the exclusive property of ABC Healthcare Services. We reserve the right to use non-identifying information about our clients (those who receive services or goods from or through us) for fundraising and promotional purposes that are directly related to our mission.
Clients will not be compensated for use of this information and no identifying information (photos, addresses, phone numbers, contact information, last names or uniquely identifiable names) will be used without client’s express advance permission.
You may specifically request that NO information be used whatsoever for promotional purposes, but you must identify any requested restrictions in writing.
We respect your right to privacy and assure you no identifying information or photos that you send to us will ever be publicly used without your direct or indirect consent.
Revision Date: 01/09/2010
Getting yourself insured against security breach or privacy loss
If you are in the healthcare industry and manage PHI, a single security breach can cost millions. With large numbers of patients or insured customers, the potential cost of a breach is very high, so you should consider network security or privacy loss insurance. What started with just a few specialist insurers, such as Lloyd’s of London, has grown to more than 15 companies offering coverage for security breaches, as well as brokers who can help you find the right coverage.
Insurance against security breaches covers two main areas. First-party coverage protects you against the direct costs suffered by your own business, including potential fines, lost productivity, financial damage, and even PR expenses. Third-party coverage protects you against costs incurred for damage to third parties, such as virus damage or identity theft. Healthcare and insurance companies are buying these policies to cover the residual risk of a breach that exposes HIPAA-protected information.
When shopping for this type of insurance, first work out how much coverage you need. The potential loss depends on the number of sensitive records you hold, the regulatory framework you operate under, and your existing security infrastructure. Coverage can be secured for a few thousand dollars, offering protection against losses in the $1 million to $5 million range, and special policies can be tailored for more coverage.
CMS sends letter to state Medicaid agencies for guidance on use of EHR
The HITECH Act provides 100 percent federal funding for Medicaid meaningful use incentive programs and 90 percent for reasonable state administrative expenses. States must, at a minimum, demonstrate adequate administrative and oversight procedures, and promote adoption of certified EHR products and secure exchange of health information.
The Centers for Medicare and Medicaid Services has sent a 19-page letter to state Medicaid agencies. The letter gives guidance on developing state-level incentive programs for the meaningful use of electronic health records.
CMS in the letter urges states to implement their Medicaid EHR incentive programs as soon as possible in 2011 to benefit most from available federal resources, such as time-limited funding and technical assistance.
Here is an excerpt from the letter:
…………………..
Dear State Medicaid Director:
This letter provides guidance to State Medicaid agencies regarding implementation of section 4201 of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), Pub. L. 111-5, and our recently published regulations at 42 CFR Part 495, Subpart D. Section 4201, as well as our final regulations, will allow the payment of incentives to eligible professionals (EPs) and eligible hospitals to promote the adoption and meaningful use of certified electronic health record (EHR) technology.
The Recovery Act provides 100 percent Federal financial participation (FFP) to States for incentive payments to eligible Medicaid providers to adopt, implement, upgrade, and meaningfully use certified EHR technology, and 90 percent FFP for State administrative expenses related to the program.
The Centers for Medicare & Medicaid Services (CMS) issued a State Medicaid Director (SMD) letter on September 1, 2009, that provided guidance to States on allowable expenses for activities supporting the administration of incentive payments to providers. CMS has now promulgated final regulations that also govern State administrative expenses related to administering the program. Both the SMD letter and our regulations at 42 CFR section 495.318 explain that, in order to qualify for the 90 percent FFP administrative match, a State must, at a minimum, demonstrate to the satisfaction of the Secretary compliance with three requirements:
• Administration of Medicaid incentive payments to Medicaid EPs and eligible hospitals;
• Oversight of the Medicaid EHR Incentive Program, including routine tracking of meaningful use attestations and reporting mechanisms; and
• Pursuit of initiatives that encourage the adoption of certified EHR technology for the promotion of health care quality and the electronic exchange of health information.
………………………………………..
You can access the full guidance letter at
https://www.cms.gov/smdl/downloads/SMD10016.pdf
Blumenthal announces the first state settlement with Health Net
This January, Connecticut State Attorney General Richard Blumenthal painted the headlines red when he brought a HIPAA enforcement action against insurance giant Health Net, becoming the first AG in the country to do so. Health Net was sued over its loss of a hard drive containing over 500,000 individuals’ records, including clinical data, Social Security numbers, addresses, and other financial information. According to Blumenthal, Health Net then compounded the gaffe (which it chalked up to theft) by failing to inform those affected for more than six months after the incident occurred.
Now Blumenthal has added to the news with his announcement that he has brokered the first state settlement of such an action. Under the terms of the settlement, Health Net will pay $250,000 directly to the state of Connecticut as statutory damages (and, no doubt, as a warning to other health insurance companies). It will also have to set aside a further $500,000 to cover damages should it eventually be found that the missing hard drive was accessed and that members’ personal information was used in an illegal manner.
This is sure to add more lines to some already wrinkled brows at Health Net.
Is your Email system HIPAA compliant?
With the advent of the internet, email has emerged as a communication solution, and more and more patients are looking to communicate with their healthcare providers via email. Some healthcare practitioners feel that emailing their patients equates to working for free, but some clinics have already adopted charging for email consultations.
It is possible for clinics to shift towards a digital medical office while remaining financially solid. Rights management software tools have become a reality for the small and medium business office.
As with any medical advance, the side effects of a solution or cure must also be considered. While email is beneficial in terms of time and money, there are also cons to using this tool, many of them HIPAA related. According to the Health Privacy Project’s 2005 study, 70% of Americans are concerned that protected health information (PHI) could be disclosed as a result of weak data security.
Currently, healthcare organizations are required to provide a disclosure statement when communication is sent to their patients. With the advent of phishing, malware, and spyware, an unintended recipient could spread a patient’s PHI like a virus, using or selling the data to any number of damaging sites.
Under HIPAA, facilities that fail to protect their patients’ PHI face stiff penalties. PHI includes, but is not limited to:
* Patient’s address, phone number
* Treating hospital/clinic number assigned to the patient
* Patient’s date of birth/ SSN
* Patient’s legal next of kin/guardian and their telephone number
* Patient’s insurance information (pre-certification/ DSHS/ Medicare)
* Anticipated Admission date and time
Under HIPAA, any email that contains information relating to your medical records is covered. That can be anything from your address or phone number, date of birth, Social Security number, next of kin, or insurance information (administrative or otherwise), to your admission information for any medical visits or stays.
It isn’t only clinics, hospitals, and doctors that are subject to this. Your employer is too if it offers a health or medical plan. Companies that handle this kind of information must have an information storage strategy that complies with HIPAA and many other pieces of legislation. Many companies handle this in-house with their existing staff and infrastructure.
While some companies handle this in-house, others outsource the burden to companies like Archive Compliance, which take care of secure storage for them. Companies like this have to demonstrate that their storage and retrieval methods are secure in order to remain in business.
Information sought by HHS officers during a HIPAA audit
The Health Insurance Portability and Accountability Act (HIPAA) requires compliance audits to be conducted by the Office of the Inspector General at the U.S. Department of Health and Human Services (HHS). Here is a list of some of the information an HHS official can request if your organization is selected for a HIPAA audit:
HHS officers can ask for the policies and procedures covering:
- Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
- Emergency access to electronic information systems.
- Inactive computer sessions (periods of inactivity).
- Recording and examining activity in information systems that contain or use ePHI.
- Electronically transmitting ePHI.
- Preventing, detecting, containing and correcting security violations (incident reports).
- Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
- Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
- Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
- Physical access to electronic information systems and the facility in which they are housed.
- Establishing security access controls (what types of security access controls are currently implemented or installed on the hospital databases that house ePHI?).
- Firewalls, routers and switches.
- Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
- Terminating an electronic session and encrypting and decrypting ePHI.
- Password and server configurations.
- Anti-virus software.
- Network remote access.
HHS can also request a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software used to collect, store, process, or transmit ePHI; a list of terminated employees and all new recruits; the authentication methods used to identify users authorized to access ePHI; a list of the transmission methods used to send ePHI over an electronic communications network; a list of systems administrators, backup operators, and users; a list of database security requirements and settings; a list of all Primary Domain Controllers (PDCs) and servers (including Unix, Apple, Linux, and Windows); and so on.
Is your Cobra subsidy running out?
On May 31, the 15-month federal Cobra premium subsidy ran out for the Americans who started receiving it in March 2009, when it first became available to laid-off workers who were eligible to remain in their group health plan under either the federal law known as Cobra or a state version.
If you fall into this group and are about to lose your Cobra subsidy, follow these tips:
1. If you are healthy, an individual or family plan will usually be cheaper than paying 100 percent of your Cobra premium. Call your insurance broker and search online for new plans. Meanwhile, do not drop your Cobra coverage until you are approved for a new plan, even if you have to pay the full Cobra premium for an extra month.
2. If you have a pre-existing condition, it will usually be cheaper to stay in your group health plan and pay the entire premium until your Cobra or Cal-Cobra eligibility ends, than switch to a HIPAA plan. HIPAA policies can be quite expensive, but they are still better than going without coverage or going into a state high-risk pool, which provides limited coverage for people who have been rejected for insurance.
3. Mix and match your options. For example, rather than pay 100 percent of the Cobra premium for family coverage, one parent - who is healthy – may opt for an individual policy. The other parent, who has a pre-existing condition, may remain on Cobra as a single person until it runs out and then get a HIPAA policy. The two children may qualify for Healthy Families. The total cost is less than what the family would pay to stay on Cobra as a family.
Is UW’s fundraising drive violating HIPAA by misusing PHI?
Though HIPAA goes to considerable lengths to protect PHI, it allows covered entities to use, or disclose to a business associate or institution-related foundation, two types of protected health information (PHI) for fundraising without specific permission: basic demographic information relating to an individual, and the dates of health care provided to an individual. Information about diagnosis or treatment is off-limits, but federal and state laws allow hospitals, in most cases, to use a patient’s name, address, contact information, dates of hospital service, gender, age, and insurance status in fundraising efforts.
Despite being legal, the practice, widely used by other nonprofit hospitals here and across the country, has raised eyebrows before mainly because people mistakenly lump health-care fundraising with those annoying commercial telemarketing calls that interrupt dinner, says William McGinly, president and CEO of the Association of Healthcare Philanthropy.
“It is a common misunderstanding,” he said. “Fundraising is a part of health-care operations.”
The UW’s fundraising drive, which began in April and ended early this month, ultimately raised nearly $28,000, but the way it used PHI has annoyed many. Finn, a 62-year-old retired CPA who lives on Queen Anne Hill and a one-time patient at the UW, was astounded when he got a call on his unlisted telephone number seeking a donation, and the caller told him the information had come from patient records.
The callers were primarily students under contract to the UW and trained in HIPAA privacy rules. This year, about 150 of the nearly 6,000 former patients who were solicited opted out of having their names on the fundraising list, but when Finn tried, he found it wasn’t as easy as he thought it should be.
In frustration, he called the UW’s privacy office to complain, and finally, when he went to the hospital, he was given a 16-page tome entitled “Joint Notice of Privacy Practices of UW Medicine and Certain Other Providers.”
The notice explains how a patient’s data may be used, and notes that phone solicitors don’t have access to “diagnosis or treatment information” and must agree to keep the information they do see confidential.
Finn said he was disturbed because HIPAA bars using patient information for commercial purposes.
“Excuse me, but raising millions of dollars to support UW — a commercial enterprise hiding behind a not-for-profit mask — certainly sounds like a bending of the rules to suit a purpose,” he said. “You just feel as though your privacy is being violated. … Just because HIPAA might allow UW to do this does not make it right.”
ePharmaSolutions partners with iTrials to improve patient recruitment
ePharmaSolutions, a leading provider of clinical research technologies and services, has partnered with iTrials to help improve the site selection and patient recruitment process. ePharmaSolutions will integrate iTrials’ longitudinal patient database into its CRID (Clinical Research Investigator Database), linking practicing physicians and experienced research Investigators with iTrials’ patient data to provide detailed views of each Investigator’s protocol-specific patient populations, both within their own practice and across their established referral networks. Pharmaceutical companies will be able to contract directly with ePharmaSolutions to provide this service at the study level and/or license the SFA (Site Feasibility Application) for self-service access to the global Investigator database.
“For the last 10 years iTrials has developed one of the industry’s largest HIPAA-compliant sets of longitudinal patient data, linking more than 80 million patients with over 350,000 physicians including each patient’s diagnoses, procedure events, age, gender and even original referral physician,” stated Lance Converse, CEO of ePharmaSolutions. “This data is very helpful in both protocol/site feasibility and patient recruitment campaigns and will be integrated into our Site Feasibility Application (www.epharmasolutions.com/sfa) for better site profiling and selection,” he added.
“Our new partnership will provide the pharmaceutical industry with actionable data to help improve site feasibility and patient recruitment that until now has been either too expensive or not packaged in a way that was meaningful to study teams,” stated Mike Hassell, CEO of iTrials. “We are now in a position to support our clients’ needs at both the study and enterprise level,” added Hassell.
Privacy Rule exception for using the PHI of a deceased subject
The Privacy Rule requires researchers to obtain written authorization from research subjects before using the subjects’ protected health information (PHI) in the course of research. Among the exceptions to this rule is one for the use of decedents’ PHI, after filing an appropriate certification.
When you wish to use the PHI of a deceased subject, you may rely on this Privacy Rule exception by making a certification. The certification is appropriate when: (1) the PHI sought via the certification is only that of decedents, (2) you can document the death of each individual if asked to do so, and (3) the PHI is necessary for the research purposes.
The Common Rule does not apply to research involving decedents. Rather, the Common Rule applies only to research involving “human subjects”, who are defined as “living” individuals.
You may make a certification for research on the PHI of decedents when all subjects in your protocol, or in a distinct part of that protocol, are deceased. If your research protocol involves the PHI of both living and deceased subjects, but no distinct part of the protocol is directed at the use of decedents’ PHI, do not use this process; instead, obtain an authorization, or seek a waiver of authorization, before using the PHI. It is not necessary to file a certification to continue using the PHI of a research subject who dies during the course of your research, because the authorization, or waiver of authorization, you obtained for the subject while living will allow you to continue using that PHI.