Survey reveals that healthcare organizations are keen to comply with Federal Privacy laws

FairWarning recently commissioned an independent firm to conduct a national survey of healthcare providers. The survey drew respondents from 200 unique hospitals across the US; the majority were compliance, privacy or risk personnel, followed by IT management and executive management. It was designed to elicit opinions and insights on the new healthcare privacy regulations (specifically ARRA HITECH), patient safety, privacy and auditing budgets, and information technology risk management.

In the survey, nearly half of healthcare organizations (47.3 percent) believed their organization is already compliant with federal privacy laws such as ARRA HITECH and HIPAA and is audit ready. However, nearly one-third of respondents stated they will not be compliant with ARRA HITECH requirements by the set deadlines, and just 7 percent demonstrated that they have both processes and automated systems in place incorporating the cornerstone technologies designed to eliminate security and privacy vulnerabilities.

The respondents' greatest concerns surrounding non-compliance with any of the federal privacy laws were the reputational impact of a failed audit or major privacy breach, financial penalties for non-compliance, and media exposure.

“It is highly unlikely that an organization can fully comply with its obligations under HIPAA and the ARRA HITECH without implementing automated systems for patient and user privacy auditing, managing and aggregating accounting of disclosures and identity management,” stated John Houston, Vice President of Privacy and Information Security and Assistant Counsel at the University of Pittsburgh Medical Center. “While respondents felt that their level of compliance was high, their implementation of necessary technologies was much lower.”

The survey findings concluded that healthcare organizations are:

1. Familiar with new healthcare privacy and security regulations, specifically ARRA HITECH

2. Concerned with the reputational impact associated with a breach and breach notification requirements

3. Mobilizing to meet compliance requirements and deploying critical technologies to plug security gaps and meet compliance requirements

4. Allocating budget to meeting new privacy and security requirements

5. Beginning to believe that enforcement of these laws is a government priority, and

6. In need of further education to align spending and technology deployments to government expectations.


Posted on : Mar 09 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Strategy, Tips |

How can you ensure HIPAA compliance with WLAN?

As technology advances and clinicians increasingly need to access, exchange, store and process information from any point in the network, wireless LANs are being adopted by doctors, nurses, paramedics and caregivers to work with patient data conveniently in large healthcare facilities. WLAN has given medicine mobility: staff can exchange information while on the move, which saves time, increases productivity and raises the quality of patient care.

But every bright side has a darker one, and WLAN is no exception: it can seriously undermine a healthcare facility's ability to meet HIPAA requirements for the electronic exchange of confidential patient health information. A wired network requires physical access to a port; a wireless network's radio signal carries beyond the walls, so anyone within range can attempt to join it, and an access point bridged straight into the internal LAN places a successful intruder behind the perimeter firewall. This poses a serious threat to the confidentiality of patient health information stored, exchanged or processed on the network.

To address this, the WLAN should provide the same technical safeguards the HIPAA Security Rule lists for any system handling electronic PHI: unique user identification, an emergency access procedure, automatic logoff, encryption with integrity protection so that traffic between the sender and the authenticated receiver can be neither read nor tampered with, and a means to authenticate electronic health information and preserve its integrity. On a WLAN, unique user identification means per-user authentication (802.1X/EAP, as in WPA2-Enterprise) rather than one shared pre-shared key; per-user credentials are also what make the audit log meaningful. The network should be continuously monitored for rogue access points, and clients that associate with a rogue access point should be denied access to the network until they re-associate through an authorized access point.

In addition, any change to an access point's configuration that could indicate unauthorized access should be brought immediately to the attention of the IT manager through an established alerting channel; comparing each access point's live settings against a recorded baseline is the simplest way to catch such changes. The WLAN should maintain an audit log recording the time, nature and resolution of each intrusion and the steps taken to avert it.

In short, the WLAN in any healthcare setting should be configured securely enough that the organization can store and exchange confidential patient health information over it in line with HIPAA.
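As an added example (not code from the original post or from any vendor it mentions), the monitoring and audit-logging requirements above can be checked mechanically: each sweep of observed radios is compared against an inventory of authorized access points and against their configuration baselines, client associations to unknown radios are flagged for containment, and every finding is written as an audit record with its time, nature and recommended resolution. The AP inventory, scan results and client associations are constructed for the demonstration, and the record layout is an assumption rather than any product's real format.

```python
"""Rogue-AP, client-containment and configuration-drift checks for a clinic WLAN.

Added example; not code from the original post or any vendor it mentions. The
AP inventory, scan results and client associations below are constructed, and
the audit-log record layout is an assumption rather than a real product format.
"""
import hashlib
import json
from datetime import datetime, timezone

# Authorized access points: BSSID -> SSID it should advertise and its approved
# security configuration. Channel is deliberately left out of the fingerprint
# because auto-RF legitimately moves APs between channels.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CLINIC-STAFF",
                          "config": {"auth": "WPA2-Enterprise", "cipher": "CCMP"}},
    "00:11:22:33:44:02": {"ssid": "CLINIC-STAFF",
                          "config": {"auth": "WPA2-Enterprise", "cipher": "CCMP"}},
}
AUTHORIZED_SSIDS = {ap["ssid"] for ap in AUTHORIZED_APS.values()}


def config_fingerprint(config):
    """Stable digest of an AP's security settings; any drift changes the digest."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


# Baseline digests captured when the APs were provisioned.
BASELINE = {bssid: config_fingerprint(ap["config"]) for bssid, ap in AUTHORIZED_APS.items()}


def analyze_wlan(scan, associations, now):
    """Turn one sensor sweep into audit-log records.

    scan:         dicts {bssid, ssid, auth, cipher, channel} for every radio heard.
    associations: dicts {client, bssid} reported by the controller or sensor.
    Each record carries the time, the nature of the event, detail, and the
    resolution the operator should take; the records are the HIPAA audit trail.
    """
    records = []

    def log(nature, detail, resolution):
        records.append({"time": now.isoformat(), "nature": nature,
                        "detail": detail, "resolution": resolution})

    for ap in scan:
        bssid, ssid = ap["bssid"], ap["ssid"]
        if bssid in AUTHORIZED_APS:
            live = {"auth": ap["auth"], "cipher": ap["cipher"]}
            if config_fingerprint(live) != BASELINE[bssid]:
                # A managed AP no longer runs its approved settings (e.g. it was
                # reset to an open network); this may indicate a compromise.
                log("config-drift", f"{bssid} ({ssid}) now {live}",
                    "page IT manager; restore baseline configuration")
        elif ssid in AUTHORIZED_SSIDS:
            # Unknown radio impersonating our SSID: an evil twin that will
            # attract staff devices and harvest their traffic or credentials.
            log("rogue-ap-evil-twin", f"{bssid} advertising {ssid} on ch {ap['channel']}",
                "locate the radio and remove it; disable its switch port if wired")
        else:
            # Unknown SSID on site. Not necessarily hostile, but if its uplink is
            # a wall jack it bridges the internal LAN past the firewall.
            log("unauthorized-ap", f"{bssid} advertising {ssid} on ch {ap['channel']}",
                "check the wired side for a bridged rogue; remove or register it")

    for assoc in associations:
        if assoc["bssid"] not in AUTHORIZED_APS:
            # A device has attached to a rogue radio: cut it off until it
            # re-associates through an authorized AP.
            log("client-on-rogue-ap", f"{assoc['client']} -> {assoc['bssid']}",
                "deny network access until the client re-associates with an authorized AP")
    return records


# Constructed sensor sweep: one healthy AP, one drifted AP, an evil twin and a
# consumer AP someone plugged in.
SAMPLE_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CLINIC-STAFF", "auth": "WPA2-Enterprise", "cipher": "CCMP", "channel": 6},
    {"bssid": "00:11:22:33:44:02", "ssid": "CLINIC-STAFF", "auth": "Open", "cipher": "None", "channel": 11},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CLINIC-STAFF", "auth": "Open", "cipher": "None", "channel": 6},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "linksys", "auth": "WPA2-PSK", "cipher": "CCMP", "channel": 1},
]
SAMPLE_ASSOCIATIONS = [
    {"client": "a4:5e:60:11:22:33", "bssid": "00:11:22:33:44:01"},  # on an authorized AP
    {"client": "a4:5e:60:44:55:66", "bssid": "de:ad:be:ef:00:01"},  # on the evil twin
]


def run_demo():
    """Analyze the constructed sweep with a fixed timestamp; returns the records."""
    return analyze_wlan(SAMPLE_SCAN, SAMPLE_ASSOCIATIONS,
                        datetime(2010, 3, 3, 9, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for rec in run_demo():
        print(json.dumps(rec))
```

Two design points matter in practice. The baseline fingerprint covers only the security settings (authentication mode and cipher), so routine channel changes from auto-RF do not raise false drift alerts while a reset to an open network does. And the "unauthorized-ap" class is deliberately a lower-confidence finding than the evil twin: radio observation alone cannot distinguish a neighbour's access point from one plugged into a wall jack on your LAN, so the resolution sends the operator to check the wired side before treating it as an intrusion.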


Posted on : Mar 03 2010
Posted under General, News, Privacy & security, Products, Strategy, Tips |

Hiring a HIPAA compliance consultant

HIPAA lays down numerous laws, rules and regulations to which you are subject, and the volume of information you are accountable for is massive. To manage it, you need a compliance consultant who uses these guidelines, together with the laws, rules and regulations of the various agencies, to help you formulate an effective compliance program for your office. Such a program provides a number of benefits, such as:

• Providing a protective shield against fraudulent and erroneous conduct,

• Helping reduce the risk of Qui Tam (whistleblower) lawsuits,

• Addressing billing and coding issues and establishing monitoring procedures for the life of the practice,

• Addressing education and training for the doctor and staff, and

• Serving as a mitigating factor for agencies assessing fines and penalties.

Besides this, a compliance consultant will help your staff learn the procedures of your office. The consultant will also review randomly selected records, including the billing and follow-up for each, determine where the deficiencies lie and recommend steps to correct them. He will suggest the necessary changes by answering questions, helping formulate strategies, conducting follow-up reviews based on the error rate, and even serving as the clinic's compliance officer.

When choosing a compliance consultant, your first choice should be a chiropractor. Secondly, the consultant you choose should be certified in both the areas of compliance and insurance.

With the increasing complexity in laws, it is virtually impossible for the average practitioner to keep up with all of the laws, rules, and regulations to which he is subject.

Hiring a compliance consultant is like hiring a specialist who knows the ins and outs of compliance and who will assist you in correcting existing errors and developing an effective compliance program to avoid future ones.


Posted on : Feb 22 2010
Posted under General, Guide, News |

MCS sues CHS for breach of contract

Managed Care Solutions (MCS) Inc., a Hollywood, Fla.-based collections agency, signed an exclusive three-year deal in 2003 to manage and collect payments for all hospitals of Franklin, Tenn.-based Community Health Systems (CHS), which then numbered 111, in return for a 22 percent cut of collections. MCS is now suing CHS, which operates 122 hospitals with approximately 18,000 licensed beds in 29 states, for breach of contract, claiming it was fired by the hospital chain on the pretext of the alleged arrest of a third-party employee.

It also charges that CHS did not provide adequate paperwork for 109 of the hospitals, and claims it has already put more than $1.2 million into collections software to provide services to CHS.

In its lawsuit, MCS alleges that CHS was already trying to find a way out of the deal when it learned that an MCS employee had been arrested for identity theft for stealing patients’ confidential information at a New Jersey hospital. CHS then canceled the contract, citing a material breach.

MCS counters that the employee actually worked for a third-party staffing firm and that there is no proof the employee either stole patient information or was arrested. MCS also says the employee should not have had access to such information in the first place, holding CHS accountable and suggesting potential HIPAA violations.


Posted on : Feb 22 2010
Posted under General, Guide, In the news, Legislation, News |

Treatment of requests for additional restrictions on disclosure of PHI

Under HIPAA's Privacy Rule, individuals may request additional restrictions on uses and disclosures of their protected health information (PHI). A covered entity is not required to agree to a requested restriction. (The HITECH Act adds one exception: where an individual has paid for an item or service out of pocket in full and asks that it not be disclosed to a health plan for payment or health care operations, the covered entity must agree.)

If the covered entity agrees to a restriction, it must abide by it, except where the restricted information is needed to provide emergency treatment; in that case the provider who receives the information must be asked not to redisclose it.

Such restrictions do not apply to the broad "fourth class" of uses and disclosures for which no consent, authorization or opportunity to agree or object is required. These include:

* Public health
* Abuse
* Neglect or domestic violence reporting
* Health oversight
* Judicial or administrative proceedings
* Law enforcement
* Research under Privacy Board or IRB waiver
* Immediate threats to public safety
* National security
* Government functions
* Uses and disclosures otherwise required by law.

A covered entity may terminate its agreement to a restriction if:

* the individual agrees to or requests the termination in writing;
* the individual orally agrees to or requests the termination, and the oral agreement is documented; or
* the covered entity informs the individual that it is terminating its agreement to the restriction. In this case the termination is effective only for protected health information created or received after the individual has been informed.


Posted on : Feb 22 2010
Posted under General, Guide, In the news, Legislation, News |

MindLeaf introduces new 5010 conversion services

MindLeaf Technologies, Inc., a leading provider of HIPAA 5010 conversion services, has announced that it will provide these services to clearinghouse, payer and provider organizations.

MindLeaf introduced its new 5010 conversion services at the 2nd WEDI 5010/ICD-10 Forum, held February 2nd through 4th at the Hyatt Regency in Austin, TX. At the forum MindLeaf announced that it would offer attendees a limited number of complimentary 5010 pre-engagement analysis packages on a first-come, first-served basis. Each package includes up to 40 hours of work by experienced EDI professionals and delivers a full inventory of affected EDI translation maps and transaction processes, suitable for use with MindLeaf or any other conversion services provider, or to support internal teams.

“Many organizations still see 5010 conversion as a future challenge, and they are not making it a ‘now’ issue,” said Paresh Shah, MindLeaf president. “However, the Level I testing phase is already underway, and organizations that begin the process now will benefit from better quality and lower costs, while conversion vendors are still not in high demand. Companies that begin to transition now will also have time to get in front of unexpected issues and will also have a chance to run their 4010 and 5010 systems in parallel to ensure zero downtime through the transition.”


Posted on : Feb 11 2010
Posted under General, Guide, In the news, Legislation, News, Tips |

Paul Reymann to review HIPAA & HITECH at LogRhythm’s webinar

Based in Boulder, Colorado with European Headquarters in Maidenhead, England, and Asia Pacific operations in Hong Kong, LogRhythm provides enterprise-class SIEM 2.0 Technology – log and event management, file integrity monitoring, and network and user monitoring in a single integrated solution – that empowers organizations to comply with regulations, secure their networks, and optimize IT operations.

The company will offer a webinar, delivered to your desktop, on Tuesday, February 9, 2010, 2:00 PM - 3:00 PM EST. As the new provisions of the HITECH Act will affect every healthcare organization, the webinar will highlight changes in HIPAA security requirements, gaps found in HIPAA compliance provisions, and the new penalties for non-compliance.

Paul Reymann, CEO of ReymannGroup and one of the nation's foremost experts on regulatory compliance and information risk management, will review the state of HIPAA, the benefits and challenges of the HITECH Act, and clarify the impact of sleeper provisions associated with the new "meaningful use" requirements published by the Department of Health and Human Services (HHS) at the start of 2010. He will explain how these new requirements can allow organizations to access available stimulus dollars while demonstrating a streamlined path to compliance.

Attendees will also learn how to obtain stimulus dollars to fund Electronic Health Record (EHR) projects, reduce the risk of medical identity theft, automate compliance reporting, audits and forensic analysis, and comply with federal and state laws and rules for protecting EHRs.


Posted on : Feb 11 2010
Posted under General, Guide, News |

Lighthouse Continuity Partners LLC opens office in Greenville

With the objective of helping eastern North Carolina businesses with disaster preparedness and response, Lighthouse Continuity Partners LLC has opened an office in Greenville. The office offers a full range of disaster planning services and products, including a free initial assessment, project management, impact analysis, planning, strategy development, external agency coordination, training and exercising. These services can be customized to specific customer needs and also include fire pre-plans and executive family disaster plans.

With the help of its external partners, Lighthouse Continuity Partners can provide specific disaster-related products including documentation templates, remote online computer system backup, information security services, HIPAA security audits, managed IT services and other products.

“We are excited to open our business office here in Greenville,” Chris Servia, president and chief executive officer, said in a news release. “Our location provides for full access to all areas of eastern North Carolina. For area businesses, there are several natural risks such as snowstorms, tornadoes and hurricanes. Each business also has unique risks inherent to the business industry of which they are a part. Our hope is that our business services can help protect and speed recovery in business disaster events.”

“Our partnerships ensure we can provide services to small, mid-size, and enterprise customers throughout the United States as well as locally. And our specialty includes planning for health care service organizations and helping them meet the electronic security specifications of HIPAA. We are uniquely qualified to help medical organizations prepare for disaster events,” Servia added.


Posted on : Feb 08 2010
Posted under General, News |

The Winter IT Summit to take place on February 9-10

The Winter Health IT Summit of the Institute for Health Technology Transformation is taking place on February 9-10 in Phoenix, Arizona. The summit is designed to bring together C-level, physician, practice management and IT decision-makers from North America's leading provider organizations and physician practices. It was announced recently that Redspin, Inc. will be participating and speaking at the summit, with CEO and founder John Abraham speaking on behalf of the company. Redspin, founded in 2000, delivers information security assessments to leading companies in healthcare, financial services, hotels, casinos and resorts, as well as to retailers and technology providers.

The panel, entitled "Technology, Security Mandates, and HIPAA Privacy," will cover the new mandates that ARRA has brought practices under HIPAA. "New mandates will force practices to adopt policies and procedures in order to avoid new enforcement provisions and significantly increased penalties," said Waco Hoover, CEO, Institute for Health Technology Transformation, adding, "These critical changes include: new provisions for accounting of disclosures; new patient rights that you will need to incorporate into your policies and staff training; new requirements should your patient data be breached; modifications that will need to be made to your business associate relationships; and increased penalties up to $50,000 per violation to a maximum of $1.5 million a year in the most egregious cases of data breaches."

The panel will be moderated by Khalid Kark, Principal Analyst, Forrester Research, and speaking, along with John Abraham, will be Ram Krishnan, SVP of Products and Marketing, GuardianEdge; Carole Klove, Chief Compliance Officer & Privacy Officer, UCSF Medical Center; Robert Israel, Vice President & Chief Information Officer, John C Lincoln Health Network; and Aaron Carpenter, Chief Information Security Officer, Arizona Department of Health Services.

The Summit’s attendees include industry leaders and senior executives from the healthcare community with the following job titles: Chief Information Officer, Chief Medical Officer, Chief Medical Informatics Officer, Physician, Practice Manager, VP and Director of IT.


Posted on : Feb 03 2010
Posted under General, Guide, News |

HIPAA for fundraising purposes

For fundraising purposes, a covered entity may disclose to a business associate or institutionally related foundation only two types of PHI without the individual's specific permission: basic demographic information about the individual, and the dates of health care provided to the individual.

Although the regulations do not spell out what constitutes demographic information, DHHS has indicated that it "generally include[s] in this context name, address and other contact information, age, gender and insurance status." It specifically excludes "any information about the illness or treatment," including any information about "diagnosis [or] nature of services." DHHS has also been clear that the limitations apply to internal uses (solely within the covered entity) as well as to "external" disclosures to business associates or institutionally related foundations: "Broad access to [PHI] is unnecessary for fundraising and unnecessarily intrudes on the privacy of the patient."

HIPAA likewise offers no explicit definition of fundraising. The only reference available is DHHS's commentary that it is activity "for the specific purpose of raising funds" for the institution, rather than for a general charitable purpose.

An "institutionally related foundation" is defined as one qualified under the tax code (e.g., 501(c)(3)) that has an "explicit linkage" to the covered entity, or to a group of organizations of which the covered entity is one. "The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases," even if some of its resources may be given to the covered entity.

The provision for institutionally-related foundations was included because of tax code provisions that may not allow such foundations to be considered business associates. Note that the tax status of the covered entity — viz., for-profit vs. not-for-profit — does not affect the application of any of these rules.


Posted on : Feb 03 2010
Posted under General, Guide, News |