Blumenthal announces the first state settlement with Health Net

This January Connecticut Attorney General Richard Blumenthal made headlines when he brought a HIPAA enforcement action against insurance giant Health Net, becoming the first state AG in the country to do so. Health Net was sued over the loss of a hard drive containing the records of over 500,000 individuals, including clinical data, Social Security numbers, addresses, and other financial information. According to Blumenthal, Health Net then compounded the lapse (which it attributed to theft) by failing to inform those affected for more than six months after the incident.

Now Blumenthal has added to the story by announcing that he has brokered the first state settlement of such an action. Under its terms Health Net will pay $250,000 directly to the State of Connecticut as statutory damages (and, no doubt, as a warning to other health insurers). It will also set aside a further $500,000 to cover damages should it eventually be found that the missing hard drive was accessed and that members' personal information was used illegally.

This is sure to add more lines to some already wrinkled brows at Health Net.


Posted on : Aug 17 2010
Posted under General, In the news, News, Privacy & security, Products, Strategy, Tips |

HHS Proposed Rule for marketing under HIPAA

The U.S. Department of Health and Human Services (HHS) has proposed a set of significant updates to the health privacy rules. The proposed rule is open for public comment until September 13th. Although it does not clarify some outstanding issues in the health information technology (health IT) area, it contains numerous changes to the HIPAA Privacy Rule, the most prominent concerning business associates, enforcement, marketing and research.

Under HIPAA, covered entities need patient authorization to send marketing communications to patients. The Privacy Rule, however, lists several exceptions for which no authorization is required, including communications about treatment, alternative therapies, and "value-added" benefits. HITECH withdrew this exception where the entity receives "direct or indirect remuneration" from an outside party (such as a product manufacturer) to make the communication: Congress declared such subsidized communications to be marketing, with one exception, a communication about a drug or biologic the patient is currently taking.

Under the proposed rule, however, prior patient authorization would not be required for subsidized treatment communications, provided they are tailored to the individual's health condition. Instead, the provider must notify the patient of its intent to send subsidized treatment communications, the notice must tell the patient that she may opt out of receiving them, and each treatment communication must itself repeat the opt-out and disclose that someone paid the provider to send it.

In the current Privacy Rule, the term "payment" covers only the activities of health plans in paying for health care and of providers in seeking payment for it. The proposed exception, however, also covers treatment communications subsidized by third parties that are neither health plans nor providers.


Posted on : Aug 08 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Products, Strategy, Tips |

Using 'Secure FAX' to comply with HIPAA's 'Safeguards Principle'

Healthcare organizations often urgently need to send sensitive information, such as protected health information (PHI), by facsimile, yet anyone with physical access to the phone lines and some technical expertise can eavesdrop on calls and faxes and so obtain PHI. HIPAA addresses faxes under the "Safeguards Principle", which states that 'Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.'

With email, many physical, technical, and administrative safeguards are easy to apply. With faxes the situation is very different:

* There is no easy way to secure a fax transmission between two parties unless both are set up with special encrypting fax machines. Few organizations have such tools; they are expensive, and to be useful everyone must have compatible machines.
* Everyone already uses insecure fax machines.
* Faxes are often left on the fax machine for some time after they arrive, which makes the sensitive information available to anyone walking by the machine.
* Fax machines often save copies of received faxes internally, so anyone with access to the machine can print additional copies of the sensitive material.
* Fax machines generally print the transmitted messages on paper. If that paper is not destroyed, it can end up in an insecure location.

To address this, one option is a "Secure FAX" service delivered over the Internet. These services work as follows:

* You access the service's web site over a secure (SSL) connection.
* You log in and upload the material to be "faxed" (typically after scanning it and saving it on your computer).
* You enter the recipient's email address and possibly a fax number.
* The pages you are "faxing" are encrypted and saved in a database at the service provider.
* The recipient gets an email or fax notifying them that a "fax" is waiting and that they need to go to a web site to "pick it up".
* The recipient goes to the web site and downloads the "fax" over a secure (SSL) web connection.

The information is protected at every hop, rather than travelling in the clear over the phone line, because:

* The transmission from the sender to the server is secured.
* The temporary storage is encrypted.
* The transmission from the server to the recipient is secured.
* An audit trail may be available to track the process, which helps with compliance.
* Authentication of the sender and/or recipient may be present, which also helps with compliance.

This is clearly a more secure way to transmit PHI than a classical fax, with one caveat: the service provider holds the pages and the keys that protect them, so it handles PHI on your behalf and must be treated as a business associate, with a business associate agreement in place.
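The upload / notify / pick-up flow described above, modelled as an added example (this is not the code of any fax service and is not from the original post). It shows the parts a practitioner would want to check in such a service: per-document encryption of the stored pages with an integrity tag, a pick-up token that is stored hashed, bound to the named recipient, expiring and single-use, and an append-only audit trail of every attempt. The cipher is a standard-library stand-in (HMAC-SHA256 in counter mode, encrypt-then-MAC); a real service would use an AEAD such as AES-GCM from a vetted library. The 72-hour link lifetime, the e-mail addresses and the page contents are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


# Stdlib stand-in for an AEAD: HMAC-SHA256 in counter mode as keystream plus an
# HMAC tag under a separate subkey. Use AES-GCM from a vetted library in practice.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(doc_key: bytes):
    return (hmac.new(doc_key, b"enc", hashlib.sha256).digest(),
            hmac.new(doc_key, b"mac", hashlib.sha256).digest())


def seal(doc_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for storage at the service."""
    enc_key, mac_key = _subkeys(doc_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(doc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise if the stored pages were altered."""
    enc_key, mac_key = _subkeys(doc_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("stored fax failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecureFaxService:
    """Server side of the upload / notify / pick-up flow, with an audit trail."""

    TOKEN_TTL = 72 * 3600  # pick-up link lifetime in seconds (assumed value)

    def __init__(self, clock=time.time):
        self.clock = clock
        self.docs = {}   # doc_id -> record (doc_key would live in a KMS, not beside the blob)
        self.audit = []  # append-only (timestamp, event, doc_id, actor)

    def _log(self, event, doc_id, actor):
        self.audit.append((int(self.clock()), event, doc_id, actor))

    def upload(self, sender, recipient, pages: bytes):
        """Sender, already logged in over TLS, uploads the scanned pages."""
        doc_id = secrets.token_hex(8)
        doc_key = secrets.token_bytes(32)   # one key per document
        token = secrets.token_urlsafe(32)   # sent to the recipient in the notice
        self.docs[doc_id] = {
            "blob": seal(doc_key, pages),
            "doc_key": doc_key,
            "recipient": recipient,
            "token_hash": hashlib.sha256(token.encode()).digest(),  # stored hashed, like a password
            "expires": self.clock() + self.TOKEN_TTL,
            "picked_up": False,
        }
        self._log("upload", doc_id, sender)
        return doc_id, token

    def pickup(self, doc_id, token, authenticated_user):
        """Recipient follows the link and, after logging in, downloads the pages."""
        rec = self.docs.get(doc_id)
        if rec is None:
            self._log("pickup_unknown_doc", doc_id, authenticated_user)
            return None
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, rec["token_hash"]):
            self._log("pickup_bad_token", doc_id, authenticated_user)
            return None
        if authenticated_user != rec["recipient"]:  # the link alone is not enough
            self._log("pickup_wrong_user", doc_id, authenticated_user)
            return None
        if self.clock() > rec["expires"]:
            self._log("pickup_expired", doc_id, authenticated_user)
            return None
        if rec["picked_up"]:  # a forwarded notice cannot be replayed
            self._log("pickup_replay", doc_id, authenticated_user)
            return None
        try:
            pages = unseal(rec["doc_key"], rec["blob"])
        except ValueError:
            self._log("pickup_integrity_failure", doc_id, authenticated_user)
            raise
        rec["picked_up"] = True
        self._log("pickup_ok", doc_id, authenticated_user)
        return pages


if __name__ == "__main__":
    svc = SecureFaxService()
    doc, tok = svc.upload("dr.a@clinic.example", "records@hospital.example", b"PAGE 1: constructed PHI")
    print(svc.pickup(doc, tok, "records@hospital.example"))   # the pages
    print(svc.pickup(doc, tok, "records@hospital.example"))   # None: link already used
    print(*svc.audit, sep="\n")
```

The ordering of the checks matters for the audit trail: a wrong token is logged before the recipient is compared, so a brute-force attempt on the link is distinguishable from a legitimate user opening someone else's notice. When auditing a real service, ask for exactly these records and for where the document keys are kept.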


Posted on : Jun 26 2010
Posted under General, Guide, In the news, Privacy & security, Products, Strategy, Tips |

ePharmaSolutions partners with iTrials to improve patient recruitment

ePharmaSolutions, a provider of clinical research technologies and services, has partnered with iTrials to improve site selection and patient recruitment. ePharmaSolutions will integrate iTrials' longitudinal patient database into its CRID (Clinical Research Investigator Database), linking practicing physicians and experienced research investigators with iTrials' patient data to give detailed views of each investigator's protocol-specific patient population, both within their own practice and across their established referral networks. Pharmaceutical companies will be able to contract directly with ePharmaSolutions for this service at the study level and/or license the SFA (Site Feasibility Application) for self-service access to the global investigator database.

“For the last 10 years iTrials has developed one of the industry’s largest HIPAA-compliant sets of longitudinal patient data, linking more than 80 million patients with over 350,000 physicians including each patient’s diagnoses, procedure events, age, gender and even original referral physician,” stated Lance Converse, CEO of ePharmaSolutions.  “This data is very helpful in both protocol/site feasibility and patient recruitment campaigns and will be integrated into our Site Feasibility Application (www.epharmasolutions.com/sfa) for better site profiling and selection,” he added.

“Our new partnership will provide the pharmaceutical industry with actionable data to help improve site feasibility and patient recruitment that until now has been either too expensive or not packaged in a way that was meaningful to study teams,” stated Mike Hassell, CEO of iTrials.  “We are now in a position to support our clients’ needs at both the study and enterprise level,” added Hassell.


Posted on : May 28 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Products, Strategy |

Choosing the right biometric system for securing PHI

HIPAA places special emphasis on the conversion of patient medical records from paper to electronic format, and any covered entity that fails to protect patient health data under HIPAA's compliance norms is subject to strict penalties and criminal prosecution.

When handling health transactions over the Internet, health service entities must provide a very secure access system. Biometric technology can help here: it uses unique physical characteristics (fingerprint, iris, retina) and behavioral characteristics (signature, keystroke pattern, voice print), enrolled in the system to create a secure, unique identifier for each user.

When choosing a biometric system, the health care provider should look for these features:

  • It should be easily deployable. The devices should be cost effective and user friendly, so that users can access the services without difficulty.
  • The system should let the service provider quickly capture the user's sample and compare it with the enrolled template.
  • There should be proper training and support for installation, integration and tuning of the devices.
  • High degree of accuracy. The false-acceptance rate (FAR) and false-rejection rate (FRR) trade off against each other as the decision threshold moves; the point where they are equal is the crossover error rate (CER), and a lower CER indicates a more accurate system.
  • Customized to the environment. Fingerprint scanning works well for patient admission, nursing, billing and administration, but fails in clinics and labs where latex gloves are worn.
  • The system should support interoperability, so that data from different biometric devices can be exchanged and compared. Combining two or more different types of device also gives greater assurance and a stronger access control system.

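The FAR / FRR / CER relationship from the accuracy bullet, worked through as an added example (not from the original post and not any vendor's code). Given matcher scores for genuine users and for impostors, the code sweeps every possible decision threshold, reports FAR and FRR at each, finds the crossover (the threshold where the two are equal, whose value is the CER), and also answers the question a PHI deployment actually asks: what FRR do clinicians pay if we cap FAR at a given level. The score lists are constructed for the example; real scores come from the vendor's matcher on your own enrolled population.

```python
def error_rates(genuine, impostor, threshold):
    """FAR = impostors accepted, FRR = genuine users rejected (accept iff score >= threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def _candidates(genuine, impostor):
    # Every distinct score is a possible decision boundary; +inf means "reject everyone".
    return sorted(set(genuine) | set(impostor)) + [float("inf")]


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest; the CER is their mean there (equal at a true crossover)."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    best_t = min(_candidates(genuine, impostor), key=gap)
    far, frr = error_rates(genuine, impostor, best_t)
    return best_t, far, frr, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold that keeps FAR at or below max_far, with the FRR paid for it."""
    for t in _candidates(genuine, impostor):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr


# Constructed matcher output (higher score = better match), not real measurements.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.6, 0.55, 0.4]
IMPOSTOR = [0.1, 0.2, 0.3, 0.35, 0.45, 0.5, 0.65, 0.7]

if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for t in _candidates(GENUINE, IMPOSTOR):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"{t:>9}  {far:.3f}  {frr:.3f}")
    t, far, frr, cer = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at {t}: FAR={far:.3f} FRR={frr:.3f} CER={cer:.3f}")
    t, far, frr = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"zero FAR needs threshold {t}, costing FRR={frr:.3f}")
```

Two practical points follow from the numbers. First, comparing vendors by CER only makes sense if both are measured on the same population and in the same environment; the gloved-hands failure in the next bullet shows up as a high FRR that a demo in a conference room will not reveal. Second, driving FAR down for PHI access raises FRR, and a system that locks out clinicians too often gets worked around with shared logins, which is worse than either error.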
Posted on : May 12 2010
Posted under General, Guide, Legislation, Privacy & security, Products, Tips |

Apptix launches Secure Mail for email protection

Apptix is a leading provider of hosted Microsoft Exchange, Microsoft SharePoint, and business VoIP services for businesses worldwide. The company has announced the launch of Apptix Secure Mail, which provides email encryption and decryption at the desktop for secure end-to-end transmission. It protects messages in transit over the Internet and at rest in local email stores and corporate email archives. Recipients of an encrypted message who do not subscribe to the Secure Mail service receive a notification email with a link to retrieve the message from a secure web-based portal.

The features of Apptix Secure Mail include:

• One-click security – Users simply click a “Secure” button within the Outlook email client before sending to have the application encrypt the message.

• Send to anyone capability – Subscribers receive the encrypted mail directly in their Inbox; non-subscribers collect the messages via a secure Web portal.

• No key exchange or management required – Intelligent key lookup occurs transparently, eliminating the need for users to exchange and manage encryption keys.

• Strong encryption and authentication – Standards-based technologies such as Public Key Infrastructure (PKI), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), S/MIME and X.509 certificates provide confidentiality, message integrity, and user authentication.

"Apptix Secure Mail is a cost effective, end-to-end encryption solution for customers, particularly in healthcare and finance, to meet regulatory compliance requirements," said James Bond, Vice President of Product and Software Development with Apptix. "From within Microsoft Outlook, users can send secure messages to any email address including Gmail, Yahoo, or Hotmail accounts, even if the recipient does not subscribe to the email encryption service. In addition, customers do not have the hassle of sending shared secret passwords or negotiating certificates/encryption keys—everything is seamless and transparent."


Posted on : Apr 27 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Products |

HHS reports a significant number of PHI breaches by HIPAA covered entities

The U.S. Department of Health and Human Services (HHS) reports that since the new federal breach notification requirement took effect in September 2009, large breaches of patients' health information have been reported by more than 30 HIPAA covered entities. The requirement, enacted in the American Recovery and Reinvestment Act of 2009, obliges Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities to notify individuals whose protected health information may have been improperly accessed, used or disclosed. If an incident affects 500 or more patients, the covered entity must also notify HHS and the media, and HHS must post the names of entities reporting such large breaches on its Web site.

The largest of these breaches was reported by Blue Cross Blue Shield of Tennessee; it affected about 500,000 people and was attributed to stolen hard drives. More than half of the 36 reported large breaches involved theft, loss or unauthorized access of computers or laptops, and several others involved portable electronic devices. Only a few involved paper records. HHS also received approximately 300 reports of smaller breach incidents, typically involving paper records.

HHS posted its list on its Web site on Feb. 22, giving the causes of the 36 breaches as:
• theft (22);
• theft and unauthorized access (five);
• loss (three);
• incorrect mailing/e-mail (two);
• unauthorized access (two);
• hacking (one); and
• phishing scam (one).


Posted on : Apr 06 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Products, Strategy, Tips |

HIPAA preserves health insurance benefits for individuals with pre-existing conditions

Getting health coverage is a big problem for many individuals who cannot buy private health insurance because they have a known condition that is very expensive to treat. Insurers may refuse to cover such individuals, since they are seen as liabilities whose expected medical bills exceed the premiums they would pay.

In addition, if an individual gets sick while covered by one carrier, he may be forced to look for a new one if he changes jobs or the original insurer cancels the policy, and the new insurer will not want to pay for subsequent treatment.

This is where HIPAA, the Health Insurance Portability and Accountability Act, which covers many aspects of health care, comes in. HIPAA has had a profound effect on the availability of health care to many individuals in America, and it ensures that individuals with pre-existing conditions can still benefit from health insurance.

HIPAA limits how long a pre-existing condition exclusion can be applied under a group plan, and there are ways to shorten or eliminate the exclusion entirely. Under the HIPAA rules, the longest you can be made to wait for coverage of a pre-existing condition is 12 months, or 18 months for late enrollees.

HIPAA also recognizes creditable coverage, meaning any health insurance you had in the past, provided it was not interrupted by a break of 63 or more days. That period can be longer, depending on state law and the kind of plan you had before.

If you can show that you had uninterrupted coverage before the current plan, that coverage is credited against any pre-existing condition exclusion. If you had at least one year of group health insurance at one job and then obtained coverage at a new job without a break longer than 63 days, the new plan cannot impose an exclusion for any pre-existing condition you may have.

Hidden forms of pre-existing condition exclusion include denying coverage for treatment of an injury from an accident that happened before the plan was acquired, counting coverage paid under a previous plan toward the new plan's lifetime limit, and refusing to cover a congenital condition that would be covered if it were not congenital.


Posted on : Mar 18 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Products, Strategy |

IQMax ties up with Transolutions to deliver its mobile dictation platform

IQMax, a healthcare technology provider, has partnered with Transolutions to deliver IQMax's mobile dictation platform to 150 physicians at a leading acute care facility in the Midwest. Transolutions is a healthcare information company providing medical transcription services and document technology solutions to acute care facilities, clinics and surgery centers.

Physicians are using Hewlett Packard iPAQ mobile devices running the Windows Mobile OS to dictate patient notes and view their patient schedules. IQMax lets physicians do both anytime, anywhere, on the same device they use to manage their e-mail, calendar, and contacts.

Unlike many other dictation input methods, the IQMax platform keeps patient data secure and supports HIPAA compliance through data encryption and secure user login.

IQMax thus improves physician productivity by giving them the freedom to dictate at their convenience, on the move or at the point of care, across any care setting.

“IQMax has built what we believe to be a best in class Enterprise mobile platform. It is a scalable, dependable, and easily deployable technology”, said Chris Allen, director of client relations at Transolutions, in the release.

“Today’s demanding schedules require that physicians maximize the value of every minute. With IQMax, providers have the ability to view patient information and dictate patient notes where it matters most- at the point of care”, said Paul Adkison, founder and CEO of IQMax.


Posted on : Mar 18 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Products, Strategy, Tips |

Emdeon launches HIPAA Simplified to help with compliance

Under rules issued by HHS on January 16, 2009, all healthcare segments, including hospitals, physicians, dentists, pharmacies, PBMs, payers and vendors, must comply with the new HIPAA 5010 and NCPDP D.0 standards by January 1, 2012. This poses a number of challenges for covered entities.

Emdeon has now launched HIPAA Simplified as a one-stop resource for the information covered entities need for HIPAA readiness. It will serve as a communications focal point as Emdeon helps its customers adopt the 5010 and D.0 standards before 2012. The website offers technical gap analyses, simplified business-level downloads, trading partner transition strategy information, frequently asked questions and testing tools.

HIPAA Simplified is organized by business unit across the healthcare industry, so visitors need not navigate a complex site or visit several. They simply select their line of business, and all available resources are on that page to browse and download, free of charge. The resources range from high-level FAQs, to documents that explain the transition in business-level language, to in-depth technical analyses.

With this, Emdeon, which describes itself as the nation's largest health information network, positions itself as a comprehensive source for HIPAA readiness. As with HIPAA 4010 and the National Provider Identifier (NPI), Emdeon says it is working to deliver solutions that let its customers meet the new requirements for HIPAA 5010, NCPDP D.0 and ICD-10.


Posted on : Mar 09 2010
Posted under General, In the news, Legislation, Privacy & security, Products, Strategy |