Archive for the ‘Strategy’ Category:
Getting yourself insured against security breach or privacy loss
If you are in the healthcare industry managing PHI, a single security breach can cost millions. With large numbers of patients or insured customers, the potential cost of a breach can be very high, so you should consider network security or privacy loss insurance. What started with just a few specialist insurers, such as Lloyd’s of London, has grown to more than 15 companies offering coverage for security breaches, as well as brokers who can help you find the right coverage.
Insurance against security breaches covers two main areas. First-party coverage protects you against the direct costs suffered by your business, including potential fines, productivity loss, financial damage and even PR expenses. Third-party coverage protects you against costs incurred for damage to third parties, such as virus damage or identity theft. Healthcare and insurance companies are buying these policies to cover the residual risk of a breach that reveals HIPAA-protected information.
When buying this type of insurance, you first need to figure out how much coverage is needed. The potential loss depends on the number of records of sensitive data, the regulatory framework and the company’s existing security infrastructure. Coverage can be secured for a few thousand dollars, offering protection against losses in the $1 million to $5 million range, and special policies can be tailored for more coverage.
CMS sends letter to state Medicaid agencies for guidance on use of EHR
The HITECH Act provides 100 percent federal funding for Medicaid meaningful use incentive programs and 90 percent for reasonable state administrative expenses. States must, at a minimum, demonstrate adequate administrative and oversight procedures, and promote adoption of certified EHR products and secure exchange of health information.
The Centers for Medicare and Medicaid Services has sent a 19-page letter to state Medicaid agencies. The letter gives guidance on developing state-level incentive programs for the meaningful use of electronic health records.
CMS in the letter urges states to implement their Medicaid EHR incentive programs as soon as possible in 2011 to benefit most from available federal resources, such as time-limited funding and technical assistance.
Here is an excerpt from the letter:
Dear State Medicaid Director:
This letter provides guidance to State Medicaid agencies regarding implementation of section 4201 of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), Pub. L. 111-5, and our recently published regulations at 42 CFR Part 495, Subpart D. Section 4201, as well as our final regulations, will allow the payment of incentives to eligible professionals (EPs) and eligible hospitals to promote the adoption and meaningful use of certified electronic health record (EHR) technology.
The Recovery Act provides 100 percent Federal financial participation (FFP) to States for incentive payments to eligible Medicaid providers to adopt, implement, upgrade, and meaningfully use certified EHR technology, and 90 percent FFP for State administrative expenses related to the program.
The Centers for Medicare & Medicaid Services (CMS) issued a State Medicaid Director (SMD) letter on September 1, 2009, that provided guidance to States on allowable expenses for activities supporting the administration of incentive payments to providers. CMS has now promulgated final regulations that also govern State administrative expenses related to administering the program. Both the SMD letter and our regulations at 42 CFR section 495.318 explain that, in order to qualify for the 90 percent FFP administrative match, a State must, at a minimum, demonstrate to the satisfaction of the Secretary compliance with three requirements:
• Administration of Medicaid incentive payments to Medicaid EPs and eligible hospitals;
• Oversight of the Medicaid EHR Incentive Program, including routine tracking of meaningful use attestations and reporting mechanisms; and
• Pursuit of initiatives that encourage the adoption of certified EHR technology for the promotion of health care quality and the electronic exchange of health information.
You can access the full guidance letter at
https://www.cms.gov/smdl/downloads/SMD10016.pdf
Binary Spectrum gets HIPAA certification
Binary Spectrum, a Microsoft Gold certified partner and a member of the Sun Partner Advantage Program with years of expertise in designing and developing customized healthcare software products, HL7 integration solutions and outsourcing support for the global market, has achieved Health Insurance Portability and Accountability Act (HIPAA) certification. It is now among the organizations that comply with the HIPAA regulations and are certified to provide IT services and solutions to healthcare organizations.
As a result, the company’s software offerings, including electronic medical records, HMIS, EHR, medical billing and coding, medical practice management, medical prescription and outcome registry, are HIPAA and HL7 compliant.
Binary Spectrum is committed to ensuring the confidentiality, integrity, availability and privacy of the information of all stakeholders, and the protected health information of all its customers, by adopting a formal Business Risk Management Framework and establishing a compliance and security management system.
Based on the audit performed by ProMinds Consulting in May 2009, within the scope detailed, Binary Spectrum has been declared compliant with HIPAA. ProMinds Consulting certifies that Binary Spectrum has established and applies the applicable privacy provisions of HIPAA.
“With just 5 years of expertise in the healthcare domain, achieving HIPAA compliance not only ensures that we are compliant to global standards but also assures the security of our customers’ most sensitive information and individual health records being handled,” says Mr. Ashok Kumar, CEO, Binary Spectrum. He further adds, “We are pleased to have achieved this recognition and as a likely succession, we look forward to achieving our subsequent milestones that would continue to focus on providing improved and assured quality products and services to our customers.”
Blumenthal announces the first state settlement with Health Net
This January, Connecticut State Attorney General Richard Blumenthal painted the headlines red when he brought a HIPAA enforcement action against insurance giant Health Net, becoming the first AG in the country to do so. Health Net has been under suit for its loss of a hard drive containing over 500,000 individuals’ records, including clinical data, social security numbers, addresses and other financial information. According to Blumenthal, Health Net then compounded the gaffe (which they chalked up to theft) by failing to inform those affected about what had occurred for over six months after the incident.
Now Blumenthal has added to the news with his announcement that he has brokered the first state settlement of such an action. Under the terms of the settlement, Health Net will be ordered to pay $250,000 directly to the state of Connecticut as statutory damages (and to serve as a warning to other health insurance companies as well, no doubt). It will also have to set aside a further $500,000 to cover damages should it eventually be found that the missing hard drive was accessed and that members’ personal information was used in an illegal manner.
This is sure to add more lines to some already wrinkled brows at Health Net…
What are HIPAA transactions and code set standards?
The HIPAA transactions and code set standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.
A “transaction” is an electronic business document. Each of the HIPAA standard transactions has a name, a number, and a business or administrative use. Those of importance in a medical practice are listed below:
* Claim/encounter (X12 837): for submitting a claim to a health plan, insurer or other payer.
* Eligibility inquiry and response (X12 270 and 271): for inquiring of a health plan about the status of a patient’s eligibility for benefits and the types of services covered, and for receiving the response from the health plan or payer.
* Claim status inquiry and response (X12 276 and 277): for inquiring about and monitoring outstanding claims (where is the claim? why haven’t you paid us?) and for receiving the response from the health plan or payer. Claim status codes are now standardized for all payers.
* Referrals and prior authorizations (X12 278): for obtaining referrals and authorizations accurately and quickly, and for receiving prior authorization responses from the payer or the utilization management organization (UMO) used by a payer.
* Health care payment and remittance advice (X12 835): for replacing paper EOB/EOPs and explaining all adjustment data from payers. It also permits auto-posting of payments to the accounts receivable system.
* Health claims attachments (proposed) (X12 275): for sending detailed clinical information in support of claims, in response to payment denials, and for other similar uses.
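As an added example (not code from the original post), here is a small Python parser for the X12 interchange envelope that carries these transactions: it reads the element and segment separators from the ISA header, identifies each ST/SE transaction set by the numbers listed above, and verifies the segment count and control number declared in the SE trailer, so a truncated or altered file is caught before its contents are trusted. The sample 837 interchange, its sender and receiver IDs and its control numbers are constructed.

```python
# Added example: minimal X12 envelope parser for HIPAA transaction files.
# The sample interchange, sender/receiver IDs and control numbers are constructed.

# Transaction set IDs and their uses as listed in the post.
TRANSACTION_SETS = {
    "837": "Claim/encounter",
    "270": "Eligibility inquiry",
    "271": "Eligibility response",
    "276": "Claim status inquiry",
    "277": "Claim status response",
    "278": "Referral/prior authorization",
    "835": "Payment and remittance advice",
    "275": "Claims attachment (proposed)",
}

# Constructed sample: one 837 claim inside a single functional group.
SAMPLE_837 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*100901*1200*^*00501*000000001*0*T*:~"
    "GS*HC*SENDERID*RECEIVERID*20100901*1200*1*X*005010X222~"
    "ST*837*0001*005010X222~"
    "BHT*0019*00*CLAIM001*20100901*1200*CH~"
    "NM1*41*2*EXAMPLE CLINIC*****46*SENDERID~"
    "SE*4*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)

def split_segments(raw: str) -> list[list[str]]:
    """Split an interchange into segments, each a list of elements.

    X12 does not fix the separators: the element separator is the 4th
    character of the ISA header, and the segment terminator is the
    character that follows ISA16 (the 16th element of the header).
    """
    if not raw.startswith("ISA"):
        raise ValueError("not an X12 interchange: missing ISA header")
    elem_sep = raw[3]
    pos = -1
    for _ in range(16):                     # walk to the 16th separator
        pos = raw.index(elem_sep, pos + 1)
    seg_term = raw[pos + 2]                 # ISA16 is one character long
    return [seg.strip().split(elem_sep)
            for seg in raw.split(seg_term) if seg.strip()]

def identify_transactions(raw: str) -> list[dict]:
    """Return one record per ST..SE transaction set, with the SE trailer verified."""
    results, current, count = [], None, 0
    for seg in split_segments(raw):
        if seg[0] == "ST":
            current = {"id": seg[1], "control": seg[2],
                       "use": TRANSACTION_SETS.get(seg[1], "unknown")}
            count = 1                       # ST itself counts toward SE01
            continue
        if current is None:
            continue                        # envelope segments outside ST..SE
        count += 1
        if seg[0] == "SE":
            # SE01 = segment count including ST and SE; SE02 = ST control number
            current["segments"] = count
            current["count_ok"] = int(seg[1]) == count and seg[2] == current["control"]
            results.append(current)
            current = None
    return results
```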
The purpose of the HIPAA standards is to simplify the processes and decrease the costs associated with the payment for health care services. The savings to payers, physicians and other providers could be enormous, but only if there is collaboration between all parties involved.
Is your Email system HIPAA compliant?
With the advent of the internet, email has emerged as a communication solution, and more and more patients are looking to communicate with their healthcare providers via email. Some healthcare practitioners do feel that emailing their patients equates to working for free, but some clinics have already started charging for email consultations.
It is possible for clinics to shift towards a digital medical office while remaining financially solid. Rights management software tools have become a reality for the small and medium business office.
As with any medical advance, the side effects of a solution or cure must also be considered. While email is beneficial in terms of time and money, there are also cons to using this tool, many of them HIPAA related. According to the Health Privacy Project’s 2005 study, 70% of Americans are concerned that personal health information (PHI) could be disclosed as a result of weak data security.
Currently, healthcare organizations are required to provide a disclosure statement when communication is sent to their patients. With the advent of phishing, malware and spyware, an unintended recipient could spread a patient’s PHI like a virus, using or selling the data to any number of damaging sites.
Under HIPAA, facilities that fail to protect their patients’ PHI face stiff penalties. PHI includes, but is not limited to:
* Patient’s address, phone number
* Treating hospital/clinic number assigned to the patient
* Patient’s date of birth/ SSN
* Patient’s legal next of kin/guardian and their telephone number
* Patient’s insurance information (pre-certification/ DSHS/ Medicare)
* Anticipated Admission date and time
HIPAA email is regarded as anything that contains any information relating to your medical records. That can be anything from your address or phone number, date of birth, social security number, next of kin, insurance information (administrative or otherwise) and even your admission information for any medical visits or stays.
It isn’t only clinics, hospitals or doctors that are subject to this. Your employer is too, if it offers a health or medical plan. Companies that handle this kind of information have to have an information storage strategy that complies with HIPAA and many other pieces of legislation. Many companies handle this in-house with their existing staff and infrastructure.
While some companies handle this in-house, others outsource the burden to companies like Archive Compliance, which take care of the secure storage for them. Companies like this have to demonstrate that their storage and retrieval methods are secure in order to remain in business.
Information sought by HHS officers during a HIPAA audit
The Health Insurance Portability and Accountability Act (HIPAA) requires compliance audits to be conducted by the Office of the Inspector General at the U.S. Department of Health and Human Services (HHS). Here is a list of some of the information that HHS officials can ask for if your organization is under a HIPAA audit:
The HHS officers can ask for the policies and procedures covering:
- Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
- Emergency access to electronic information systems.
- Inactive computer sessions (periods of inactivity).
- Recording and examining activity in information systems that contain or use ePHI.
- Electronically transmitting ePHI.
- Preventing, detecting, containing and correcting security violations (incident reports).
- Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
- Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
- Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
- Physical access to electronic information systems and the facility in which they are housed.
- Establishing security access controls (what types of security access controls are currently implemented or installed in the hospital’s databases that house ePHI?).
- Firewalls, routers and switches.
- Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
- Terminating an electronic session and encrypting and decrypting ePHI.
- Password and server configurations.
- Anti-virus software.
- Network remote access.
HHS can also ask for:
- A list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software used to collect, store, process or transmit ePHI.
- A list of terminated employees and all new recruits.
- The authentication methods used to identify users authorized to access ePHI.
- A list of the transmission methods used to transmit ePHI over an electronic communications network.
- A list of systems administrators, backup operators and users.
- A list of database security requirements and settings.
- A list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows), and so on.
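Two of the items above, the access reports and the terminated-employee and user lists, are meant to be checked against each other. As an added example (not from the original post), here is a Python review that flags ePHI access by accounts on or after their owner’s termination date and access by accounts missing from the authorized-user list; the HR extract, user names, patient IDs and access report are all constructed.

```python
# Added example: reviewing an ePHI access report against the terminated-employee
# and authorized-user lists an auditor asks for. All data below is constructed.
import csv
import io
from datetime import date

# Constructed HR extract: user id and termination date.
TERMINATED_CSV = """user,terminated_on
jdoe,2010-08-15
mlee,2010-09-01
"""

# Constructed list of accounts authorized to access ePHI (administrators,
# backup operators and ordinary users).
AUTHORIZED_USERS = {"jdoe", "mlee", "rkim"}

# Constructed ePHI access report, one row per record access.
ACCESS_CSV = """timestamp,user,patient_id,action
2010-08-14T09:12:00,jdoe,P1001,view
2010-08-16T22:40:00,jdoe,P1002,view
2010-09-03T10:05:00,mlee,P1003,export
2010-09-03T10:07:00,asmith,P1003,view
2010-09-04T08:30:00,rkim,P1004,view
"""

def load_terminations(text: str) -> dict[str, date]:
    """Parse the HR extract into user -> termination date."""
    return {r["user"]: date.fromisoformat(r["terminated_on"])
            for r in csv.DictReader(io.StringIO(text))}

def review_access(access_text: str, terminated: dict[str, date],
                  authorized: set[str]) -> dict[str, list[dict]]:
    """Flag two conditions an auditor looks for in access reports:
    - access by an account on or after its owner's termination date, which
      means user termination did not revoke access promptly;
    - access by an account that is not on the authorized-user list.
    """
    findings = {"post_termination": [], "unlisted_user": []}
    for row in csv.DictReader(io.StringIO(access_text)):
        user = row["user"]
        accessed = date.fromisoformat(row["timestamp"][:10])
        term = terminated.get(user)
        if term is not None and accessed >= term:
            findings["post_termination"].append(
                {**row, "days_after_termination": (accessed - term).days})
        if user not in authorized:
            findings["unlisted_user"].append(dict(row))
    return findings

def summarize(findings: dict[str, list[dict]]) -> list[str]:
    """One line per finding, in the shape of the exception report an auditor asks for."""
    lines = []
    for row in findings["post_termination"]:
        lines.append(f"{row['timestamp']} {row['user']} {row['action']} {row['patient_id']} "
                     f"{row['days_after_termination']} day(s) after termination")
    for row in findings["unlisted_user"]:
        lines.append(f"{row['timestamp']} {row['user']} {row['action']} {row['patient_id']} "
                     "by account not on the authorized-user list")
    return lines

if __name__ == "__main__":
    for line in summarize(review_access(ACCESS_CSV, load_terminations(TERMINATED_CSV),
                                        AUTHORIZED_USERS)):
        print(line)
```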
HHS Proposed Rule for marketing under HIPAA
The U.S. Department of Health and Human Services (HHS) has proposed a set of significant updates to health privacy rules. The rule is open for public comment until September 13th. Although the proposed rule does not clarify some outstanding issues in the health information technology (health IT) area, it does contain numerous changes to the HIPAA Privacy Rule, the most prominent being Business Associates, Enforcement, Marketing and Research.
Under HIPAA, covered entities need to obtain patient authorization to send marketing communications to patients. The Privacy Rule states several exceptions, however, for which covered entities do not need patient authorization. The exceptions include communications about treatment, alternative therapies and “value-added” benefits. HITECH revoked this exception when an entity receives “direct or indirect remuneration” from an outside entity (such as a product manufacturer) to make the communication. In HITECH, Congress declared such subsidized communications to be marketing, with one exception: when the communication is about a drug or biologic that the patient is currently taking.
However, under the proposed rule, prior patient authorization would not be required to send subsidized communications about treatment, provided the communications are tailored to the individual’s health condition. Although the proposed rule would not require prior patient authorization for subsidized treatment communications, it would require that the provider notify the patient of its intent to send such communications, that the notice inform the patient that she may opt out of receiving them, and that the treatment communication itself reiterate the patient’s ability to opt out and disclose that someone paid the provider to send it.
In the current Privacy Rule, the term “payment” covers only the activities of health plans in paying for health care and those of providers in seeking payment for care. The proposed exception, however, includes treatment communications subsidized by third parties who are neither health plans nor providers.
WORM emerging as a new generation storage technology in healthcare industry
To comply with HIPAA, healthcare organizations have to rely on the latest information technology for the storage infrastructure deployed to protect patients’ data. The transition to “filmless” digital diagnostic imaging and the need for compliance with the Health Insurance Portability and Accountability Act (HIPAA) have spurred medical IT departments to rethink their approach to data storage to better support these new applications and data management requirements. The American Medical Association estimates the cost of restructuring the healthcare industry as a result of HIPAA at more than $43 billion over the next few years.
One such technology that has caught attention for storing patient data is write once, read many (WORM). Once the exclusive realm of write-once optical disk, a new generation of WORM storage alternatives has emerged that includes WORM disk arrays and WORM tape. Both of these WORM options provide certain advantages over traditional optical WORM, particularly given the need for higher capacities in large-scale storage applications. However, tape-based WORM is poised to become a major presence in medical storage environments by delivering more secure, scalable and versatile storage with a significantly lower total cost of ownership than disk-based WORM.
The two dominant mid-range tape technologies, Super DLTtape II and Linear Tape Open Ultrium 3 (LTO 3), have embraced the WORM concept and both now offer WORM functionality, although each takes a different approach. Super DLTtape enables customers to use conventional Super DLT II media for WORM applications. The write-once functionality (designated as DLTIce on Quantum’s Super DLT 600 tape drives) is enabled by the tape drive as part of Quantum’s DLTSage architecture platform, a suite of predictive and preventive management software tools that enable end users to diagnose, plan and manage their tape storage investments.
Using ‘Secure FAX’ to comply with HIPAA’s ‘Safeguards Principle’
There are various concerns when healthcare organizations urgently need to send important and sensitive information, such as protected health information (PHI), via facsimile, as anyone with physical access to the phone lines and some technical expertise can eavesdrop on phone calls and FAXes and thus obtain protected health information sent by fax. HIPAA deals with FAXes in the “Safeguards Principle”, which states that ‘Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.’
With email, there are many physical, technical and administrative safeguards that are easy to apply. With FAXes, the situation is very different:
* There is no easy way to secure a FAX transmission between two parties unless they are both set up with special encrypting fax machines. Few organizations have such tools; they are expensive, and to be useful, everyone must have compatible machines.
* Everyone already uses insecure FAX machines.
* FAXes are often left on the FAX machine for some period of time after they arrive. This makes the sensitive information available to anyone walking by the machine.
* FAX machines often save copies of received FAXes internally. This makes it possible for anyone with access to the FAX machine to print out additional copies of the sensitive material.
* FAX machines generally print out the transmitted messages on paper. This paper, if not destroyed, could be placed in an insecure location.
To combat this situation, you can opt for “Secure FAX” services over the internet. These services secure your information through the following process:
* You access their web site using a secure (SSL) connection.
* You log in and upload the materials to be “FAXed” (possibly after first scanning and saving them on your computer).
* You enter an email address and possibly a FAX number of the recipient.
* The pages that you are “FAXing” are encrypted and saved in a database at your FAX service provider.
* The “FAX” recipient gets an email or FAX notifying them that they have a “FAX” and that they need to go to a web site to “pick it up”.
* The recipient goes to the web site and downloads the “FAX” over a secure (SSL) web connection.
This transmission of information is secure end-to-end because:
* The transmission from the sender to the server is secured.
* The temporary storage is secured.
* The transmission from the server to the recipient is secured.
* An audit trail may be available to track the process, for improved compliance.
* Authentication of the sender and/or recipient may be present, for improved compliance.
This is obviously a more secure method of transmitting PHI than a classical FAX.