Survey reveals that healthcare organizations are keen to comply with Federal Privacy laws

FairWarning recently commissioned an independent firm to conduct a national survey of healthcare providers. The survey covered 200 unique hospitals across the US; the majority of respondents were compliance, privacy or risk personnel, followed by IT management and executive management. The survey was designed to elicit opinions and insights on new healthcare privacy regulations (specifically ARRA HITECH), patient safety, privacy and auditing budgets, and information technology risk management.

In the survey, nearly half of healthcare organizations (47.3 percent) believed their organization is already compliant with federal privacy laws such as ARRA HITECH and HIPAA and is audit ready. However, nearly one-third of respondents stated they will not be compliant with ARRA HITECH requirements by the set deadlines. Moreover, just 7 percent of respondents demonstrated that they have both processes and automated systems in place which incorporate the cornerstone technologies designed to eliminate security and privacy vulnerabilities.

The greatest concerns of respondents regarding non-compliance with any of the federal privacy laws were the reputational impact of a failed audit or major privacy breach, financial penalties for non-compliance, and media exposure.

“It is highly unlikely that an organization can fully comply with its obligations under HIPAA and the ARRA HITECH without implementing automated systems for patient and user privacy auditing, managing and aggregating accounting of disclosures and identity management,” stated John Houston, Vice President of Privacy and Information Security and Assistant Counsel at the University of Pittsburgh Medical Center. “While respondents felt that their level of compliance was high, their implementation of necessary technologies was much lower.”

The survey findings concluded that healthcare organizations are:

1. Familiar with new healthcare privacy and security regulations, specifically ARRA HITECH

2. Concerned with the reputational impact associated with a breach and breach notification requirements

3. Mobilizing to meet compliance requirements and deploying critical technologies to plug security gaps and meet compliance requirements

4. Allocating budget to meeting new privacy and security requirements

5. Beginning to believe that enforcement of these laws is a government priority; and

6. In need of further education to align spending and technology deployments to government expectations.


Posted on : Mar 09 2010
Posted under General, Guide, In the news, Legislation, News, Privacy & security, Strategy, Tips |

New HITECH Law deadline knocks at the healthcare industry’s door

The new HITECH Law takes effect on February 20, 2010 and will change the way you handle Protected Health Information (PHI), especially when using computers. Internet information sharing has made PHI vulnerable to employees stealing patient information and maliciously posting it on the internet, and to hackers stealing insurance ID information and misusing Social Security numbers.

This has prompted the federal government to take protective measures through the Health Information Technology for Economic and Clinical Health Act (HITECH or “the Act”), enacted in 2009 as part of ARRA, which encourages the use of health information technology by offering several incentives.

As the new laws become effective, electronic health information sharing will be subject to much stricter guidelines. Penalties for HIPAA violations range from $100 to $50,000 per incident for businesses in non-compliance, and civil penalties (imposed for employee breaches) will be strict and hefty as well.

However, the basic problem is getting your Risk Management / HITECH Law requirements in place properly and effectively: this new law has many written components, and it can take several days to research, format and put them into place. Although many websites offer organized, easy-to-understand and customized support, most of them charge upwards of $400 for this information. Make sure that you choose the right help and support, so that your HITECH Law program is comprehensive and user friendly!


Posted on : Mar 03 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Strategy, Tips |

How can you ensure HIPAA compliance with WLAN?

With the progress of technology and the growing need to access, exchange, store and process information from any point in the network, Wireless LAN is increasingly used by doctors, nurses, paramedics and caregivers to process patient data conveniently in large healthcare settings. WLAN has given the medical world increased mobility, which makes it easy for medical personnel to exchange information while on the move. This saves time, increases productivity and raises the quality of patient care.

But as it is rightly said, each bright aspect has its darker side, and so it is with WLAN, which can seriously compromise the ability of a healthcare facility to follow the HIPAA compliance laws pertaining to electronic exchange of confidential patient health information. Compared to a wired network, which requires physical access, the open architecture of a WLAN makes it easy for an unauthorized person to get behind the firewall and onto the network. This poses a serious threat to the safety of the confidential patient health information that is stored, exchanged or processed by the network.

To overcome this problem, a WLAN should have security features such as unique user identification, an emergency access procedure, automatic logoff, an encryption and decryption system that creates a tamper-proof communication channel between the sender and the authenticated receiver, and the ability to authenticate electronic health information and maintain its integrity. The network should maintain its integrity through continuous monitoring and shut out any unauthorized access from a rogue entry point. Clients associating with rogue entry points should be cut off from the network unless they connect through an authorized access point.

Besides this, any change in the configuration of the access points that points to unauthorized access should be brought immediately to the notice of the IT manager through a proper communication channel. The WLAN should be able to maintain an audit log of the time, nature and resolution of the intrusion and the steps taken to avert it.
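The monitoring described in the two paragraphs above (shutting out rogue entry points, alerting on access-point configuration changes, and keeping an audit log of time, nature and resolution) can be reduced to a baseline comparison. The following is an added example, not code from the original post; the authorized inventory, SSIDs, BSSIDs and scan results are constructed sample values, and a real deployment would feed it from the controller or a wireless scanner.

```python
"""Compare a WLAN scan against an authorized access-point inventory, flag
rogue entry points and configuration drift, and emit audit-log entries.
Added example; all BSSIDs, SSIDs and scan data are constructed samples."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical authorized inventory: BSSID -> (SSID, security mode).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("CLINIC-STAFF", "WPA2-Enterprise"),
    "00:11:22:aa:bb:02": ("CLINIC-STAFF", "WPA2-Enterprise"),
    "00:11:22:aa:bb:03": ("CLINIC-GUEST", "WPA2-PSK"),
}
PROTECTED_SSIDS = {"CLINIC-STAFF"}  # SSIDs that carry patient (PHI) traffic

# Constructed scan output: (BSSID, SSID, security mode, channel).
SAMPLE_SCAN = [
    ("00:11:22:aa:bb:01", "CLINIC-STAFF", "WPA2-Enterprise", 6),
    ("00:11:22:aa:bb:02", "CLINIC-STAFF", "Open", 11),    # config drift
    ("de:ad:be:ef:00:01", "CLINIC-STAFF", "Open", 1),     # rogue twin
    ("de:ad:be:ef:00:02", "CoffeeShop", "WPA2-PSK", 6),   # unknown AP
    ("00:11:22:aa:bb:03", "CLINIC-GUEST", "WPA2-PSK", 1),
]


@dataclass
class Finding:
    bssid: str
    nature: str      # what was observed
    resolution: str  # the action the audit log should record


def evaluate_scan(scan, authorized=AUTHORIZED_APS, protected=PROTECTED_SSIDS):
    """Return findings for rogue entry points and drift from the baseline."""
    findings = []
    for bssid, ssid, security, channel in scan:
        if bssid in authorized:
            exp_ssid, exp_sec = authorized[bssid]
            if (ssid, security) != (exp_ssid, exp_sec):
                findings.append(Finding(
                    bssid,
                    f"config change on authorized AP: {exp_ssid}/{exp_sec} "
                    f"-> {ssid}/{security}",
                    "isolate AP, notify IT manager, restore baseline config"))
        elif ssid in protected:
            findings.append(Finding(
                bssid,
                f"rogue AP impersonating protected SSID {ssid} "
                f"({security}, ch {channel})",
                "block clients associated to this BSSID, locate and remove AP"))
        else:
            findings.append(Finding(
                bssid, f"unknown AP {ssid!r} ({security}, ch {channel})",
                "record and verify; no PHI SSID involved"))
    return findings


def audit_log_lines(findings, now=None):
    """Format findings as audit-log entries: time, nature and resolution."""
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return [f"{ts} bssid={f.bssid} nature={f.nature!r} "
            f"resolution={f.resolution!r}" for f in findings]


if __name__ == "__main__":
    for line in audit_log_lines(evaluate_scan(SAMPLE_SCAN)):
        print(line)
```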

In the end, the WLAN in any healthcare setting should be configured securely, so that it is safe for the organization to store and exchange confidential patient health information in line with HIPAA compliance laws.


Posted on : Mar 03 2010
Posted under General, News, Privacy & security, Products, Strategy, Tips |

Getting started with your home-based medical transcription business

As HIPAA becomes more and more important, the career opportunities for a home-based medical transcriptionist are very bright. But to start your career as a medical transcriptionist you need to follow certain guidelines and steps so that you can set up a successful home-based medical transcription business.

To begin with, you have to find a good space for your home office, dedicated entirely to the medical transcription work; without it you cannot start a medical transcription career from home, let alone flourish in it. The work area should be secluded, noise-free and comfortable, and it should not be frequented by others in the family.

After you are done with the work space, you need to acquire all medical transcription tools and aids. You would need a medical dictionary, a medical spell checker and a copy of the medical transcription style guide issued by the Association for Healthcare Documentation Integrity (AHDI). Your system should have the best anti-virus and firewall software.

Another important step for a medical transcriptionist is becoming HIPAA-compliant. Remember that the Health Insurance Portability and Accountability Act (HIPAA) lays down rules on keeping patient information confidential and secure, and as a home-based transcriptionist you must take certain measures to comply with HIPAA’s requirements. For example, a secure FTP connection is needed to transfer work files, encryption software is needed to encrypt work-related e-mails, and a paper shredder should be used to destroy papers that are no longer required.

Last but not least, your computer should be dedicated to your work: it should not be used for personal purposes, and no one else should be allowed to use it. Also, get a secure cabinet to keep work-related papers.


Posted on : Feb 22 2010
Posted under General, Guide, In the news, Legislation, Privacy & security, Products, Strategy, Tips |

MindLeaf introduces new 5010 conversion services

MindLeaf Technologies, Inc., is a leading provider of HIPAA 5010 conversion services. The company has announced that it will provide these services to clearinghouse, payer and provider organizations.

MindLeaf introduced its new 5010 conversion services at the 2nd WEDI 5010, ICD-10 Forum, February 2nd through 4th, at the Hyatt Regency in Austin, TX. At the forum MindLeaf announced that it would offer event attendees a limited number of complimentary 5010 pre-engagement analysis packages on a first-come, first-served basis. Each package would include up to 40 hours of work by experienced EDI professionals and deliver a full inventory of affected EDI translation maps and transaction processes, suitable for use with MindLeaf or any conversion services provider — or to support internal teams.

“Many organizations still see 5010 conversion as a future challenge, and they are not making it a ‘now’ issue,” said Paresh Shah, MindLeaf president. “However, the Level I testing phase is already underway, and organizations that begin the process now will benefit from better quality and lower costs, while conversion vendors are still not in high demand. Companies that begin to transition now will also have time to get in front of unexpected issues and will also have a chance to run their 4010 and 5010 systems in parallel to ensure zero downtime through the transition.”


Posted on : Feb 11 2010
Posted under General, Guide, In the news, Legislation, News, Tips |

HIPAA provides special protection to psychotherapy notes

Under HIPAA, many types of Protected Health Information (PHI) can be accessed for treatment, payment or other healthcare operations without explicit permission from the individual, but HIPAA’s Privacy Rule extends special protections to psychotherapy notes. As such, the use or disclosure of psychotherapy notes requires an authorization except:

  • for the originator of the notes (i.e., the mental health practitioner), for treatment of the subject patient;
  • for students, trainees or practitioners, for supervised training programs;
  • to defend a legal action or other proceeding brought by the patient against the covered entity;
  • for lawful health oversight activities or as otherwise required by law;
  • for coroners or medical examiners (where the patient is deceased); or
  • where, consistent with applicable law and the standards of ethical conduct, there is a good faith belief that the use or disclosure is necessary to prevent or lessen a serious threat to health or safety.

Posted on : Jan 26 2010
Posted under In the news, Legislation, Privacy & security, Strategy, Tips |

What are the different laws governing email compliance?

The world of business today seems incomplete without email, and as email becomes an increasingly integral part of business, it brings with it an onslaught of laws designed to keep email compliant with requirements such as customer privacy, law enforcement investigations, and corporate governance. The purpose of these laws is to make sure that email is being used, and managed, properly.

In a doctor’s office, the two rules that affect email compliance are the HIPAA Privacy Rule and Security Rule. Of the two, the Security Rule is more in-depth and essentially mirrors the Privacy Rule; its purpose is to focus on information security best practices, and it revolves around the security cornerstones of confidentiality, integrity, and availability. The Security Rule covers everything from workstation management of information to facility access and transmission security. It is vital that any information you send via email does not reveal the patient’s identity or the problem they are facing; many offices use initials when referring to patients via email.

In the financial industry, email compliance is governed by the Gramm-Leach-Bliley Act. Also known as GLBA, it is basically the same kind of law as HIPAA, just for a different type of business. It is designed to ensure the privacy and security of non-public personal information as it relates to individuals’ financial information. GLBA’s rules apply to mortgage lenders, banks, stock firms and the like. Under GLBA, the financial company is charged with several things: designating an employee or employees to coordinate the information security program, identifying reasonably foreseeable risks to non-public information, making sure its suppliers are also using safeguards, and monitoring all of the above.

To conclude, when it comes to email compliance, there are rules everywhere, and your business needs to know which apply to you and how to handle them. There are several ways to handle these issues, most of which include hiring at least some type of IT security firm to develop a total information security plan that will comply with recent, and future, government email regulations.


Posted on : Jan 26 2010
Posted under In the news, Legislation, Privacy & security, Strategy, Tips |

Blumenthal sues Health Net for violation of HIPAA

Taking the first legal action for a violation of HIPAA, State Attorney General Richard Blumenthal is suing Health Net of Connecticut Inc. for allegedly failing to secure the private medical records and financial information of 446,000 Connecticut members and delaying its report of a widespread security breach. The data went missing from Health Net’s Northeast office at One Far Mill Crossing. A portable disk drive containing members’ personal information, including Social Security and bank account numbers, went missing from the company in May, but Health Net did not report it until November.

The insurer issued a statement Wednesday saying: “Protecting the privacy of our members is extremely important to us. Health Net’s company policy states that data must be encrypted and secure.”

“These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft,” Blumenthal said in a statement. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable.”

Health Net argues that there is no evidence of any of the missing data being misused. The company is offering two years of free credit monitoring to all affected members who want it, and has said that special software is needed to decipher information contained on the missing drive.


Posted on : Jan 20 2010
Posted under In the news, Legislation, News, Privacy & security, Tips |

New data security laws take effect in Nevada this January

In order to strengthen data security laws, new additions have taken effect in Nevada and New Hampshire on January 1, 2010. Nevada’s law makes it the first state to mandate compliance with the entire Payment Card Industry Data Security Standard (PCI DSS) and impose a requirement on businesses and government agencies to encrypt sensitive data transmitted or carried outside of the premises of the business or agency.

Nevada’s law addresses transaction data created by a customer’s use of a credit, debit, or other payment card, as well as personal information, and applies to “a data collector doing business” in Nevada. A data collector that accepts payment cards is now required to comply with “the current version” of the PCI DSS, no later than the compliance date set forth by the PCI DSS or the PCI Security Standards Council. Data collectors who do not accept payment cards must use encryption when transferring personal information through “an electronic, non voice transmission other than a facsimile” to a person outside the secure system of the data collector, and when moving any data storage device containing personal information “beyond the logical or physical controls of the data collector.”

The Nevada law redefines “encryption” as:

(1) “an encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology”; and

(2) “[a]ppropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

The new law also establishes a safe harbor: a data collector is not liable for damages for a breach of system data security if the data collector is in compliance with this law and the breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees, or agents.


Posted on : Jan 20 2010
Posted under In the news, Legislation, News, Privacy & security, Strategy, Tips |

Four categories of uses and disclosures of PHI under HIPAA

Under HIPAA’s Privacy Rule, there are four categories under which covered entities can use and disclose protected health information (PHI). These categories are:

  • Core uses and disclosures, for which no permission is required — although an optional consent can be employed. This includes routine treatment, payment and other health care operations;
  • Disclosures requiring a supplemental authorization — such as most kinds of research, and some kinds of marketing and fundraising;
  • Disclosures which require an opportunity to agree or object, but no written authorization. This category includes the limited subset of PHI used for facility directories, and disclosures to those involved in a person’s care. (As regards the latter, see the discussion of personal representatives.)
  • Disclosures which do not require even an opportunity to agree or object. This category includes uses and disclosures for public health activities, about victims of abuse, neglect or domestic violence, for health oversight activities, for judicial or administrative proceedings, for law enforcement, about deceased persons (including cadaveric organ and tissue donations), where permitted by an IRB or Privacy Board waiver, for research, to avert a serious, imminent threat to public safety, for certain government functions (e.g., national security, military, corrections), or anything else required by law. In most cases, the language of the regulations for this fourth category is that the covered entity “may disclose” such information — indicating it is permitted but not required by HIPAA. Individuals are entitled to an accounting of disclosures in the fourth category, though that accounting may be temporarily suspended in certain circumstances.

Posted on : Jan 14 2010
Posted under In the news, Legislation, News, Privacy & security, Strategy, Tips |