<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>HIPAA Compliance Journal</title>
	<atom:link href="http://www.hipaacompliancejournal.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.hipaacompliancejournal.com</link>
	<description>HIPAA Compliance Journal</description>
	<pubDate>Mon, 30 Aug 2010 07:31:31 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<item>
		<title>How to write a Notice of Information Practices and Privacy Statement?</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/how-to-write-a-notice-of-information-practices-and-privacy-statement/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/how-to-write-a-notice-of-information-practices-and-privacy-statement/#comments</comments>
		<pubDate>Mon, 30 Aug 2010 07:31:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[Legislation]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=409</guid>
		<description><![CDATA[HIPAA applies to all medical and mental health service providers. It requires that all persons you collect medical information from either directly or indirectly (such as by filling a prescription) be notified of their rights to privacy and receive a “Notice of Privacy Practices” which is sometimes also called “Notice of Information Practices.”
The statement must [...]]]></description>
			<content:encoded><![CDATA[<p>HIPAA applies to all medical and mental health service providers. It requires that all persons you collect medical information from either directly or indirectly (such as by filling a prescription) be notified of their rights to privacy and receive a “Notice of Privacy Practices” which is sometimes also called “Notice of Information Practices.”</p>
<p>The statement must tell your patients or clients what you do with their information, and either it must be signed by the patient, or the patient must sign a HIPAA consent form stating that they received a copy of your privacy practices before signing it.</p>
<p>Here is a sample HIPAA privacy practices statement for your guidance. Before you use it, revise the document to detail your own privacy policies and have an attorney review it to make sure it meets the legal requirements of your own business.</p>
<p>Notice of Information Practices and Privacy Statement for ABC Healthcare Services</p>
<p>123, ABC Lane,</p>
<p>City, Country, Code</p>
<p>Telephone Number</p>
<p>Email Address</p>
<p>How Your Information is collected by us:</p>
<p>ABC Healthcare Services and its employees and volunteers collect data through a variety of means including but not necessarily limited to letters, phone calls, emails, voice mails, and from the submission of applications that is either required by law, or necessary to process applications or other requests for assistance through our organization.</p>
<p>What is NOT done with your information:</p>
<p>Information about your financial situation and medical conditions and care that you provide to us in writing, via email, on the phone (including information left on voice mails), contained in or attached to applications, or directly or indirectly given to us, is held in strictest confidence.</p>
<p>We do not give out, exchange, barter, rent, sell, lend, or disseminate any information about applicants or clients who apply for or actually receive our services that is considered patient confidential, is restricted by law, or has been specifically restricted by a patient/client in a signed HIPAA consent form.</p>
<p>How your information IS USED:</p>
<p>Information is only used as is reasonably necessary to process your application or to provide you with health or counseling services which may require communication between ABC Healthcare Services and health care providers, medical product or service providers, pharmacies, insurance companies, and other providers necessary to: verify your medical information is accurate; determine the type of medical supplies or any health care services you need including, but not limited to; or to obtain or purchase any type of medical supplies, devices, medications, insurance,</p>
<p>If you apply or attempt to apply to receive assistance through us and provide information with the intent or purpose of fraud or that results in either an actual crime of fraud for any reason including willful or un-willful acts of negligence whether intended or not, or in any way demonstrates or indicates attempted fraud, your non-medical information can be given to legal authorities including police, investigators, courts, and/or attorneys or other legal professionals, as well as any other information as permitted by law.</p>
<p>Information NOT Collected by us:</p>
<p>We do not use cookies on our website to collect data from our site visitors. We do not collect information about site visitors except for one hit counter on the main index page (www.yourwebpage.org) that simply records the number of visitors and no other data. We do use some affiliate programs that may or may not capture traffic data through our site.</p>
<p>Limited Right to Use Non-Identifying Personal Information from Biographies, Letters, Notes, and Other Sources: Any pictures, stories, letters, biographies, correspondence, or thank you notes sent to us become the exclusive property of ABC Healthcare Services. We reserve the right to use non-identifying information about our clients (those who receive services or goods from or through us) for fundraising and promotional purposes that are directly related to our mission.</p>
<p>Clients will not be compensated for use of this information and no identifying information (photos, addresses, phone numbers, contact information, last names or uniquely identifiable names) will be used without the client’s express advance permission.</p>
<p>You may specifically request that NO information be used whatsoever for promotional purposes, but you must identify any requested restrictions in writing.</p>
<p>We respect your right to privacy and assure you no identifying information or photos that you send to us will ever be publicly used without your direct or indirect consent.</p>
<p>Revision Date: 01/09/2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/how-to-write-a-notice-of-information-practices-and-privacy-statement/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Getting yourself insured against security breach or privacy loss</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/getting-yourself-insured-against-security-breach-or-privacy-loss/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/getting-yourself-insured-against-security-breach-or-privacy-loss/#comments</comments>
		<pubDate>Mon, 30 Aug 2010 07:05:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Strategy]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=408</guid>
		<description><![CDATA[If you are in the healthcare industry managing PHI, then a single security breach can cost millions. With the large numbers of patients or insured customers, the potential cost of a breach can be very high. In such a case, you should opt for network security or privacy loss insurance. What started with just a few [...]]]></description>
			<content:encoded><![CDATA[<p>If you are in the healthcare industry managing PHI, then a single security breach can cost millions. With the large numbers of patients or insured customers, the potential cost of a breach can be very high. In such a case, you should opt for network security or privacy loss insurance. What started with just a few specialist insurers, like Lloyd's of London, has grown to more than 15 companies offering coverage for security breaches, as well as brokers who can help you find the right coverage.</p>
<p>Insurance against security breaches covers two main areas. First-party coverage protects you against the direct costs suffered by your business, including potential fines, productivity loss, financial damage and even PR expenses. Third-party coverage protects you against costs incurred for damage to third parties, such as virus damage or identity. Healthcare and insurance companies are buying these policies to cover the residual risk of a breach that reveals HIPAA protected information.</p>
<p>When going for this type of insurance, you need to first figure out how much coverage is needed. The potential loss depends on the number of records of sensitive data, the regulatory framework and the company&#8217;s existing security infrastructure. Coverage can be secured for a few thousand dollars, offering protection against losses in the $1 million to $5 million range. Special policies can be tailored for more coverage.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/getting-yourself-insured-against-security-breach-or-privacy-loss/feed/</wfw:commentRss>
		</item>
		<item>
		<title>CMS sends letter to state Medicaid agencies for guidance on use of EHR</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/cms-sends-letter-to-state-medicaid-agencies-for-guidance-on-use-of-ehr/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/cms-sends-letter-to-state-medicaid-agencies-for-guidance-on-use-of-ehr/#comments</comments>
		<pubDate>Mon, 23 Aug 2010 11:23:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=407</guid>
		<description><![CDATA[The HITECH Act provides 100 percent federal funding for Medicaid meaningful use incentive programs and 90 percent for reasonable state administrative expenses. States must, at a minimum, demonstrate adequate administrative and oversight procedures, and promote adoption of certified EHR products and secure exchange of health information.
The Centers for Medicare and Medicaid Services has sent a [...]]]></description>
			<content:encoded><![CDATA[<p>The HITECH Act provides 100 percent federal funding for Medicaid meaningful use incentive programs and 90 percent for reasonable state administrative expenses. States must, at a minimum, demonstrate adequate administrative and oversight procedures, and promote adoption of certified EHR products and secure exchange of health information.</p>
<p>The Centers for Medicare and Medicaid Services has sent a 19-page letter to state Medicaid agencies. The letter gives guidance on developing state-level incentive programs for the meaningful use of electronic health records.</p>
<p>CMS in the letter urges states to implement their Medicaid EHR incentive programs as soon as possible in 2011 to benefit most from available federal resources, such as time-limited funding and technical assistance.</p>
<p>Here is an excerpt from the letter:</p>
<p>…………………..</p>
<p>Dear State Medicaid Director:</p>
<p>This letter provides guidance to State Medicaid agencies regarding implementation of section 4201 of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), Pub. L. 111-5, and our recently published regulations at 42 CFR Part 495, Subpart D. Section 4201, as well as our final regulations, will allow the payment of incentives to eligible professionals (EPs) and eligible hospitals to promote the adoption and meaningful use of certified electronic health record (EHR) technology.</p>
<p>The Recovery Act provides 100 percent Federal financial participation (FFP) to States for incentive payments to eligible Medicaid providers to adopt, implement, upgrade, and meaningfully use certified EHR technology, and 90 percent FFP for State administrative expenses related to the program.</p>
<p>The Centers for Medicare &amp; Medicaid Services (CMS) issued a State Medicaid Director (SMD) letter on September 1, 2009, that provided guidance to States on allowable expenses for activities supporting the administration of incentive payments to providers. CMS has now promulgated final regulations that also govern State administrative expenses related to administering the program. Both the SMD letter and our regulations at 42 CFR section 495.318 explain that, in order to qualify for the 90 percent FFP administrative match, a State must, at a minimum, demonstrate to the satisfaction of the Secretary compliance with three requirements:</p>
<p>• Administration of Medicaid incentive payments to Medicaid EPs and eligible hospitals;</p>
<p>• Oversight of the Medicaid EHR Incentive Program, including routine tracking of meaningful use attestations and reporting mechanisms; and</p>
<p>• Pursuit of initiatives that encourage the adoption of certified EHR technology for the promotion of health care quality and the electronic exchange of health information.</p>
<p>………………………………………..</p>
<p>You can access the full guidance letter at</p>
<p><a href="https://www.cms.gov/smdl/downloads/SMD10016.pdf" target="_blank">https://www.cms.gov/smdl/downloads/SMD10016.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/cms-sends-letter-to-state-medicaid-agencies-for-guidance-on-use-of-ehr/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Binary Spectrum gets HIPAA certification</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/binary-spectrum-gets-hipaa-certification/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/binary-spectrum-gets-hipaa-certification/#comments</comments>
		<pubDate>Thu, 19 Aug 2010 14:33:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[Legislation]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Strategy]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=406</guid>
		<description><![CDATA[Binary Spectrum, a Microsoft Gold certified partner and a member of the Sun Partner Advantage Program, with years of expertise in designing and developing customized Healthcare software products incorporating HL7 integration solutions and outsourcing support for the global market, has finally achieved Health Insurance Portability and Accountability Act (HIPAA) Certification. It is now amongst those [...]]]></description>
			<content:encoded><![CDATA[<p>Binary Spectrum, a Microsoft Gold certified partner and a member of the Sun Partner Advantage Program, with years of expertise in designing and developing customized Healthcare software products incorporating HL7 integration solutions and outsourcing support for the global market, has finally achieved Health Insurance Portability and Accountability Act (HIPAA) Certification. It is now amongst those organizations that comply with the HIPAA regulations and are certified to provide IT services and solutions to Healthcare Organizations.</p>
<p>Thus, now the company’s software offerings including Electronic medical records, HMIS, EHR, medical billing and coding, medical practice management, medical prescription and outcome registry are HIPAA and HL7 compliant.</p>
<p>Binary Spectrum is committed to ensuring the confidentiality, integrity, availability, and privacy of information of all stakeholders and protected health information of all the customers, by adopting a formal Business Risk Management Framework and establishing a Compliance and Security management system.</p>
<p>Based on the audit performed by ProMinds Consulting in May 2009, as per the scope detailed, Binary Spectrum has been declared compliant with HIPAA. ProMinds Consulting certifies that Binary has established and applies applicable privacy regulations and provisions of HIPAA.</p>
<p>“With just 5 years of expertise in the healthcare domain, achieving HIPAA compliance not only ensures that we are compliant to global standards but also assures the security of our customer’s most sensitive information and individual health records being handled,” says Mr. Ashok Kumar, CEO, Binary Spectrum. He further adds, “We are pleased to have achieved this recognition and as a likely succession, we look forward to achieving our subsequent milestones that would continue to focus on providing improved and assured quality products and services to our customers.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/binary-spectrum-gets-hipaa-certification/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Blumenthal announces the first state settlement with Healthnet</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/blumenthal-announces-the-first-state-settlement-with-healthnet/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/blumenthal-announces-the-first-state-settlement-with-healthnet/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 05:51:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Products]]></category>

		<category><![CDATA[Strategy]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=405</guid>
		<description><![CDATA[This January, Connecticut State Attorney General Richard Blumenthal made headlines when he brought a HIPAA enforcement action against insurance giant Health Net, thus becoming the first AG in the country to do so. Health Net has been under suit for its loss of a hard drive containing over 500,000 individuals’ records including clinical data, [...]]]></description>
			<content:encoded><![CDATA[<p>This January, Connecticut State Attorney General Richard Blumenthal made headlines when he brought a HIPAA enforcement action against insurance giant Health Net, thus becoming the first AG in the country to do so. Health Net has been under suit for its loss of a hard drive containing over 500,000 individuals’ records, including clinical data, social security numbers, addresses, and other financial information. According to Blumenthal, Health Net then compounded the gaffe (which they chalked up to theft) by failing to inform those affected about what had occurred for over six months after the incident.</p>
<p>Now, Blumenthal has added more to the news with his announcement that he has brokered the first state settlement of such an action. Under the terms of the settlement, Health Net will be ordered to pay $250,000 directly to the state of Connecticut, representing statutory damages (and, no doubt, to serve as a warning to other health insurance companies as well). They will also have to put aside a further $500,000 to cover damages should it eventually be found that the missing hard drive was accessed and that members’ personal information was used in an illegal manner.</p>
<p>This is sure to add more lines to some already wrinkled brows at Health Net…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/blumenthal-announces-the-first-state-settlement-with-healthnet/feed/</wfw:commentRss>
		</item>
		<item>
		<title>What are HIPAA transactions and code set standards?</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/what-are-hipaa-transactions-and-code-set-standards/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/what-are-hipaa-transactions-and-code-set-standards/#comments</comments>
		<pubDate>Sat, 14 Aug 2010 07:04:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[Legislation]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Strategy]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=404</guid>
		<description><![CDATA[The HIPAA transactions and code set standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.
A &#8220;transaction&#8221; is an electronic business document. Each of the HIPAA standard transactions has a [...]]]></description>
			<content:encoded><![CDATA[<p>The HIPAA transactions and code set standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.</p>
<p>A &#8220;transaction&#8221; is an electronic business document. Each of the HIPAA standard transactions has a name, a number, and a business or administrative use. Those of importance in a medical practice are listed below:</p>
<p>Claim/encounter (X12 837)</p>
<p>For submitting a claim to a health plan, insurer, or other payer.</p>
<p>Eligibility inquiry and response (X12 270 and 271)</p>
<p>For inquiring of a health plan the status of a patient’s eligibility for benefits and details regarding the types of services covered, and for receiving information in response from the health plan or payer.</p>
<p>Claim status inquiry and response (X12 276 and 277)</p>
<p>For inquiring about and monitoring outstanding claims (where is the claim?  Why haven’t you paid us?) and for receiving information in response from the health plan or payer.  Claims status codes are now standardized for all payers.</p>
<p>Referrals and prior authorizations (X12 278)</p>
<p>For obtaining referrals and authorizations accurately and quickly, and for receiving prior authorization responses from the payer or utilization management organization (UMO) used by a payer.</p>
<p>Health care payment and remittance advice (X12 835)</p>
<p>For replacing paper EOB/EOPs and explaining all adjustment data from payers.  Also, permits auto-posting of payments to accounts receivable system.</p>
<p>Health claims attachments (proposed) (X12 275)</p>
<p>For sending detailed clinical information in support of claims, in response to payment denials, and other similar uses.</p>
<p>The purpose of the HIPAA standards is to simplify the processes and decrease the costs associated with the payment for health care services. The savings to payers, physicians and other providers could be enormous, but only if there is collaboration between all parties involved.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/what-are-hipaa-transactions-and-code-set-standards/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Is your Email system HIPAA compliant?</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/is-your-email-system-hipaa-compliant/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/is-your-email-system-hipaa-compliant/#comments</comments>
		<pubDate>Fri, 13 Aug 2010 06:48:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Strategy]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=403</guid>
		<description><![CDATA[With the advent of the internet, email has emerged as a communication solution, and more and more patients are looking to communicate with their healthcare providers via email. Some healthcare practitioners, however, feel that emailing their patients equates to working for free, but some clinics have already begun charging for email consultations.
It is possible for [...]]]></description>
			<content:encoded><![CDATA[<p>With the advent of the internet, email has emerged as a communication solution, and more and more patients are looking to communicate with their healthcare providers via email. Some healthcare practitioners, however, feel that emailing their patients equates to working for free, but some clinics have already begun charging for email consultations.</p>
<p>It is possible for clinics to shift towards a digital medical office while remaining financially solid. Rights management software tools have become a reality for the small and medium business office.</p>
<p>As with any medical advance, the side effects of a solution or cure must also be considered. While email is beneficial time-wise and financially, there are also cons to using this tool, many of them HIPAA-related. According to the Health Privacy Project&#8217;s 2005 study, 70% of Americans are concerned that personal health information (PHI) could be disclosed as a result of weak data security.</p>
<p>Currently, healthcare organizations are required to provide a disclosure statement when communication is sent to their patients. With the advent of phishing, malware, and spyware, the unintended recipient could possibly spread a patient&#8217;s PHI like a virus, using or selling data to any number of damaging sites.</p>
<p>Under HIPAA, facilities that fail to protect their patients&#8217; PHI face stiff penalties. PHI includes, but is not limited to:</p>
<p>* Patient&#8217;s address, phone number<br />
* Treating Hospital/Clinic number assigned the patient<br />
* Patient&#8217;s date of birth/ SSN<br />
* Patient&#8217;s legal next of kin/guardian and their telephone number<br />
* Patient&#8217;s insurance information (pre-certification/ DSHS/ Medicare)<br />
* Anticipated Admission date and time</p>
<p>HIPAA email is regarded as any email that contains information relating to your medical records. That can be anything from your address or phone number, date of birth, social security number, next of kin, or insurance information (administrative or otherwise) to your admission information for any medical visits or stays.</p>
<p>It isn’t only clinics, hospitals or doctors that are subject to this.  Your employer is too if you have a health or medical plan.  Companies who handle this kind of information have to have an information storage strategy that complies with HIPAA and many other pieces of legislation.  Many companies handle this in-house with their existing staff and infrastructure.</p>
<p>While some companies handle this in-house, others outsource this burden to companies like Archive Compliance, who will take care of their secure storage for them.  Companies like this have to demonstrate that their storage and retrieval methods are secure to be able to remain in business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/is-your-email-system-hipaa-compliant/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Information sought by HHS officers during HIPAA audit</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/informations-sought-by-hhs-officers-during-hipaa-audit/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/informations-sought-by-hhs-officers-during-hipaa-audit/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 09:50:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[Legislation]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Strategy]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=402</guid>
		<description><![CDATA[The Health Insurance Portability and Accountability Act (HIPAA) requires compliance audits to be conducted by the Office of the Inspector General at the U.S. Department of Health and Human Services (HHS), and here is a list of some of the information which can be sought by the HHS official if your organization is on a HIPAA [...]]]></description>
			<content:encoded><![CDATA[<p>The Health Insurance Portability and Accountability Act (HIPAA) requires compliance audits to be conducted by the Office of the Inspector General at the U.S. Department of Health and Human Services (HHS). Here is a list of some of the information that HHS officials can seek if your organization is undergoing a HIPAA audit:</p>
<p>The HHS officers can seek the policies and procedures for:</p>
<ul>
<li>Establishing and terminating users&#8217; access to systems housing electronic patient health information (ePHI).</li>
<li>Emergency access to electronic information systems.</li>
<li>Inactive computer sessions (periods of inactivity).</li>
<li>Recording and examining activity in information systems that contain or use ePHI.</li>
<li>Electronically transmitting ePHI.</li>
<li>Preventing, detecting, containing and correcting security violations (incident reports).</li>
<li>Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.</li>
<li>Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.</li>
<li>Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.</li>
<li>Physical access to electronic information systems and the facility in which they are housed.</li>
<li>Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals&#8217; databases that house ePHI data?).</li>
<li>Firewalls, routers and switches.</li>
<li>Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.</li>
<li>Terminating an electronic session and encrypting and decrypting ePHI.</li>
<li>Password and server configurations.</li>
<li>Anti-virus software.</li>
<li>Network remote access.</li>
</ul>
<p>HHS can also request a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software used to collect, store, process or transmit ePHI; a list of terminated employees and all new recruits; the authentication methods used to identify users authorized to access ePHI; a list of transmission methods used to transmit ePHI over an electronic communications network; a list of systems administrators, backup operators and users; a list of database security requirements and settings; a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows); and so on.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/informations-sought-by-hhs-officers-during-hipaa-audit/feed/</wfw:commentRss>
		</item>
		<item>
		<title>HHS Proposed Rule for marketing under HIPAA</title>
		<link>http://www.hipaacompliancejournal.com/2010/08/hhs-proposed-rule-for-marketing-under-hipaa/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/08/hhs-proposed-rule-for-marketing-under-hipaa/#comments</comments>
		<pubDate>Mon, 09 Aug 2010 05:46:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[Legislation]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<category><![CDATA[Products]]></category>

		<category><![CDATA[Strategy]]></category>

		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=401</guid>
		<description><![CDATA[The U.S. Department of Health and Human Services (HHS) has proposed a set of significant updates to health privacy rules. The rule is open for public comment until September 13th. Although the proposed rule does not clarify some outstanding issues in the health information technology (health IT) area, it does contain numerous changes to the [...]]]></description>
			<content:encoded><![CDATA[<p>The U.S. Department of Health and Human Services (HHS) has proposed a set of significant updates to health privacy rules. The rule is open for public comment until September 13th. Although the proposed rule does not clarify some outstanding issues in the health information technology (health IT) area, it does contain numerous changes to the HIPAA Privacy Rule, the most prominent being Business Associates, Enforcement, Marketing and Research.</p>
<p>As per HIPAA, Covered Entities need to obtain patient authorization to send marketing communications to patients. The Privacy Rule states several exceptions, however, for which covered entities do not need patient authorization to make communications. The exceptions include communications about treatment, alternative therapies, and “value-added” benefits. HITECH revoked this exception when an entity receives “direct or indirect remuneration” from an outside entity (such as a product manufacturer) to make the communication. In HITECH, Congress declared such subsidized communications to be marketing, with one exception: when the communication is about a drug or a biologic that the patient is currently taking.</p>
<p>However, as per the proposed rule, prior patient authorization would not be required to send subsidized communications for treatment, provided the communications are tailored to an individual’s health condition. Although the proposed rule would not require prior patient authorization for subsidized treatment communications, it would require that the provider notify the patient of its intent to send the patient subsidized treatment communications, that the notice inform the patient that she may opt out of receiving such communications, and that the treatment communication itself reiterate the patient’s ability to opt out and disclose the fact that someone paid the provider to send the communication.</p>
<p>In the current Privacy Rule, the term “payment” covers only the activities of health plans in paying for health care and those of providers in seeking payment for care. The proposed exception, however, includes treatment communications subsidized by third parties who are neither health plans nor providers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/08/hhs-proposed-rule-for-marketing-under-hipaa/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Are you running out your Cobra coverage?</title>
		<link>http://www.hipaacompliancejournal.com/2010/07/are-you-running-out-your-cobra-coverage/</link>
		<comments>http://www.hipaacompliancejournal.com/2010/07/are-you-running-out-your-cobra-coverage/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 05:35:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General]]></category>

		<category><![CDATA[Guide]]></category>

		<category><![CDATA[In the news]]></category>

		<category><![CDATA[Legislation]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Privacy &amp; security]]></category>

		<guid isPermaLink="false">http://www.hipaacompliancejournal.com/?p=400</guid>
		<description><![CDATA[After 31st May, the 15-month federal Cobra premium subsidy ran out for Americans. These are the people who started receiving the premium in March 2009, when it first became available to laid-off workers who were eligible to remain in their group health plan, under either the federal law known as Cobra or a state version.
If [...]]]></description>
			<content:encoded><![CDATA[<p>After 31st May, the 15-month federal Cobra premium subsidy ran out for Americans. These are the people who started receiving the premium in March 2009, when it first became available to laid-off workers who were eligible to remain in their group health plan, under either the federal law known as Cobra or a state version.</p>
<p>If you fall under this group and are about to lose your Cobra subsidy, follow these tips:</p>
<p>1. If you are healthy, an individual or family plan will usually be cheaper than paying 100 percent of your Cobra premium. Call your insurance broker and surf the net for new plans. Meanwhile, do not drop your Cobra coverage until you are approved for a new plan, even if you have to pay the full Cobra premium for an extra month.</p>
<p>2. If you have a pre-existing condition, it will usually be cheaper to stay in your group health plan and pay the entire premium until your Cobra or Cal-Cobra eligibility ends than to switch to a HIPAA plan. HIPAA policies can be quite expensive, but they are still better than going without coverage or going into a state high-risk pool, which provides limited coverage for people who have been rejected for insurance.</p>
<p>3. Mix and match your options. For example, rather than pay 100 percent of the Cobra premium for family coverage, one parent, who is healthy, may opt for an individual policy. The other parent, who has a pre-existing condition, may remain on Cobra as a single person until it runs out and then get a HIPAA policy. The two children may qualify for Healthy Families. The total cost is less than what the family would pay to stay on Cobra as a family.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaacompliancejournal.com/2010/07/are-you-running-out-your-cobra-coverage/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
