Posts Tagged ‘hipaa compliance’
Is HIPAA Privacy Rule a failure in protecting Patient Privacy?
The Institute of Medicine has released a new report finding that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule not only fails to adequately protect the privacy of people’s personal health information but also hinders important health research. The HIPAA Privacy Rule regulates which uses and disclosures of personally identifiable health information are permitted by health plans, health care providers, and other entities covered by the regulation.
The report notes that the current HIPAA rule is difficult to reconcile with other federal regulations governing research involving people and their personally identifiable information. Based on these findings, the Institute recommends that Congress authorize the development of an entirely new approach, separate from the current HIPAA Privacy Rule, to protect personal health information in research. This new approach should apply privacy, data security, and accountability standards uniformly to information used in all health-related research, regardless of who funds or conducts the research.
The committee also offers recommendations in case policymakers decide to continue relying on the current rule to protect privacy in health research. It recommends a series of changes to improve the rule and the guidance that the US Department of Health and Human Services (HHS) gives on how to comply with it. In addition, the report urges all institutions conducting health research to strengthen their data protection, including encryption of all laptops, flash drives, and other portable media containing such data.
HIPAA Requirements for business associates
Under the expanding privacy and security requirements of US law, business associates are now required to comply directly with many of HIPAA’s rules. If, as a business associate, you fail to comply with these rules, you are subject to civil and criminal penalties, including a provision that allows individuals to receive financial compensation for the violation. With the passage of the American Recovery and Reinvestment Act (ARRA), other remedies have also been expanded, such as increased federal government audits, the granting of attorneys’ fees in some HIPAA lawsuits, and a method for individuals to recover penalties under HIPAA.
To comply with the law, a business associate must complete the following tasks:
* Appointing a Security Official.
* Developing written policies and procedures, including physical safeguards (such as locking computers that contain electronic protected health information, “EPHI”) and technical safeguards (such as encrypting emails).
* Training the workforce on how to protect EPHI.
If you violate the EPHI rules due to reasonable cause rather than willful neglect, the penalty is $1,000 per violation. If the violation is due to reasonable cause and is corrected, the penalty is $25,000 per violation and a maximum of $250,000 per year. For reasonable cause, uncorrected, the penalty is $50,000 per violation and a maximum of $1,500,000 per year.
Also, with immediate effect:
* You are required to notify each individual affected by a security breach by mail or, if the individual has specified a preference for it, by email.
* If you do not have contact information for an individual, you may be required to post notice of the breach on your website, in newspapers, or in other broadcast media.
* For breaches involving more than 500 residents of one area, you must notify a “prominent media outlet.”
* You must also notify the Department of Health and Human Services (DHHS), which is establishing a website listing these breaches. There is an exception for certain unintentional breaches.
Consult a health law attorney if you have any questions or concerns about building your policies and procedures, or about the tasks assigned to the Security Official.
A New Health IT Bill On the Floor for U.S. House of Representative’s Preview
To speed the build-out of a nationwide electronic health record infrastructure, the U.S. House of Representatives may need to reach consensus on passing a bill to that effect. However, some oppose the effort, citing inadequate funding as a reason to postpone the bill.
If passed, the legislation would cost approximately $575 million to implement. The bill was approved by voice vote in a subcommittee in late June and is pending approval by the House Energy and Commerce Committee.
The bill as proposed by the committee seeks $115 million in federal grants and loans for each fiscal year from 2009 to 2013. Under its terms, physicians and hospitals would compete for access to funds to buy certified health information technology. An applicant would have to contribute $1 for every $3 provided by the government, and preference would be given to small practices and hospitals and to those in underserved areas.
The grant provisions of the proposed bill also fund programs for purchasing health IT and for developing interoperable information technology networks. Other provisions would create a permanent health IT coordination office at the Department of Health and Human Services to encourage universal adoption of electronic health records by 2014.
Although the American Medical Association (AMA) has not yet endorsed the bill, its members believe it has what is needed to move toward broad adoption of health IT, and it has been received positively as a step toward a nationwide health IT infrastructure.
Further, the AMA has welcomed the bill’s measures to provide financial assistance to physicians and to extend the scrutiny of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule to everyone involved in the electronic exchange of health information, including workers’ compensation carriers, researchers, life insurance issuers, employers, and marketing firms. On the issue of privacy, however, more work is needed on a clear definition of privacy and on meaningful penalties for privacy violations.
SAS 70 Audits
SAS 70 (Statement on Auditing Standards No. 70) is an auditing standard issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”.
A service auditor issues a report after assessing a service organization’s internal controls against the professional standards set out in SAS 70. As defined in SAS 70, a service organization is an entity providing outsourced services whose operation affects its customers’ internal controls. Examples include insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations, and clearing houses.
A SAS 70 auditor typically issues one of two types of report. A Type I service auditor’s report addresses the fairness of the organization’s description of its controls and their suitability to achieve specified control objectives. A Type II service auditor’s report includes everything in a Type I report and additionally contains the service auditor’s opinion on whether the controls operated effectively during the period under review.
The use of SAS 70 has changed over the last few years, and it is now employed in non-traditional ways during audits, adapted to the needs of each industry. For example, service organizations serving the financial services industry are expected to have a SAS 70 review conducted in line with Gramm-Leach-Bliley Act (GLBA) requirements.
Service organizations in the health care sector, meanwhile, are asked by their clients to have a SAS 70 audit performed against HIPAA (Health Insurance Portability and Accountability Act) requirements, to confirm that a third party has verified their controls over the processing of sensitive healthcare information.
Document Shredding Business in Boom - Thanks to HIPAA
The Health Insurance Portability and Accountability Act of 1996 may have deprived the insurance and health sectors of certain benefits through its prohibitions aimed at identity theft, but it has benefited a Knoxville-based US document shredding company that expects healthy profits from a second wave of consolidation in the industry in the United States.
3GS LLC, a shredding company started by Mike West, managing partner of NorthShore Capital Advisors, is expected to grow through the acquisition of small shredding firms to form the largest independent document shredding company in the United States.
“We are essentially entrepreneurs helping other entrepreneurs to exit their business,” said Boehringer, CEO of 3GS, who will oversee the strategic acquisitions and integration of companies. “We standardize the operations and upgrade the employee situation as it relates to benefits.”
With the Health Insurance Portability and Accountability Act of 1996, the Sarbanes-Oxley Act of 2002, and the accompanying ever-increasing reports of identity theft, the document shredding industry is growing day by day.