Is the transition to HIPAA 5010 too demanding on hospitals?

The American Recovery and Reinvestment Act is acting tough on hospitals by requiring them to take on many Herculean tasks at one go: converting to an EHR, transitioning to HIPAA 5010, coordinating vendor and health plan testing, training staff members on new technology, and so on.

Among them, the transition to HIPAA 5010 is perhaps the most demanding, because its compliance deadline, January 1, 2012, is only about two years away. Although that is a year ahead of the October 1, 2013 deadline for the ICD-10 cutover, the two dates are close enough that both upgrades will have to be underway at the same time.

During its first national provider education call about HIPAA Version 5010, CMS provided an overview of the updated national code standard for billing software and answered several questions from providers, vendors, and other health information management and health information technology professionals.

It was said during the call that Medicare Administrative Contractors must be ready to use 5010 by January 1, 2011, thus giving providers one full year to coordinate testing efforts. The Medicare fee-for-service implementation of 5010 will include the following:

* Improved claims receipt, control, and balancing procedures
* Increased consistency of claims editing and error handling
* Improved efficiency for returning claims needing correction earlier in the process
* Improved assignment of claim numbers closer to the time of receipt.

What if your laptop containing PHI gets lost or stolen?

Just imagine this… A doctor’s laptop containing Protected Health Information (PHI) of about 1,000 patients gets stolen or lost. What is to be done next?

The first point that comes to mind in this scenario is that PHI should never have been stored on a laptop in the first place. The correct practice is to use the EMR to keep all patient information on the server; PHI should not reside on a laptop at all.

If it does happen, however, current technology comes to immediate aid. As soon as the laptop is stolen, report it stolen; the authorities then start tracking it down (in the same way they track stolen cars). If the laptop is ever connected to a network, it calls back to the central service and receives the command to wipe its contents.

It also reports to the authorities where it was connected from, so the police may be able to recover the stolen laptop as well. That is the beauty of today’s technology, and an increasing number of companies are enabling this capability on their laptops.

Adhering to HIPAA as a medical transcriptionist working from home

To have a good reputation as a medical transcriptionist, you need not only a quality work record but also a reputation for reliably keeping confidential all the medical data that pass through your hands.

Medical transcriptionists working in a medical transcription company usually adhere to the Health Insurance Portability and Accountability Act (HIPAA) standards, but if you are working from home, you must follow certain steps to keep medical records secure and confidential.

Firstly, keep your office in a private place out of the reach of family and friends so that all the medical data – the voice recordings and the transcribed information – are beyond anyone’s reach.

Protect your medical transcription work on the computer with passwords and keep your anti-virus software updated. Also, keep the firewall on whenever you are connected to a network, and when sending files to your client, make sure they are transmitted over a secure connection.

Encrypt e-mails that contain queries and information about the medical records. Lastly, back up your medical transcription work periodically on an external drive.

Parental access to child’s medical records as per HIPAA

The HIPAA Privacy Rule generally allows a parent to have access to the medical records about his or her child, as the minor child’s personal representative, when such access is not inconsistent with State or other law. The exceptions, in which the parent would not be the minor’s personal representative under the Privacy Rule, are:

  • When the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law;
  • When the minor obtains care at the direction of a court or a person appointed by the court; and
  • When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.

However, even in these exceptional situations, if State or other applicable law requires or permits parental access, the parent may have access to the minor’s medical records related to this treatment. Likewise, if State or other law denies such access, parental access would be denied. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment, to the extent allowed by law, to grant or deny parental access to the minor’s medical information.

Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

Difference between consent & authorization under the HIPAA Privacy Rule

The Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.

The Privacy Rule requires authorization for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.

Filing a complaint with OCR – HIPAA

You can file a complaint with OCR if you believe that a covered entity violated your health information privacy rights or committed another violation of the Privacy Rule. OCR can investigate complaints against covered entities related to the Privacy Rule. Under the Privacy Rule, an entity cannot retaliate against you for filing a complaint; you should notify OCR immediately in the event of any retaliatory action.

The requirements a complaint must meet are:

  • The complaint must be filed in writing, either on paper or electronically, by mail, fax, or email.
  • It should contain the name of the covered entity involved and describe the acts or omissions you believe violated the requirements of the Privacy Rule.
  • The complaint must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”

If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. There is no need to sign the complaint and consent forms if sent by email because submission by email represents your signature.

Cloud storage and HIPAA compliance

Cloud computing reduces reliance on internal resources, cuts down on manpower requirements, and frees you from administration and troubleshooting.

However, not everyone will like the idea of handing that burden to someone else through cloud backup. The first to object may be the compliance officer, who must ensure that all data storage, backup, and archiving strategies are in line with the many different regulations and internal policies that govern how data is stored and for how long.

Ensuring compliance for data storage is hard enough when storage is internal, but when using a cloud system you are relying on the provider. If you are in healthcare, for example, your internal strategies revolve around HIPAA, but a cloud provider is, technically, not bound by the regulation. Because of these regulations, you will typically have to have a long-term data retention policy.

However, online backup services have often failed to meet long-term commitments. Several online backup services, including those run by very large companies such as Hewlett-Packard, have been unable to honor long-term storage commitments.

Another factor to consider is who has access to the data and how that access is governed. Compliance with HIPAA and other regulations calls for strict access controls to be in place.

To sum up, when opting for cloud storage, always take into consideration compliance legislation such as HIPAA or Sarbanes-Oxley, and opt for in-house management if there is any doubt.

Adhering to HIPAA regulations is important

Privacy of personal information is the right of every individual in any part of the globe. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to prevent unauthorized access to patient information, and all medical-related businesses should abide by it.

HIPAA must be followed by all ‘covered entities’, a term that includes:

  • Hospitals and clinics
  • Insurance Companies dealing with health and medical policies
  • Private Practices – General practitioners and specialists, dentists, chiropractors, etc.
  • Psychiatrists and Psychologists
  • Medical Billing Centers and Collection Agencies

Whether you have two people or two hundred working in an office that deals with medical health records, the security of patient information is important. It is imperative for all employees to make sure sensitive data is not compromised and exposed to unauthorized people.

Medical information that Federal law recognizes as personal and private, and that healthcare centers must not disclose, includes but is not limited to:

  • Prescription Information
  • Medical History Records
  • Appointment Logs
  • Phone and Voice Mail Message Notes
  • Insurance Forms and Claims
  • Billing Information

While adhering to HIPAA rules, you need to destroy all patient information that is outdated or no longer necessary. Records must be destroyed in accordance with HIPAA regulations, which means every sticky note and every printout needs to be shredded thoroughly. Simply throwing papers away does not guarantee security, as any unscrupulous person could sift through the garbage and gain access to credit card numbers and addresses. You could also hire a professional to destroy documents.

Webcast released by VirtualHealth Technologies

VirtualHealth Technologies, Inc. has released an on-demand corporate Webcast on Breakthrough Healthcare Software to Meet HIPAA Compliance, Lower Healthcare Costs and Reduce Crime. The company has also introduced Real-Time Prescription Drug Monitoring, Healthcare Security, Practice Management and Electronic Health Records Solutions.

The Webcast offers solutions for improved healthcare management and the reduction of prescription fraud and crime through real-time prescription drug monitoring software. Additionally, it provides an overview of the Company’s healthcare security and authentication solutions, and its practice management and electronic health records technology.

VirtualHealth has over 1500 clients and has completed government trials for the Company’s next generation real-time, web-based prescription monitoring solution focused on reducing controlled substance fraud and crime. Additionally, the winner of the 2008 Hot Product TEPR award, PrivateAccess, Inc., has licensed solutions from VirtualHealth that provide security platforms to facilitate data sharing and communication.

Getting to know the definition of ‘Covered Entity’

One of the terms mentioned in the HITECH privacy provisions of the American Recovery and Reinvestment Act, which President Obama signed into law on Tuesday, February 17, 2009, in Denver, CO, is ‘Covered Entity’. The definitions for the various terms appear in Subtitle D—Privacy, Section 13400 in the Conference Report on page H1345 of Congressional Record—House, February 12, 2009. These definitions are critical to understanding the content of the new HITECH privacy provisions and how they relate to the existing HIPAA Administrative Simplification Privacy Rule standards.

Here we reproduce the definition of ‘COVERED ENTITY’ as given in the act. The term ‘covered entity’ has the meaning given to it in section 160.103 of title 45, Code of Federal Regulations.

Section 160.103—

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter [e.g., HIPAA Administrative Simplification transaction standards].