HIPAA News & Updates 

As the leading provider of release of information services, HealthPort® is committed to remaining proactive when implementing HIPAA standards in all products that we offer. Jan McDavid, HealthPort's compliance officer and general counsel, is an expert on HIPAA compliance and takes a hands-on approach to ensure that we remain on the cutting edge of security rules and regulations.

With posts to the HIPAA blog, Jan is committed to providing an informational resource to the healthcare community that includes news, tips and updates on HIPAA related information.


  • Three Privacy Enforcement Trends to Watch and Steps to Take in 2014

    The Department of Health and Human Services has been unusually busy recording data breaches. In January alone there were 70 health data breaches, each affecting more than 500 individuals. This doesn’t include smaller breaches of patient information, those affecting fewer than 500 individuals, so we expect the real number of breaches occurring at covered entities (CEs) and business associates (BAs) may be much higher.

    In fact, 2013 was a historic year for Health Insurance Portability and Accountability Act (HIPAA) violations, with more than 5.7 million patients affected, according to HHS’s online database. Five “mega-breaches” accounted for 90 percent of the 2013 incidents, according to the HHS site. According to the Ponemon Institute’s December 2012 report, breaches cost health organizations close to $7 billion annually.

    While HHS is quick to state that “numbers fluctuate” on its popular breach reporting site, the trends are evident. Most breaches aren’t related to hacking of electronic information, like those recently reported by Target and other consumer retailers. Instead, they involve three long-standing privacy compliance problems in health care:

    • lack of physical safeguards;
    • unauthorized employee access into records; and
    • accidental commingling of patient information.

    As health-care executives, privacy officers and legal counselors head into the coming year, proactive breach prevention must go back to the basics. Here are three tips to get it done.


  • Omnibus Rules Update on Required Patient Pricing

    The Omnibus Rule’s compliance date of September 23 has passed, and everyone should by now have implemented many new provisions, including the required patient pricing. The Rule states (in one reference) that only labor costs, plus supplies and postage, can be charged to patients who request that their records be delivered in electronic format. There are references in the Rule to other types of costs that potentially could be charged, but HealthPort opted to implement the more conservative interpretation of “labor.” We sought guidance from the HHS Office for Civil Rights (OCR) more than three months ago, but so far have not received a response (note: OCR was shut down, along with most of the rest of the government, as this was being written).

    We are asking OCR for clarification on which other components of “labor,” as listed inconsistently throughout the Omnibus Rule, may be included in the patient price for the electronic release of information. Some of those discrepancies in the Rule state or imply that both direct and indirect labor can be charged, along with the labor to prepare and transmit the records, various overhead expenses, and the cost of capital. Watch this space for more information if and when HealthPort receives a response from OCR.

  • Omnibus Compliance Comes Down to the Wire

    In only one week, fines commence for failing to comply with new HIPAA Omnibus rules. Eight months ago, when we all took our first look at the new Final Rule, it appeared to be loaded with changes, and the path to compliance seemed daunting. However, the past months have been filled with a plethora of information and education for both Covered Entities (CEs) and the Business Associates (BAs) that serve them. 

    At this stage of the game, you should have a firm handle on the nuances of HIPAA Omnibus, which you must convey to your staff in advance of the impending compliance deadline. You’ve researched the changes, updated policies and procedures, and educated staff. BA agreements have been refreshed and new Notices of Privacy Practices distributed. (If you’re still a little fuzzy about certain intricacies of the new Final Rule, the American Medical Association provides a nice summary here.) 

    So with one week left, what is the final task to ensure compliance and mitigate risk of OIG fines? It is a thorough check of your I.T. systems. This final hurdle must be overcome within the next week and documentation describing your compliance efforts completed. 

    Patient Requests for Restriction—Check Your Systems

    Unlike other areas affected by HIPAA Omnibus, managing patient requests to restrict disclosures to health insurers involves more than a policy change. When you accept a restriction, you have to manage it, and your electronic health record (EHR) is likely your primary means of doing so. Your IT systems need to accommodate restrictions.

    They must have programmable flags that identify information which shouldn’t be released or forwarded. These flags need to be obvious to, and heeded by, everyone who accesses the record. Ask yourself the following questions as you fine-tune your software in the coming week:

    • How will the restricted record be prevented from flowing through other systems?
    • How will you intercept a restricted record that may be released within aggregate health plan data, or other sources for which the patient may ask for a restriction that you have accepted?
    • Will removing this data skew the results of critical information that is required for optimum quality of care?
    • How will restriction requests affect situations of managed care and other payer contracts for which you are obliged to provide data?
    • Does your organization allow for the restriction of separable and unbundled healthcare items or services?

    Finally, the processing of patient requests for restriction must be fully documented, workflow and policies must be updated, and staff must be informed. The plan should answer the following questions:

    • How will the request for restriction be received?
    • Who in particular will receive the notification and start processing the request?
    • Who will ultimately approve/deny the request?
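    As an added illustration (not HealthPort’s code or any EHR vendor’s), the following Python models the restriction flags described above: each restriction is recorded at the level of a separable item plus the recipient it must not flow to, and one filter is applied to every outgoing batch, whether a single chart or an aggregate payer feed. The recipient and status names, the sample patients and items, and the rule that a pending request is honoured until it is decided are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Recipient(Enum):
    HEALTH_PLAN = "health_plan"
    TREATING_PROVIDER = "treating_provider"

class Status(Enum):
    PENDING = "pending"    # received, not yet approved or denied
    ACCEPTED = "accepted"  # approved: must be enforced on every path out
    DENIED = "denied"

@dataclass(frozen=True)
class RecordItem:
    item_id: str     # one separable service or item in the record
    patient_id: str

@dataclass(frozen=True)
class Restriction:
    patient_id: str
    item_ids: frozenset   # items the patient asked to restrict
    blocked: frozenset    # recipients those items must not flow to
    status: Status

class RestrictionRegistry:
    # The flag store that every release path consults before data leaves.
    def __init__(self, restrictions):
        self._restrictions = list(restrictions)

    def is_blocked(self, item, recipient):
        # Hypothetical policy: a PENDING request is honoured until decided.
        return any(r.patient_id == item.patient_id and item.item_id in r.item_ids
                   and recipient in r.blocked and r.status != Status.DENIED
                   for r in self._restrictions)

    def filter_release(self, items, recipient):
        # Split a batch (one chart or an aggregate payer feed) into released/withheld.
        released = [i for i in items if not self.is_blocked(i, recipient)]
        withheld = [i for i in items if self.is_blocked(i, recipient)]
        return released, withheld

def demo():
    # Constructed sample: P001 paid out of pocket for consult V2 and asked that
    # it not go to the health plan; the request was accepted.
    reg = RestrictionRegistry([Restriction("P001", frozenset({"V2"}),
                                           frozenset({Recipient.HEALTH_PLAN}), Status.ACCEPTED)])
    batch = [RecordItem("V1", "P001"), RecordItem("V2", "P001"), RecordItem("V3", "P002")]
    return reg.filter_release(batch, Recipient.HEALTH_PLAN)
```

    The withheld list is what a release workflow should log and route to the person who approves or denies the request, so that the restriction is documented as well as enforced.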

    Crossing the Finish Line

    September 23 will be here in one week. Although compliance with HIPAA Omnibus seems an arduous task, many of the required adjustments are policy changes, which must be understood and conveyed to staff. But it’s your mastery of restriction management that will go furthest toward satisfying HIPAA compliance. Pay particularly close attention to your EHR—your primary tool for restriction management. Carefully programmed to monitor restrictions, your EHR can prevent the unwanted flow of data, limit access to that data, and move you ever closer to the private and secure data environment envisioned by HIPAA.

  • 2014 Update: ABCs of Working with BAs

    The Dept. of Health and Human Services (HHS) released its long-awaited HIPAA omnibus rule in mid-January, which significantly amends the original HIPAA privacy, security and breach rules. Nowhere are the changes more impactful than in the relationship between covered entities (CEs) and business associates (BAs).

    BAs are now, for the first time, directly liable for compliance with certain requirements of the HIPAA rules, including the cost of remediation of breaches for which they are responsible. The new rule went into effect March 26, 2013. Covered entities and BAs must comply by September 23 of this year, so there is much work to do. 

  • Final HIPAA Omnibus Rule Released

    On Thursday, January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the final HIPAA omnibus rule. It’s a 563-page rule, covering several issues. And while the rule was published a year later than initially promised, covered entities and business associates have only eight months to comply.  

    HealthPort conducted an initial review of the rule. We’ve identified five key areas of change for healthcare providers. 

    • Business Associates (BAs) are now directly liable for the increased penalties for non-compliance based on their own actions, as well as the level of negligence and non-compliance by their subcontractors.
    • HITECH’s breach notification requirements are strengthened by clarifying when breaches of unsecured health information must be reported to HHS.
    • There will be stronger limitations on disclosures for providers’ fund-raising efforts.
    • Patients can request a copy of their EMR in electronic form.
    • When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan.

    It appears the changes in breach notification processing and the elements used to determine “cost” in processing requests from patients will have the greatest impact on HIM professionals.

    We invite you to visit this blog often for more details and practical advice as we dig deeper into HIPAA’s final omnibus rule.

    NOTE: The final rule may be viewed in the Federal Register at: https://www.federalregister.gov/public-inspection

  • Healthcare Reform Changes and What HIM Professionals Need To Know

    As you know, healthcare reform was upheld by the Supreme Court earlier this year.  Now that it is upon us, it is important that health information management professionals understand which record management workflows will be impacted and what other changes are ahead.  As a guest columnist in this month’s Advance for Health Information Professionals online Privacy Points column, I outline some of the reform changes and discuss what HIM professionals need to know to enhance their knowledge and understanding.  

    Click here to read my column, “Healthcare Reform and HIM: What You Need to Know,” and feel free to comment in the area provided below.

  • Healthcare Reform and HIM: What You Need to Know

    Recently, I served as the guest columnist for the Privacy Points column in Advance for Health Information Professionals’ e-newsletter. Titled “Healthcare Reform and HIM: What You Need To Know,” my column focuses on the ways that healthcare reform offers HIM another opportunity to shine. Now that healthcare reform is inevitable, it is important that health information management professionals understand which record management workflows will be impacted and what other changes lie ahead.

    Click here to read my column in its entirety; I welcome your comments about the changes ahead and their effect on HIM.

  • EMR vs EHR-What is the Difference?

    As I browsed the web recently, I came across an interesting article that I wanted to share with my blog readers.  The article titled, “EMR vs EHR-What is the Difference?” was posted on the U.S. Department of Health and Human Services Health IT Buzz online newsletter and authored by Peter Garrett / ONC Office of Communications, and Joshua Seidman, PhD / Director Meaningful Use, ONC. 

    Click here to read the article in its entirety and let me know what you think in the comments section below.

  • HIPAA/HITECH Act Final Rules Delayed

    The White House’s Office of Management and Budget (OMB) has extended its review of the rules, although HHS recently indicated that it was targeting July 2012 for release and, at the same time, the Director of OCR stated that the rule was “extremely close” to publication.

    OMB has 90 days to review most proposed and final rules. However, OMB is permitted to extend the review period for an additional 30 calendar days on its own, and, with the agreement of the agency head, for longer periods of time. Of the 19 HHS submissions to OMB currently listed on the federal website that reports on regulations under review by OMB, 11 have extended review periods.

    The omnibus rule is expected to include modifications to:

    • The Breach Notification Rule,
    • The HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act,
    • The Privacy and Security Rules, implementing changes mandated by HITECH, as well as other changes to the Privacy Rule proposed in July 2010, and
    • The Privacy Rule, implementing changes required by the Genetic Information Nondiscrimination Act.

  • Final HITECH Privacy Rules-Coming Soon?

    I just returned from the 20th National HIPAA Summit in Washington, D.C. There was a lot of good information and there were excellent speakers, many of whom were from HHS, OCR, and ONC. We learned that the final HITECH privacy rules were sent last Saturday (March 24, 2012) to the US Office of Management and Budget (OMB) and are listed on its website as RIN 0945-AA03. This means that OMB will do its final review before the rule is published in the Federal Register. There is no timetable for this review, but we were told it could be up to three months.

    Included were (i) the breach notification rule, (ii) the finalization of much of HITECH, (iii) the enforcement rule, and (iv) a final rule implementing changes to the Privacy Rule required by the Genetic Information Nondiscrimination Act (“GINA”).

    OCR also promised to publish guidance on business associate contracts, de-identification, and conducting risk assessments to determine breaches.  The latter proposed guidance — assessing breaches — suggests that OCR retained a controversial provision of the interim final rule on breach notification: the harm threshold assessment. This threshold allows entities to conduct their own risk assessments on breaches and potentially avoid notifying individuals of breaches. If the breach is considered to have no financial or reputational harm, then entities don’t have to notify patients. Although OCR had previously expressed an intention to combine all HITECH update rules together, including the accounting of disclosures, OCR told us at the meeting that the AOD rule was not included in what was submitted to OMB.

    Accounting for Disclosures will come out separately and is reportedly close to being ready.  Language supporting AOD can be found in the recently released NPRMs for Meaningful Use Stage 2 and Implementation Standards and Certification Criteria, both of which are now out for public comment.  AOD is still expected to cover accounting for access to information related to Treatment, Payment and Operations and require automated accounting.

    Several unofficial commentators have suggested that requirements in those rules are geared toward supporting automated auditing and the ability to produce an audit list, something that was very controversial when the AOD NPRM first came out last year. Stay tuned.
