HIPAA News & Updates 

As the leading provider of release of information services, HealthPort is committed to remaining proactive when implementing HIPAA standards in all products that we offer. Jan McDavid, HealthPort's compliance officer and general counsel, is an expert on HIPAA compliance and takes a hands-on approach to ensure that we remain on the cutting edge of security rules and regulations.

With posts to the HIPAA blog, Jan is committed to providing an informational resource to the healthcare community that includes news, tips and updates on HIPAA related information.

Click here to see all of Jan's upcoming speaking engagements!

• Final HIPAA Omnibus Rule Released

  January 23, 2013

  On Thursday, January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the final HIPAA omnibus rule. It’s a 563-page rule, covering several issues. And while the rule was published a year later than initially promised, covered entities and business associates have only eight months to comply.  

  HealthPort conducted an initial review of the rule. We’ve identified five key areas of change for healthcare providers. 
  

  • Business Associates (BAs) are now directly liable for the increased penalties for non-compliance based on their own actions, as well as the level of negligence and non-compliance by their subcontractors. 
  • HITECH’s breach notification requirements are strengthened by clarifying when breaches of unsecured health information must be reported to HHS. 
  • There will be stronger limitations on disclosures for providers’ fund-raising efforts. 
  • Patients can request a copy of their EMR in electronic form.
  • When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan.
  • It appears the changes in breach notification processing and the elements used to determine “cost” in processing requests from patients will have the greatest impact on HIM professionals. 

  We invite you to visit this blog often for more details and practical advice as we dig deeper into HIPAA’s final omnibus rule. 

  NOTE: The final rule may be viewed in the Federal Register at: https://www.federalregister.gov/public-inspection
  

  
  

  Full story

  Comments (0)

• Healthcare Reform Changes and What HIM Professionals Need To Know

  September 13, 2012

  As you know, healthcare reform was upheld by the Supreme Court earlier this year.  Now that it is upon us, it is important that health information management professionals understand which record management workflows will be impacted and what other changes are ahead.  As a guest columnist in this month’s Advance for Health Information Professionals online Privacy Points column, I outline some of the reform changes and discuss what HIM professionals need to know to enhance their knowledge and understanding.  

  Click here to read my column, “Healthcare Reform and HIM: What You Need to Know,” and feel free to comment in the area provided below.

  Full story

  Comments (0)

• Healthcare Reform and HIM: What You Need to Know

  August 28, 2012

  Recently, I served as the guest columnist in Advance for Health Information Professional’s enewsletter  Privacy Points column.  Titled, “Healthcare Reform and HIM: What You Need To Know,” my column focuses on the ways that Healthcare reform offers HIM another opportunity to shine.  Now that healthcare reform is inevitable, it is important that health information management professionals understand which record management workflows will be impacted and what other changes lay ahead.

  Click here to read my column in its entirety and I welcome your comments about the changes ahead and their affect on HIM.

  Full story

  Comments (0)

• EMR vs EHR-What is the Difference?

  August 03, 2012

  As I browsed the web recently, I came across an interesting article that I wanted to share with my blog readers.  The article titled, “EMR vs EHR-What is the Difference?” was posted on the U.S. Department of Health and Human Services Health IT Buzz online newsletter and authored by Peter Garrett / ONC Office of Communications, and Joshua Seidman, PhD / Director Meaningful Use, ONC. 

  Click here to read the article in its entirety and let me know what you think in the comments section below.

  Full story

  Comments (1)

• HIPAA/HITECT Act Final Rules Delayed

  June 27, 2012

  The White House’s Office of Management and Budget (OMB) has extended its review of the rules, although HHS recently indicated that it was targeting July 2012 for release and, at the same time, the Director of OCR stated that the rule was “extremely close” to publication.
  
  

  OMB has 90 days to review most proposed and final rules. However, OMB is permitted to extend the review period for an additional 30 calendar days on its own, and, with the agreement of the agency head, for longer periods of time. Of the 19 HHS submissions to OMB currently listed on the federal website that reports on regulations under review by OMB, 11 have extended review periods.

  The omnibus rule is expected to include modifications to:

  • The Breach Notification Rule,
  • The HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act,
  • The Privacy and Security Rules, implementing changes mandated by HITECH, as well as other changes to the Privacy Rule proposed in July 2010, and
  • The Privacy Rule, implementing changes required by the Genetic Information Nondiscrimination Act.

  Full story

  Comments (1)

• Final HITECH Privacy Rules-Coming Soon?

  March 30, 2012

  I just returned from the 20th National HIPAA Summit in Washington, D.C.  There was a lot of good information and there were excellent speakers, many of whom were from HHS, OCR, and ONC.  We learned that the final HITECH privacy rules were sent last Saturday (March 24, 2012) to the US Office of Management (OMB) Website as RIN 0945-AA03. This means that OMB will do its final review before the rule is published in the Federal Register. There is no timetable for this review, but we were told it could be up to three months.

  Included was (i) the breach notification rule, (ii) the finalization of much of HITECH, (iii) the enforcement rule, and (iv) a final rule implementing changes to the Privacy Rule required by the Genetic Information Nondiscrimination Act (“GINA”).

  OCR also promised to publish guidance on business associate contracts, de-identification, and conducting risk assessments to determine breaches.  The latter proposed guidance — assessing breaches — suggests that OCR retained a controversial provision of the interim final rule on breach notification: the harm threshold assessment. This threshold allows entities to conduct their own risk assessments on breaches and potentially avoid notifying individuals of breaches. If the breach is considered to have no financial or reputational harm, then entities don’t have to notify patients. Although OCR had previously expressed an intention to combine all HITECH update rules together, including the accounting of disclosures, OCR told us at the meeting that the AOD rule was not included in what was submitted to OMB.

  Accounting for Disclosures will come out separately and is reportedly close to being ready.  Language supporting AOD can be found in the recently released NPRMs for Meaningful Use Stage 2 and Implementation Standards and Certification Criteria, both of which are now out for public comment.  AOD is still expected to cover accounting for access to information related to Treatment, Payment and Operations and require automated accounting.

  Several unofficial commentators have suggested that requirements in those rules are geared toward supporting automated auditing and the ability to produce an audit list, something that was very controversial when the AOD NPRM first came out last year. Stay tuned.
  
  

  Full story

  Comments (1)

• Guest Blog Post: HIPAA Responsibility - Whether You Want It Or Not

  March 27, 2012

  As the author of HealthPort’s HIPAA News and Updates blog, I often receive the opportunity to serve as a guest blogger about HIPAA topics on other healthcare IT sites. 

  Click here to check out my recent guest blog post on EMRandHIPAA.com where I discuss adherence to HIPAA by your business associates and best practices you can put in place to mitigate your risk.

  Full story

  Comments (2)

• (Sort of) Breaking News!

  February 22, 2012

  An official with the HHS Office for Civil Rights (OCR) has been quoted as saying that the long-overdue final versions of both the HIPAA modification and the breach notification rules are “targeted” to be released in March.
   
  In an interview with Healthcare Info Security, Sue McAndrew, OCR’s Deputy Director for health information privacy, said that OCR “is making every effort to publish the final rules on all of the remaining HITECH Act provisions.”
   
  An HHS document known as the “unified agenda” listed both the March date and also a June target date for OCR’s final version of the Accounting of Disclosures rule, which may or may not still contain the controversial proposed rule on access reporting.

  
  

  
  

  Full story

  Comments (1)

• Ensure that HIPAA compliance, privacy and security are maintained at your facility

  February 15, 2012

  With the rise of patients requesting medical records electronically, there are definitely some things that healthcare facilities need to keep in mind to ensure HIPAA compliance and that privacy and security are maintained.  In the recent online issue of Becker’s Hospital Review, I along with colleague Steve Emery share five considerations for hospitals when providing patients with electronic access to their medical records.  Click here to read the article in its entirety and learn what you need to do to maintain compliance. 

  Full story

  Comments (1)

• HIPAA Audits Are Beginning

  January 10, 2012

  In what is sure to be bad news for some covered entities, the government has begun its long-promised on-site audit program. The initial group of 150 contains only covered entities selected for audit. Future audits will also be conducted at the offices of business associates.
   
  The compliance audits will be conducted by KPMG, the consulting firm hired by the Department of Health and Human Services’ Office for Civil Rights (“OCR”). The first 20 providers, comprising eight health plans, two claims clearinghouses, three hospitals, three physician offices, a lab, a dental office, a nursing facility and a pharmacy, will be visited beginning this month, with the next 130 planned for later months this year.
   
  The audit program, mandated in the HITECH Act portion of ARRA, has a stated objective of finding opportunities for improving compliance.  According to OCR, selection of audit candidates is based on these factors, among others:    
         
  ·         Whether the entity is public or private
  ·         Size of the entity (OCR appears to want a cross-section of sizes)
  ·         Affiliation with other healthcare organizations
  ·         Type of entity and relationship to patient care
  ·         Past and present interaction with OCR concerning HIPAA enforcement and breach notification
  ·         Geographic factors
   
  

  A summary of the audit program can be found on OCR’s website under “What’s New.”

  NOTE: If you are a HealthPort customer or partner, please let us know if you've been selected for an audit.

  Full story

  Comments (0)

2. 1
3. 2
4. 3
5. Next page