HIPAA News & Updates 


As the leading provider of release of information services, HealthPort is committed to remaining proactive when implementing HIPAA standards in all products that we offer. Jan McDavid, HealthPort's compliance officer and general counsel, is an expert on HIPAA compliance and takes a hands-on approach to ensure that we remain on the cutting edge of security rules and regulations.

With posts to the HIPAA blog, Jan is committed to providing an informational resource to the healthcare community that includes news, tips and updates on HIPAA-related information.

  • HIPAA Audits Are Beginning

    In what is sure to be bad news for some covered entities, the government has begun its long-promised on-site audit program. The initial group of 150 contains only covered entities selected for audit. Future audits will also be conducted at the offices of business associates.
     
    The compliance audits will be conducted by KPMG, the consulting firm hired by the Department of Health and Human Services’ Office for Civil Rights (“OCR”). The first 20 providers, comprising eight health plans, two claims clearinghouses, three hospitals, three physician offices, a lab, a dental office, a nursing facility and a pharmacy, will be visited beginning this month, with the next 130 planned for later months this year.
     
    The audit program, mandated in the HITECH Act portion of ARRA, has a stated objective of finding opportunities for improving compliance.  According to OCR, selection of audit candidates is based on these factors, among others:    
           
    • Whether the entity is public or private
    • Size of the entity (OCR appears to want a cross-section of sizes)
    • Affiliation with other healthcare organizations
    • Type of entity and relationship to patient care
    • Past and present interaction with OCR concerning HIPAA enforcement and breach notification
    • Geographic factors
     

    A summary of the audit program can be found on OCR’s website under “What’s New.”

    NOTE: If you are a HealthPort customer or partner, please let us know if you've been selected for an audit.


  • Jan McDavid Talks HIPAA Breach Notification Rules

    Over the past month, I’ve served as a guest blogger on emrandhippa.com, an Open Forum for EMR, EHR, HIT and HIPAA Related Information, where I’ve authored a 4-part series of blog posts on the HIPAA Breach Notification Rules.

    Click here to read all of the HIPAA Breach Notification Rules guest posts and feel free to add a comment or two!


  • Breaking News – The (newest) Auditors Are Coming!

    This month, the HHS Office for Civil Rights begins HIPAA audits to assess covered entities' compliance with the privacy, security and breach notification rules. KPMG, the consultancy firm which is the contractor for these audits, has developed audit protocols and will conduct up to 150 audits within roughly the next year.

    The audits will start with 20 "initial" audits to test the protocols. "The results of the initial audits will inform how the rest of the audits will be conducted," according to a new OCR Web page with information on the program. OCR will focus on auditing covered entities of various sizes and functions initially, with business associates being included in future audits. "We expect covered entities to provide the auditors their full cooperation and support, and remind them of their cooperation obligations under the HIPAA Enforcement Rule."

    OCR will notify in writing those covered entities selected for audit (OCR does not explain how entities will be selected). The notification will explain the program and describe initial document and information requests, which should be provided within 10 business days. Selected covered entities can expect a site visit between 30 and 90 days after notification.

    OCR will use KPMG’s audit reports to determine the types of technical assistance that should be developed and what types of corrective actions are most effective. "Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem," according to the office. "OCR will not post any listing of audited entities or the findings of an individual audit which clearly identifies the audited entity."

    Click here to learn more.


  • HIPAA/HITECH Final Rule Likely In 2012

    The release of final rules on HIPAA and HITECH, promised to be published by HHS’s Office for Civil Rights (OCR) in 2011, now looks to be further away than we thought.
     
    On October 25, OCR’s Deputy Director for Health Information Privacy, Susan McAndrew, told the audience at the Workgroup for Electronic Data Interchange conference that, “We are wrapping up on the omnibus final rule and I am hoping to have it sometime soon.”
     

    The new rule, which will finalize many changes to HIPAA, was widely expected to be released sooner. The proposed rule was released in July 2010 and, a few months later, OCR said it would be finalized in the Spring of 2011. After missing that deadline, OCR said that the date had been pushed to the end of 2011. Now, McAndrew says it could be extended again, to early 2012. (Readers may recall, however, that the Final Rule released in 2000 was released on December 28 of that year, so don’t rule out a last-minute 2011 release.)

    The omnibus rule should finalize four previous proposed and interim final rules, covering:

    • breach notification
    • HIPAA enforcement
    • HIPAA Privacy Rule and Security Rule changes mandated by the HITECH Act
    • HIPAA changes required by the Genetic Information Nondiscrimination Act (GINA)

    Typically, covered entities have 180 days from a rule's effective date to comply.

    OCR also reported receiving 435 public comments about its proposed rule for accounting of disclosures of PHI, which allows patients to request information about who has accessed their personal health information in electronic form, in addition to requesting a full accounting of disclosures. McAndrew said that comments on the proposed rule indicate that the health care industry “has not embraced the access report provision.”


  • Keeping Compliant: Managing Rising Risk in Physician Practices

    My colleagues and fellow HealthPort experts, Lori Brocato, Audit Product Manager, and Steve Emery, Director of Product Management, and I served as co-authors of the article, “Keeping Compliant: Managing Rising Risk in Physician Practices” which appears in the November issue of the Journal of AHIMA.  In the article, Lori, Steve and I discuss the unique compliance challenges physician practices and clinics face including workflow changes, staffing resources and technology.  Click here to read the article in its entirety.


  • OCR Releases Notice of Proposed Rulemaking Announcing Expansion of the Accounting of Disclosures Rule

    In May, just before Memorial Day weekend, OCR released a Notice of Proposed Rulemaking (NPRM), or preliminary rule, expanding the Accounting of Disclosures (AOD) rule. This preliminary rule, originally due out in 2010, adds a new “Access Report” to the existing AOD requirement (of presenting patients, upon request, with a list of those who have requested the patient’s medical records for the last seven years).

    The Access Report, if finalized, will require a covered entity to provide the patient, upon request, with a list of every individual, including workforce members and those outside the covered entity, who has accessed the patient’s electronic PHI from a designated record set for the past three years. Comments about the rule were accepted until August 1.

    In the worst case, the Access Report would list hundreds of people who could have access to the records. With an in-patient stay, depending on the controls each covered entity uses within the facility, this could mean everyone from the admissions office to every department in the facility - names of nurses, doctors, respiratory therapists, physical therapists, records clerks, employees within the business office, legal department, risk management department, and all others with access for the previous three years would have to be provided in that scenario if the patient requests an Access Report. 

    OCR states that the Access Report is intended to “provide individuals with information about disclosures through an EHR for treatment, payment and health care operations”¹ which previously were exempted from the AOD. In addition, patients would be informed of the opportunity to obtain an Access Report through a revised Notice of Privacy Practices from each healthcare provider.

    The American Health Information Management Association (AHIMA), among other trade associations, submitted comments expressing their displeasure with the preliminary rule as written.  They generally disagreed with the NPRM’s supposition that, “these changes to the accounting requirements will provide information of value to individuals while placing a reasonable burden on covered entities and business associates.”  

    After a comment review period, OCR will issue its responses to comments in the Commentary to the final rule, and will publish an effective date. You can expect to have the final rule effective sometime in the spring of 2012, so stay tuned.

    You may access the NPRM by clicking here. 

    ¹ Notice of Proposed Rulemaking, RIN 0991-AB62, Section III, published May 27, 2011.


  • What's the relationship between HIPAA/HITECH and Meaningful Use?

    Are they parent/child? Are they neighbors? Actually, they’re more like siblings. Each of them was born to the parent known as the “American Recovery and Reinvestment Act” (“ARRA”) which the President signed in 2009.

    ARRA had two major provisions - one was the HITECH Act, which amended HIPAA (the usual subject of this blog!).

    The other was Meaningful Use, sometimes called the Stimulus Bill, which exists in parallel with HITECH. Although there is some relationship between them, each part of ARRA leads its own life.

    While HITECH concerns itself with the rules surrounding electronic records and their various delivery mechanisms, Meaningful Use is set up to establish milestones that providers must meet in order to qualify for stimulus money. 

    After putting a certified electronic health record (EHR) system in place, each eligible provider or hospital can file for money, beginning in 2011, once they can prove the “meaningful use” of their new technology. There are significant hurdles that each such provider must overcome in order to qualify for these Meaningful Use funds, including a minimum of 15 required objectives (14 for hospitals) plus five optional ones. One of the required objectives has a dotted line to HITECH: medical records that a patient requests be delivered electronically from an EHR must be so delivered within three business days of receipt of the request. It falls upon HIM departments – or their ROI providers – to ensure this 3-business-day turnaround. HealthPort can work with you to help meet this requirement.


  • Breaking News – HIPAA/HITECH Act Accounting for Disclosures Notice of Proposed Rule Making Released

    The Department of Health and Human Services just announced that the HIPAA/HITECH Act Accounting of Disclosures Notice of Proposed Rule Making is now on display at the Federal Register, and is scheduled for publication in the Federal Register on May 31, 2011.

    Below is an excerpt from the notice:

    “Pursuant to both the HITECH Act and its more general authority under HIPAA, the Department proposes to expand the accounting provision to provide individuals with the right to receive an access report indicating who has accessed electronic protected health information in a designated record set. Under its more general authority under HIPAA, the Department also proposes changes to the existing accounting requirements to improve their workability and effectiveness.”

    The comment period is open until July 30, 2011. The HealthPort Legal Department will study the proposed rule and send comments if we feel it is necessary, and we encourage you to do the same.


  • Privacy, Please

    Throughout the month of April, HealthPort joins the American Health Information Management Association (AHIMA) for a month-long focus on Health Information Privacy and Security. As a result of the current electronic and regulatory environment, healthcare facilities across the country are working towards optimal privacy and security by assessing the compliance of their processes, in an effort to reduce opportunities for breaches of protected health information and avoid the costs associated with them.

    The release of information process, in particular, should be an area of focus as organizations seek to minimize risk and maintain efficiency and compliance at the same time. Understanding the many steps involved will ensure that none are missed and that protected health information isn’t compromised. Adopted from the Association of Health Information Outsourcing Services, click here to access the 32 steps involved in the release of information process and feel free to leave a comment about how a solid release of information process can aid in maintaining the privacy and security of health information.


  • Government Imposes HIPAA Fines* - $4.3 Million and $1 Million Fines Get Attention

    Two weeks ago, the feds got serious about HIPAA enforcement, fining a two-location clinic $4.3 million, and a hospital $1 million, for privacy breaches.

    In the first instance, the clinic failed to provide copies of medical records to 41 patients who requested them and, although the patients complained to HHS, according to the report, the clinic failed to cooperate with the investigation, and continued to refuse to provide the records. The penalty was increased for each day the clinic did not cooperate.

    The second instance was the accidental loss of unencrypted mobile media containing 192 medical records by a hospital employee.

    Taken together, these fines represent $22,746 per patient record breached, in addition to the costs of increased reporting to HHS, increased scrutiny by HHS, measures to protect patients from identity theft, and hits to the reputation of each facility. Costs will end up being repaid by – who else? – patients.

    Lesson learned? The government has gotten serious about HIPAA and its HITECH amendments. If there is any area of either law in which you or your business associate is not 100% compliant, you’d better find a way – quickly – to get there.

    *Most previous infractions resulted in settlements, some of which included fines, with cooperative healthcare providers and insurers.
