To my readers, colleagues and friends,
Many thanks for your support over these last few years. It has been my pleasure to work with you to create step-by-step compliance programs, and to help untangle some of the regulatory noise around HIPAA/HITECH and state law. I hope that this blog and SMK Consulting Services have helped lend some clarity and little humor to the process.
SMK Consulting Services will be taking an indefinite hiatus, as I have accepted a new position as Director of Healthcare Privacy and Special Projects for Maine's Department of Health and Human Services. I am looking forward to serving as a resource and growing in this challenging new role.
With my best wishes for continued success, happiness and patience with the ever-changing face of health care and compliance,
Stacey
Saturday, May 11, 2013
Thursday, March 28, 2013
A Little is Not Enough
The final HITECH rule became effective yesterday. Many people in the healthcare industry are scrambling to get into compliance.
Yet, recently, I had a conversation with a small practice manager who wanted to execute a business associate agreement with a consultant. While I commended him for getting that item into place, I asked about the practice's overall HIPAA/HITECH and state law compliance in general. Needless to say, there was no privacy officer, a few (old) policies, an outdated Notice of Privacy, no training and no system of reviewing or auditing access to their newly installed electronic record system. There was absolutely no knowledge of the breach notification mandates. The manager nevertheless seemed satisfied with his efforts in this area.
I often find that, in the midst of all the regulatory noise, there still remains a real lack of awareness of many basic requirements of HIPAA under the new HITECH updates, and of privacy and security compliance in general. Whether the lack of knowledge comes from sheer overwhelm or denial, it is hard to say.
But doing nothing will get you into far greater trouble than taking step-by-step action. The Office of Civil Rights will now be acting both on complaints and on audit findings. Failure to be in compliance could cost a practice a 6-7 figure civil monetary penalty. This is nothing to ignore.
Doing just a little is not enough. Both a culture and a system of compliance are required.
So, contact a knowledgeable expert, bring in a compliance educator, learn your requirements and put them into place. Your practice, regardless of size, needs someone dedicated to ensuring and enforcing these protections and safeguards, with internal sanctions for violations of your policy standards.
Just as you focus on healthcare treatment and services, you also must care for and secure your patient’s, client’s or resident’s protected health information and be prepared to honor your patient’s information privacy rights. Go on, get to it!
Monday, March 4, 2013
Honoring Requests for Restrictions - An Overview
Since the early days of HIPAA, covered entities have been required to alert patients to their right to request restrictions on the use or disclosure of their protected health information (PHI) in their Notice of Privacy Practices, yet covered entities have not been required to honor the request. Now, under the HITECH Omnibus Final Rule, a covered entity must agree to an individual's request to restrict disclosures of PHI to a health plan if:
- (1) the disclosure is for purposes of payment or healthcare operations and is not otherwise required by law; and
- (2) the PHI pertains solely to healthcare items or services for which the individual, or another person on behalf of the individual, has paid in full.
Certain providers, and certain states, already have been accommodating patient requests to withhold sensitive information from health plans, either by law or custom, permitting the patient to pay out of pocket for treatment or services.
There is a fair amount of patient education inherent in this new right. Under HITECH, providers are encouraged to engage in a dialogue with patients to ensure they understand that previously restricted PHI may still be disclosed to the health plan in follow-up care unless the patient makes another formal request and pays out of pocket in full (assuming the disclosure is not required by law). A patient will need to be made aware that s/he will need to make that same request, and pay in full, with other providers as well.
The HITECH guidance discusses that where a provider is able to "unbundle" a group of items of service to honor the request for restriction, it should do so. However, if the provider is unable to unbundle a group of items or services, the provider must inform the patient, and allow the patient to restrict and pay out of pocket for the entire "bundle."
The HITECH guidance also informs us that where the patient is covered by a government payor like Medicaid, and both a) the submission of a claim is required and b) there is no exception or procedure that allows the patient to pay for the service, then the submission of the claim is considered "required by law" and the restriction does not apply. The guidance suggests that under Medicare, the patient/beneficiary is permitted to pay out of pocket, subject to the Medicare limitations noted in Section 40 of the Medicare Benefit Policy (Internet) Manual.
Finally, for now, the HITECH Final Rule eliminates a covered entity’s ability to terminate its agreement to this type of required restriction.
Just one item on your HITECH to-do list, but one that you can certainly accomplish. Don't forget to put this updated patient right into your Notice of Privacy Practices (another HITECH mandate)!
Monday, February 4, 2013
Everything Old is New Again
Providing the individual with a Notice of Privacy Practices (NPP) has been mandated since the effective date of the original HIPAA Privacy Rule. A foundational element in the healthcare privacy world, the NPP is intended to provide information about how the covered entity (including the provider or health plan) uses and discloses the patient’s protected health information (PHI), and the various rights of the individual regarding that PHI, including the right to access, copy, add an amendment, receive communications at a confidential or alternate location, and to request a restriction. This is nothing new.
The HITECH Omnibus Final Rule, some 10 years later, is mandating additional items to be included in the NPP. You must make these changes by September 23, 2013. The provisions include:
- A description of uses and disclosures that require authorization, a statement that any use or disclosure of PHI other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and the right of the individual to revoke that authorization (so long as the covered entity has not already acted on it);
- Where applicable, that the covered entity intends to contact an individual for fundraising purposes, and that the individual has the right to opt out of receiving such communications;
- If the covered entity is a health plan, then its NPP must state that the covered entity is prohibited from using or disclosing genetic information for underwriting purposes;
- A statement that the covered entity is required by law to maintain the privacy of PHI, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;
- That an individual has the right to restrict disclosure of PHI to a health plan where the individual or personal representative pays out of pocket in full for the health care item or service, so long as the restriction is for payment or business operations, and not required by law (as may be the case with certain government payers). Note that many states require, and many providers have already created, a mechanism for patients who seek to keep sensitive information confidential through out-of-pocket payments.
- And while this is not HITECH mandated, I like to add that where a provider is disclosing PHI to a regional or statewide health information network, this material disclosure of PHI should be included in the NPP as well (although this notice does not substitute for the required, separate information and opt-out form that may apply, as it does in Maine).
Please, please, please, POST your NPP. Even though you do NOT have to print and give the new NPP to everyone who seeks treatment, the HITECH preamble specifically reaffirms the old requirement that you post the NPP in a prominent location. I cannot tell you how often I find a compliance failure with this very basic (10-year-old) requirement. The failure to post your NPP is a ridiculously easy “gotcha” for the auditors. Don’t give it to them. Find some wall space, put up the NPP, and don’t forget to consider whether the individual in the wheelchair can read the content on that wall.
The HITECH Omnibus Rule does allow you to post an abbreviated NPP, so long as there are copies of the full NPP immediately near or below it (such as on a table), and the individual does not have to affirmatively ask the receptionist for a copy. Post the new notice to your website, if you have one (this is mandated for health plans). Physically provide the updated notice to your new patients, and make your good faith effort to obtain the patient's or personal representative’s signature for receipt. The recipient does not have to sign, but you need to document your attempt either way.
And finally, for the moment, remember: not only does the HIPAA Privacy Rule require that the NPP be written in plain language, but now HITECH reaffirms HIPAA’s commitment to equal access and understanding of the information in the NPP. Make sure your NPP complies with the laws on accommodating those with disabilities, mandated by Section 504 of the Rehabilitation Act of 1973, the Americans with Disabilities Act of 1990, and Title VI of the Civil Rights Act. How will you communicate the information in the NPP to those with limited English proficiency, or to those who are visually impaired? Some providers create their NPP in braille, large print, audio and a variety of languages, as the community requires. Consider what your practice or organization needs.
We are simply shining up the old rule, which should provide some relief to those feeling a bit overwhelmed by the new requirements and changes.
Unlike 10 years ago, however, when there was no HIPAA audit team on the ground checking up on you, now there is. That is an extra reason for you to get your NPP, and other HIPAA/HITECH documents, in order.
Friday, January 25, 2013
One HITECH Highlight
Like many people in my area of healthcare law and compliance, I am up to my ears in the 563-page HITECH Final Omnibus Rule, parsing and analyzing. I will be writing a number of pieces on this hefty bit of your-tax-dollars-at-work, but let me start with this one point: A Patient's Right to Transmission of the EHR. As you probably know, patients have the absolute right to an electronic copy of their electronic record, and there is much discussion about what that looks like, what media to use (the regulators won't tell you) and how to get paid for honoring that request. (And, if your practice is in a hybrid state, the patient's request for the record requires a more extensive response, as you ensure that you have produced the appropriate paper and electronic records in their respective formats.)
For practices and healthcare organizations alike, this small section of the large rule has enormous operational impact. But here is the part of the rule I like best: the federal regulators actually agreed with me on something.
Last year, at the HIPAA Summit in Washington, D.C., and the year before that, at the NIST/OCR conference, also in Washington, D.C., I asked Susan McAndrew, OCR's Deputy Director for Health Information Privacy, essentially the same question: I inquired about how small practices, without secure email capability, were going to comply with the Interim Final Rule's mandate that they transmit an EHR electronically to a specific recipient, and at the same time, avoid a compliance violation and enforcement risk. My feeling was that providers without secure email were caught between a rock and a hard place - at risk for sending unsecure email, at risk for refusing to comply with the patient's right to transmit his/her EHR for fear of regulatory reprisal. The patients should be able to assume the risk inherent in the email transmission, but would the regulators agree to back off of the provider's HIPAA compliance responsibilities?
In essence, the answer is yes. The guidance to the HITECH Omnibus Rule states that if a patient or personal representative requests that a provider transmit his/her electronic record to him/herself or someone else, and the provider is only able to do so through unencrypted email technology, then the provider needs to make sure that the individual understands the risks inherent in the email transmission. If, knowing this risk of sending the record over unsecure email, the individual nonetheless wants the provider to honor the request, then the provider is not subject to enforcement in the event the transmitted ePHI is subsequently compromised. Further, the provider may rely upon the email address the patient/personal representative has provided. The provider should obtain a written email request and waiver/understanding of the discussion of the risks. Again, as long as the email address was typed in correctly based upon the written request, the provider is not subject to enforcement if something goes wrong after hitting "send."
Score one for common sense. Those many providers who refused to use email for fear of enforcement can breathe a little easier now.
Much more to follow.
Thursday, January 10, 2013
Are You Mobile?
The Office of Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the National Learning Consortium, have joined forces to bring you an accessible educational tool around mobile device security. There are brief sources to read and to watch online. I like the common sense approach and the list of suggested mobile device protections. I also find it amusing that there is a waiver at the end of each page (i.e., following these steps does not guarantee that the regulators will find you in compliance). Well, it certainly can't hurt.
This resource is important in light of the January 2, 2013 press release regarding Hospice of North Idaho, or “HONI,” which became nationally known not for its compassionate end-of-life care, but as the first organization to settle a HIPAA Security Rule/HITECH violation regarding a breach impacting fewer than 500 individuals.
HONI reported to DHHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. OCR investigated and discovered that HONI had not conducted a risk analysis to find the gaps in its PHI safeguards, and had failed to have policies or procedures in place to address mobile device protection as required by the HIPAA Security Rule. HONI was hit with a $50,000 penalty and a corrective action plan. The monetary penalty might have been far greater, but HONI got right to work improving its compliance program and processes. That type of immediate action and accountability impresses the OCR, and may lessen the severity of an enforcement penalty.
OCR Director Leon Rodriguez said: “This action [against HONI] sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” He also stated that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable” (which gives the ePHI a “safe harbor” under the breach notification rule; the provider would not need to report the loss or exposure as a breach).
This is only the beginning. Although the OCR claims that only a small percentage of reported breaches are investigated, who wants to be one of the few? Protection of the ePHI on your mobile devices, including laptops, tablets, smartphones and flash drives, is a reasonable place to start.