American Medical Association's HIPAA Privacy and Security Rules Overview

The American Medical Association has created a resource for physicians to understand the HIPAA Privacy and Security Rules and their changes as a result of the 2009 economic stimulus package. 

This resource outlines new requirements:

  1. Protection of patient information;
  2. How to comply with patients' requests to access their information; and
  3. Administrative protections physicians must have in place.

It also provides the compliance schedule and all relevant compliance deadlines.

The web address is as follows: www.ama-assn.org/ama1/pub/upload/mm/368/hipaa-guidance.pdf.


Posted by Michael Cassidy in HIPAA and HIT

HIPAA Security Rules

Contributed by Lee Kim, Esquire

lkim@tuckerlaw.com or 412.594.3915

The mention of the HIPAA security rules often provokes an irrational fear in people who are not so technically inclined, but there is a difference between knowing the legal compliance requirements and being an information technology specialist. Here is a simple summary of your security obligations and otherwise recommended practices under the HIPAA security rule. Please note: the HIPAA security rules apply to both covered entities and business associates. Covered entities are obligated to follow the HIPAA security rules and business associates will be obligated to follow them as of February 17, 2010. 

In order to have an effective HIPAA security compliance program, the following technical safeguards must be implemented under the current HIPAA Security Rules by both covered entities and business associates:

1) Audits on access to electronic protected health information ("ePHI") under 45 C.F.R. §312(b).

   a. The audits may be manual or automated. Their purpose is to ensure that the individuals or entities accessing the ePHI are authorized to do so.

2) Person/entity authentication under 45 C.F.R. §312(d).

   a. Procedures must be implemented to ensure that the individual or entity accessing the ePHI is authorized to do so (e.g., passwords, swipe cards, etc.).

3) Integrity of ePHI under 45 C.F.R. §312(c)(1).*

   a. Electronic mechanisms should be implemented to ensure that ePHI has not been altered or destroyed in an unauthorized manner.

      i. Regardless of whether the ePHI is being retrieved, transmitted, or stored, technical safeguards must be in place to ensure that there is no alteration or destruction of the data (e.g., digitally signed ePHI, checksums or other error-correction technology to ensure that ePHI is stored properly, etc.).

4) Secure transmission of ePHI under 45 C.F.R. §312(e)(1).*

   a. A technical security measure must be implemented to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network (e.g., VPN, SSL, encryption, etc.).

5) Encryption of ePHI under 45 C.F.R. §312(e)(2)(ii).*

* The entity should assess whether the technical safeguard is reasonable and appropriate in the operating environment and whether it is likely to contribute to protecting the entity’s ePHI. If the safeguard is reasonable and appropriate, then it should be implemented. If not, the entity should document why it would not be reasonable and appropriate and implement an equivalent alternative measure, if deemed to be reasonable and appropriate.
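As an added illustration of the integrity safeguard in item 3 and the access audit in item 1 (example code written for this page, not part of the original post), the snippet below attaches a keyed checksum (HMAC-SHA256) to a stored ePHI record and shows that an unauthorized edit is detected on retrieval, recording the outcome in an audit entry. The key, record fields and user name are constructed assumptions.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical integrity key. In practice it comes from a key store or HSM,
# is never hard-coded, and is kept separate from any encryption key.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"

def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach a keyed checksum (HMAC-SHA256) to an ePHI record before it is stored."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(stored: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag on retrieval; False means the stored record no longer
    matches what was sealed (altered content, swapped tag, or wrong key)."""
    expected = hmac.new(key, canonical(stored["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])

def audit_entry(user: str, record_id: str, integrity_ok: bool) -> dict:
    """Audit record for the access (item 1): who, which record, when, and
    whether the integrity check passed, so failures can be reviewed."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
            "record": record_id, "integrity_ok": integrity_ok}

# Constructed sample ePHI record for a fictional patient.
SAMPLE = {"patient_id": "P-0001", "dob": "1970-01-01", "dx": "J45.909"}

def demo() -> tuple:
    """Seal a record, then show that an unauthorized edit is detected on retrieval."""
    stored = seal(SAMPLE)
    intact = verify(stored)
    # Simulate an unauthorized change to the diagnosis code after storage.
    tampered = {"record": dict(stored["record"], dx="E11.9"), "tag": stored["tag"]}
    altered = verify(tampered)
    return intact, altered

if __name__ == "__main__":
    ok, bad = demo()
    print(audit_entry("dr.smith", SAMPLE["patient_id"], ok))
    print("tampered copy passes integrity check:", bad)
```

A tag that fails to verify should be treated as a potential integrity incident and surfaced through the audit log rather than silently re-sealed.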


Please feel free to contact me if you would like assistance in applying the HIPAA security rules to your current situation as a covered entity or a business associate. I may be reached at <lkim@tuckerlaw.com> or by calling 412-594-3915.

Posted by Michael Cassidy in HIPAA and HIT

Federal Judge Sentences Physician And Other Employees For HIPAA Violations

Contributed by Paul Welk, Esq.

pwelk@tuckerlaw.com, 412.594.5536

A federal judge in Arkansas sentenced a physician to one year of probation, a $5,000 fine and 50 hours of community service educating professionals on HIPAA; an account representative to one year of probation and a $2,500 fine; and an emergency unit coordinator to one year of probation and a $1,500 fine, all in connection with HIPAA violations related to viewing electronic medical records of a high profile patient at St. Vincent Infirmary Medical Center without a legitimate reason. Additionally, the physician was suspended for two weeks and ordered to complete additional HIPAA training while both the account representative and emergency unit coordinator were terminated from employment. The case was investigated by the Little Rock, Arkansas Division of the FBI and prosecuted by the US Attorney's Office. 

Posted by Michael Cassidy in HIPAA and HIT

Recovery Act and Health Information Technology Now Available on the CMS Website!

A new website is now available from the Centers for Medicare & Medicaid Services (CMS) concerning Health Information Technology as provided for in the American Recovery and Reinvestment Act of 2009.  On this website, you can find information pertaining to the Medicare and Medicaid incentives for electronic health records adoption and important links to related websites at the Department of Health and Human Services.

Posted now are:

  - A CMS fact sheet and questions/answers pertaining to the incentive programs
  - A link to the press release pertaining to the process of defining meaningful use (comments are due June 26, 2009)
  - Resources on Health IT and privacy & security (HIPAA)

Posted by Michael Cassidy in HIPAA and HIT, Long Term Care

HIPAA: HHS ISSUES GUIDANCE FOR HEALTH INFORMATION ORGANIZATIONS (HIOs)

HIOs and Regional Health Information Networks (RHINs) are being created to facilitate the exchange of information among providers. HIOs and RHINs are typically not statutorily governed by HIPAA, other than perhaps as Business Associates. The HHS guidance, issued in conjunction with The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, covers HIPAA issues in the following six areas:

  1. Data correction
  2. Openness and transparency
  3. Individual choice
  4. Collection, use and disclosure
  5. Data safeguards
  6. Accountability


Link: http://www.hhs.gov/ocr/hipaa/hit/.

Posted by Michael Cassidy in HIPAA and HIT

HHS and Covered Entity Agree to HIPAA Corrective Action Plan; $100,000 Penalty

The U.S. Department of Health and Human Services ("HHS") recently entered into a Resolution Agreement with Providence Health & Services ("Providence") of Seattle to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy and Security Rules. Under the Resolution Agreement, Providence agrees to pay $100,000 and implement a corrective action plan to ensure that identifiable electronic patient information is appropriately safeguarded. Additionally, Providence has agreed to revise its policies and procedures regarding physical and technical safeguards governing the offsite transport and storage of electronic media containing patient information; train its workforce members on such safeguards; conduct audits and site visits of its facilities; and submit compliance reports to HHS for a period of three years. The Resolution Agreement relates to the loss of electronic backup media and laptop computers in 2005 and 2006.

For additional information, please see the HHS Press Release and the full text of the Resolution Agreement.

Paul Welk
412-594-5536
pwelk@tuckerlaw.com

Posted by Michael Cassidy in HIPAA and HIT

HHS Office for Civil Rights Issues Guidance on Communicating with A Patient's Family, Friends, and Others Involved in the Patient's Care


The U.S. Department of Health and Human Services Office for Civil Rights recently issued helpful guidance for health care providers on communicating with a patient's family, friends or others involved in the patient's care. The guidance contains a number of commonly asked HIPAA questions as well as a helpful chart on permitted disclosures. This guidance, along with a well-drafted HIPAA Compliance Plan, can assist health care providers in complying with the requirements of the HIPAA Privacy Rule.

Paul Welk
412-594-5536
pwelk@tuckerlaw.com

Posted by Michael Cassidy in HIPAA and HIT