HIPAA Regulations

HIPAA Privacy Complaints

HIPPA Complaint

HIPAA Journal published an article online this week addressing client HIPAA violation complaints and whether or not health care providers are equipped to properly address these complaints. According to the article, in order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly. Also, patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices.

For more information and to view the full article visit HIPAA Journal’s website here.

For daily HIPPA News visit our HIPAA News sidebar at https://hipaanews.net.

If you would like to receive an email update every time HIPAA news posts a blog, sign up on our website at https://hipaanews.net or follow us on Facebook at https://www.facebook.com/hipaanews.

Ensuring Availability of HIPAA During Natural Disasters

This week Mondaq published an article online regarding the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.

According to the article, OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health care providers that HHS may waive sanctions and penalties against a covered hospital for certain activities (e.g., obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care) during an emergency. However, the waiver is limited to certain hospitals located within an emergency area and for a specific period of time. More importantly, OCR noted in the bulletin that the Privacy Rule still applies to covered entities and their business associates during such emergencies, but the Privacy Rule does allow the disclosure of PHI without the patient’s consent for the patient’s treatment or public health activities. Covered entities may also share PHI with a patient’s family or friends identified by the patient as being involved in their care, but OCR recommends that the covered entities obtain verbal permission or otherwise confirm that the patient does not object to sharing the information with these individuals.

For the full article visit Mondaq’s website here.

For daily HIPPA News visit our HIPAA News sidebar at https://hipaanews.net

If you would like to receive an email update every time HIPAA news posts a blog, sign up on our website at https://hipaanews.net or follow us on Facebook at https://www.facebook.com/hipaanews

$400,000 HIPAA Breach Penalty In Denver, Colorado

MSP Mentor recently posted an article stating a network of public health clinics in the Denver, Colorado have been fined $400,000 for HIPAA data breaches. The breaches occurred through phishing (aka email hacking), gaining electronic health records of over 3,000 patients.

“Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) found that MCPN violated the HIPAA Security Rule by failing to do proper risk assessments or implement adequate cybersecurity measures and procedures.” To view the entire article, visit here.

For daily HIPPA News visit our HIPAA News sidebar at https://hipaanews.net

If you would like to receive an email update every time HIPAA news posts a blog, sign up on our website at https://hipaanews.net 

 

 

American Health Information Management Association (AHIMA) Reviews Patient Data Access

According to Patient Engagement HIT, American Health Information Management Association (AHIMA) recently posted data guiding patients through the appropriate process of obtaining their medical records from their providers and navigating through HIPPA privacy regulations.

“Per HIPAA, patients may ask to view and obtain a copy of their health records, receive records in paper or electronic copies, and have records sent to another entity for treatment, billing, or operations purposes, explained Mary Butler, the author of the slideshow and associate editor of the Journal of AHIMA.

Patients can request medical record access at their practice’s health information management (HIM) department. They should come prepared with their photo ID and will be asked to sign a waiver verifying their identity.”

Check out the full article here: http://patientengagementhit.com/news/ahima-reviews-the-basics-of-hipaa-compliant-patient-data-access 

For daily HIPPA news please visit our HIPAA News sidebar.

 

 

HIPAA’s New Rules for 2013 – Are You Impacted?

Good write-up by Varonis discussing the finalized regulatory rules for HIPAA:

What has changed

With the finalized rules (which by the way run over 500 pages) not only do business associates come under HIPAA, but a new class of consultants and subcontractors who perform workon behalf of the business associates also have HIPAA obligations.

In effect, the final rules say that any company that has access to e-PHI is treated just like a hospital or HMO. By the way, HIPAA/HITECH’s Breach Notification Rule, which originally required health companies and their business associates to report e-PHI disclosures, is now extended to medical data subcontractors as well.

The ultimate intent is to close off any holes in security and enforcement when the business associates themselves outsource data processing to others.

Read entire article: http://blog.varonis.com/hipaas-new-rules-reach-far-beyond-healthcare-providers-are-you-impacted/

After 2.5 years, HHS finally finalizes modifications to HIPAA rules

Excellent and detailed write-up of the new HIPAA rules that take effect on September 23, 2013:

On January 17, 2013, the U.S. Department of Health and Human Services (“HHS”) issued the highly anticipated omnibus final rule (the “Final Rule”) to modify the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Following the enactment of HITECH, HHS issued interim final rules to implement the breach notification requirements and certain of the enforcement provisions of HITECH (collectively, the “Interim Rules”), and in July of 2010 HHS issued a proposed rule to implement modifications to the privacy and security provisions of HIPAA. Since that time, Covered Entities and their Business Associates and subcontractors have been awaiting the Final Rule to confirm the extent to which these modifications, which are aimed primarily at strengthening the privacy and security protections for protected health information (“PHI”) and tightening the HIPAA enforcement provisions, will impact their operations, contractual relationships and potential exposure for HIPAA liability.

Read all the gory details here: http://www.lexology.com/library/detail.aspx?g=40defc09-2337-435e-be56-2bef662a67e7

10 Affordable Health Care Act changes to be aware of for 2013

2013 HIPAA ChecklistWith 2013 right around the corner, you should be aware of the following 10 items for your checklist to make sure you’re ready for the Affordable Health Care Act.

Effective in 2013:

The following list itemizes the changes that generally will become effective in 2013.  The effective date depends upon a number of factors, including whether the health plan is grandfathered, the first day of the plan year, and the number of employees.

  • Women’s Preventive Health Care Mandates               
    Applicable To: Non-grandfathered plans only
    Effective:        Plan years beginning on or after August 1, 2012 (January 1, 2013 for calendar year plan years)
    Details:           Plans are required to provide in-network coverage with no cost sharing for preventive care such as coverage for contraceptives, contraceptive counseling, breastfeeding support, supplies and counseling, and screening for domestic violence.
  • Reduction in the Maximum Employee Contributions to a Health Flexible Spending Accounts
    Applicable To: Only health flexible spending accounts (generally offered under a cafeteria plan)
    Effective:        January 1, 2013 for calendar year plan years
    Details:           The maximum amount that an employee can contribute to a health flexible spending account on a pre-tax basis cannot exceed $2,500 per taxable year.  While the reduced limit is effective January 1, 2013 (or the first day of the plan year beginning after January 1, 2013 for plans with fiscal years), employers have until December 31, 2014, to adopt amendments to reflect this reduced limit.
  • Annual Benefit Limits
    Applicable To: Health plans other than health flexible spending accounts, health reimbursement accounts, and medical savings accounts
    Effective:        Generally only for the 2013 plan year (see below for changes in 2014)
    Details:           The annual limit on the dollar value of essential health benefits cannot be less than $2 million.
  • Reporting the Cost of Group Health Insurance Coverage on Forms W-2
    Applicable To: Employers that issued at least 250 Forms W-2 for 2012 (transition relief applies to exclude employers that issued fewer than 250 Forms W-2 for 2012, and certain types of plans)
    Effective:        For the 2012 W-2s to be issued by January 31, 2013
    Details:           The Forms W-2 issued by employers in early 2013 must report the value of any health coverage provided to each employee in 2012, regardless of who pays the premium for that coverage.  Employers should take steps to ensure that payroll departments or payroll providers are prepared for the new reporting requirement.
  • Summary of Benefits and Coverage and Notices of Material Modification
    Effective:          For open enrollment periods beginning on or after September 23, 2012 and for plan years beginning after that date
    Details:             Employer health plans must provide a Summary of Benefits and Coverage (SBC) to all plan participants, as well as to all employees who are eligible to participate.  If the employer makes a mid-year change in the plan provisions that would change the terms of the SBC, the plan also must provide a Notice of Material Modifications at least 60 days before the change takes effect.
  • Additional Medicare Tax Withholding
    Effective:          January 1, 2013
    Details:             An employer is required to withhold an additional 0.9% Medicare tax on an employee’s compensation in excess of $200,000.  The additional tax does not have an employer matching requirement.
  • Notice of Exchange Availability
    Applicable To: Employers subject to the Fair Labor Standards Act
    Effective:        Required by March 1, 2013
    Details:           Employers must provide a notice to employees concerning the availability of health coverage through the state-wide exchanges.  The notices will explain some of the benefits and consequences to employees if they choose to purchase a qualified health plan through the state exchange instead of electing coverage under an employer-sponsored health plan.  Employers are still waiting for additional guidance regarding these requirements, and some are predicting that this requirement may be postponed.
  • Taxation of the Retiree Drug Subsidy
    Effective:          January 1, 2013
    Details:             Employers who were providing retirees with prescription drug coverage that was generous enough to qualify for a federal tax subsidy will no longer be allowed to deduct all of those expenses.
  • Patient-Centered Outcomes Research Comparative Effectiveness Fee
    Applicable To: Plan sponsors maintaining a self-insured plan (insurers will pay this for fully-insured plans)
    Effective:        First payment is due by July 31, 2013
    Details:           Plan sponsors must begin to pay a fee (the “PCORI Fee”) to the Internal Revenue Service per average covered life ($1 for the first year, $2 for the second year, and increased as permitted in future years) per plan using Form 720.  These fees will be used to fund the new nonprofit corporation, the Patient-Centered Outcomes Research Institute, to support clinical effective ness research.  Some rules permit the limited aggregation of  plans.
  • Certification of Compliance to Health and Human Services (HHS)
    Effective:          By December 31, 2013
    Details:             Group health plans must file a certification statement with HHS certifying that their data and information systems for the plan are in compliance with the HIPAA standards and operating rules for health plan eligibility, electronic funds transfer, health claim status, health care payments, and remittance advice transactions.

 

Read more here, including 2014 preparedness items:
http://www.jdsupra.com/legalnews/2013-and-2014-under-the-affordable-care-00701/

Maryland’s Cignet Health Hit with $4.3 Million Fine for HIPAA Violations

The Obama administration has promised to be tougher when it comes to enforcing HIPAA laws. This week a Maryland health service company gained the dubious honor of being the first company or entity to be assessed a Department of Health and Human Services CMP – Civil Money Penalty. And with that penalty assessed at $4.3 million, obviously this should be a sign to all connected with HIPAA transactions that yes, this administration does mean business.

Cignet Health failed to honor the access to medical records requests of 41 of their patients between September 2008 and October of 2009. The company’s failure to cooperate with the subsequent investigation by HHS OCR (Office of Civil Rights) officials earned them another $3 million in fines at the end of the day. According to the official press release about the matter it was the HHS’s position that Cignet had displayed a willful neglect to the basic privacy rules laid down by HIPAA.

“Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this administration,” Health and Human Services Secretary Kathleen Sebelius said in a statement.

Common Misconceptions About HIPAA Heard at Smaller Medical Faculties

If you are a fully trained HIPAA professional whose day to day existence revolves around maintaining compliance this post is not for you. If on the other hand you are a busy member of staff at a doctors office or other smaller medical facility it probably is, since even after all these years there is still a huge amount of confusion about what does and does not constitute a HIPAA violation. Here are some of the most common myths about HIPAA compliance that are heard in medical facilities across the country over and over again:

HIPAA only regulates electronically transmitted data – Oh if only it were so, the life of a HIPPA compliance officer (and anyone else in the medical field) would be so much easier. But no, HIPAA applies to all forms of communication: written, verbal and any form of electronic transmission, including personal e mail notes and social networking posts.

If improperly released information is not exploited, there is no violation of the law – In many of the cases of improperly released PI that have hit the headlines over the last several years no one had any way of telling how and if patient data had been been exploited after the release of information but they still got hit with the big fines and penalties. It is the act of improperly releasing the information that is the violation.

Dentists, optometrists, nurses, and pharmacists are exempted from HIPAA regulations – We actually heard this one – from an individual employed in one of the aforementioned professions -and were flabbergasted. HIPAA governs anyone and everyone who creates or handles patient records – right down to the high school kid who works part time filing charts. Hopefully the professional who was under this misguided impression has now taken a serious crash course in HIPAA compliance.

Little HIPAA violations don’t matter, no one will ever find out – This is unfortunately the mentality of many employees in smaller medical offices. In fact though all it takes is one patient complaint and the whole office will be under serious scrutiny. And just as a reminder, the maximum fines and penalties for failure to comply with the HIPAA laws are $250,000 and 10 years imprisonment. Not to mention the damage the resultant inevitable bad publicity will have on any practice in both the short and the long term.