Monday, April 29, 2013


HIPAA COMPLIANCE – HURLEY CAN HELP!

Two major components of HIPAA compliance for your business include training of your workforce and written HIPAA Policies & Procedures (P&Ps). Hurley has products that are easy to use and can help you succeed with achieving and maintaining these HIPAA compliance requirements for your organization.  All products have been updated to be consistent with the HIPAA Final Rule.

Unlike so many other HIPAA products available on the healthcare market, all of these products are specific for medical transcription services and your workforce.

WORKFORCE TRAINING: The training toolkit products are PowerPoint files with audio clips inserted throughout the presentation. Each training product comes with a toolkit that includes the PowerPoint file, a test on the material presented, the answer key for the test, a certification for proof of training, a PDF file of the PowerPoint slides, instructions for how to use these items, and a folder with Microsoft PowerPoint Viewer software for those who do not have PowerPoint software on their computer.

There are 3 different training toolkit products to consider:

1. HIPAA has Changed - are you Compliant? If you have not provided any HIPAA training for the last several years, this is a product you should consider as it discusses the changes from the “original” HIPAA to the “new” HIPAA that has evolved from the enactment of the HITECH Act and the HIPAA Final Rule.

2. HIPAA on the Job! This training tool is an excellent refresher for your workforce as it offers many of the common situations that occur on the job and applies HIPAA principles for resolution. Some examples of topics discussed include destruction of hard drives with PHI, home office security tips, hidden risks with samples reports, faxing of PHI, and more!

3. All About Breaches and More! – This training product is designed to help your key staff members to better understand their role related to breaches and potential risks with HIPAA. Topics include breach mitigation, documentation, reporting, risk analysis related to the determination of patient notification from the compromise of their PHI, ways to reduce your risks related to common breaches, and more! This product is designed for your supervisors, managers, and directors.

Written HIPAA P&Ps packet: This product includes a packet of nearly 50 HIPAA P&Ps, their accompanying forms/templates and a complete table of contents, all customized for your organization. Some of the key policies include a business associate agreement, nondisclosure agreements, faxing of PHI, social media participation, de-identification of PHI, physician updates for system access, and lots more!

Contact Brenda at bjhurley@aol.com for purchasing these products or any questions related to them.

If you have been putting off these important HIPAA compliance requirements,
this is your opportunity to mark them off as done!

Thursday, March 28, 2013

Saturday, February 16, 2013

The HIPAA Final Rule is Here!


In the medical transcription (MT) industry, the most anticipated proposed change was that related to subcontractors.  The newly expanded definition in the Final Rule for BAs also directly addressed subcontractors.  It states “A Business Associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”  This change will greatly impact a large number of the MT workforce since there are many MT subcontractors (independent contractors) who work for MT services. Their new obligations as HIPAA BAs will be numerous and for a single practitioner these new obligations could be overwhelming. 

Here are some of those key HIPAA BA requirements that all subcontractors who handle PHI will now need to follow:

· A written BA agreement. This agreement would be between the subcontractor and the BA they perform services for, such as an MT service. Just as the MT service has been required since the implementation of HIPAA to have a written BAA with the Covered Entity (CE) they provide services for, now the subcontractor must also have a written BAA with the BA they provide services for. The BA must, of course, comply with all of the requirements outlined in the BAA. HHS posted an updated sample of a BAA consistent with the Final Rule on their website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

· Comply with the HIPAA Security Rule. This includes the administrative, physical and technical safeguards for PHI, as well as a designated HIPAA Security Officer.

· Maintain written HIPAA policies and procedures.

· HIPAA training and proof of it.

· Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of its use.

· If a subcontractor uses the services of a subcontractor, and they handle PHI, subcontractor A will need to have a written BAA with subcontractor B.

· Comply with all notification requirements related to the Data Breach Rule.

· Comply with the contractual Privacy Rule requirements (e.g., termination, HIPAA training, etc.).

The scope of liability has also expanded for the BA to include the actions of their subcontractor BAs. Penalties for willful neglect have increased to as high as $50,000 per violation with a maximum of $1.5 million in a calendar year.

BAs should immediately review their use of subcontractors/independent contractors, contact them regarding their new obligations as a HIPAA BA, and execute an updated BAA with each subcontractor. Because of your expanded liability related to their actions under HIPAA, you may want to require them to provide you with a copy of their written P&Ps and proof of their HIPAA training for your records. BAs will also need to review and update their own P&Ps related to the use of subcontractors/independent contractors to reflect these new changes.

You cannot fix this new challenge by ignoring it or deciding not to establish a BA agreement between the BA and their BA subcontractor. The Final Rule clearly states that even if there is no written BAA, the subcontractor to the BA is subject to the same legal obligations as a BA regardless of whether they have or have not entered into a written BAA.

The effective date for the Final Rule is March 26, 2013, with the compliance (enforcement) date of September 23, 2013. The only exception to this would be for business associate agreements (BAAs) which are currently in place, and that deadline is September 23, 2014. When existing BAAs are renewed or revised before September 22, 2014, they must then conform to the Final Rule. New BAAs will be required to follow the Final Rule so that all BAAs by September 23, 2014, are in full compliance with the Final Rule.

For those who are BAs and think that no one will notice if you skimp on your path to HIPAA compliance, the Office of Civil Rights (OCR) announced in late 2012 that the random HIPAA audits will continue in 2013 and will be expanded to include BAs. There is no place to hide: if you handle PHI, you have major steps to follow to achieve and maintain HIPAA compliance as mandated in the Final Rule.

There is no time to wait; HIPAA compliance is not an option.

Tuesday, January 8, 2013

HIPAA Rocks!


HIPAA was built around five basic principles:

  • First and foremost, health information (PHI) should be used for healthcare purposes. It should be easy to use for healthcare purposes, and difficult for other purposes. Those who receive health information (PHI) must take real and reasonable steps to safeguard it, ensuring that it is not improperly used.
  • The second principle is that technical security safeguards must be used to protect computerized health information (PHI). This includes audit trails showing who accessed the data and the tracking of any improper use of the information.
  • The third principle is the patient's right to access their own information. They should have the right to inspect, copy, and if needed, to correct it.
  • The fourth principle is accountability. Criminal penalties or fines and imprisonment can be imposed on those who have breached the security and protection of health information (PHI). The penalties for violation are higher for those acts that are committed for monetary gain.
  • The fifth principle is public responsibility. There must be a balance between the protection of personal privacy and national health and safety or law enforcement priorities.

If you have any doubt that there is a need for comprehensive federal legislation to protect the individual's right to privacy of their health information, here are some additional statistics to consider.
 
A Gallup Poll taken before the implementation of HIPAA reported the following: 

  • 77% of Americans feel their health information privacy is very important.
  • 84% said they were very concerned that their health information when computerized might be available to others without their consent.
  • Only 7% said they are willing to store or transmit their personal information over the Internet, and only 8% said they felt a website could be trusted with this information.
  • 90% said they trusted their doctor to keep their information private and secure, 66% trusted a hospital, 42% trusted an insurance company, and 35% trusted a managed care company to do the same.

If patients do not trust the healthcare system, some may never seek treatment, others may not give complete information, and there will be some who will ask their doctor not to document their actual condition or history to avoid having it entered in their record. This lack of trust and confidence in the healthcare system means that health information may not be complete or accurate and that conditions may go undetected or untreated. Undoubtedly, the result of this could mean that the quality of the healthcare services provided to them will be compromised.
 
As consumers of healthcare services, we should all welcome this high level of discretion and confidentiality for our personal health information and for our family's health information.  HIPAA rocks!


Wednesday, November 9, 2011

Faxing PHI comes with Potential Risks

Many organizations have discovered that the traditional faxing of (unsecured) patient reports carries the potential risk of a breach. In fact, as a compliance consultant, it is the number one cause of breaches for my clients. Granted these are usually small in number, usually 1 to 5 individuals affected, before the wrong number has been reported and the fax database has been corrected; but each one still requires a mitigation process to limit the potential of significant harm to the patient involved and, of course, the required formal breach documentation. While I continue to promote a change in the PHI delivery method from unsecure to secure, those same organizations continue to tolerate these breach occurrences to retain the status quo of unsecured PHI delivery via traditional (unsecured) faxing.

What will it take to make this change? Consider…
• A high-profile patient whose information is faxed to the wrong number that is instantly recognized by the unintended recipient and this report is now available via the tabloids.
• A family member of a high-level staff member within the healthcare organization whose information was breached via traditional fax of (unsecured) PHI that is used to embarrass their family.
• Your health information that is faxed to the gas station across town instead of the consultant you saw for a reason you would not want to explain.

Predictably, the first question that will be asked with each of these cases would be “How could this happen?”

There are many excellent secure technologies that can deliver PHI without the risks associated with traditional (unsecured) faxing. This should be the first choice for all organizations so they can provide the highest level of protection for all patient information. For example, the delivery of PHI via encrypted email, an encrypted document sent via efax, a VPN, or access through a secure web portal are all proven delivery methods that can maximize the security of the patient information being sent. When the traditional fax, however, is chosen over these secure delivery methods, there are best practices that truly must be employed in order to minimize its related potential risks. Let’s review some of those best practices and their resources.

In the book, HIPAA in Practice – The Health Information Manager’s Perspective, published by the American Health Information Management Association (AHIMA), pages 218-219, the faxing of health information is discussed. Here are some of the steps to follow listed within this section.

• Establish fax policies and procedures based on all applicable laws and regulations after consultation with legal counsel.
• Take reasonable steps to ensure the fax transmission is sent to the appropriate destination. Periodically remind staff members who receive faxes to notify you if their fax number changes. Have all users double check the fax numbers entered before pressing send.
• Include a confidentiality statement on the cover page.
• Contact the receiver and ask that the material be returned or destroyed if the sender becomes aware that a fax was misdirected.
• Place fax machines in secure areas.

Another book, Guide to the HIPAA Privacy Rule, published by Lippincott Williams & Wilkins, pages 68-69, includes some additional steps in its model policy for faxing health information.

• Fax numbers will be verified prior to transmission, to include contacting the person who is to receive the fax to assure they are available to receive it so that the faxed report will not be left unattended on the receiver’s fax machine.
• When receiving a fax containing PHI, the fax is to be removed from the machine immediately and processed. It is not to be left unattended on the fax machine.
• If a fax containing PHI is received in error, contact the sender immediately. This fax will be noted on the log sheet used to track incoming faxed documents. The documents received in error will be shredded immediately.

In a recent article in Advance for Health Information Professionals, Can You Afford the Consequences of a Data Breach?, one of the individuals interviewed said she likens sending a fax (with PHI) to going to war: you must prepare for battle, because the consequences of a breach may mean harm to a patient and/or a staff member losing their job. Because it is so easy to transpose numbers or press the wrong button on the keypad, their staff is required to circle the fax number on all requests. Once the number has been entered into the fax machine, their procedure is to check the circled number twice before pressing the send button.

Stanford University, located in California, has shared their guidelines for faxing PHI. Of note, they have restricted the use of faxing PHI to only certain types of data.

• Fax PHI when other types of communication are not available or practical.
• Limit the PHI contained in the fax to the minimum necessary to accomplish the purpose of the communication.
• When faxing do not include sensitive PHI such as PHI related to alcohol abuse, drug abuse, mental health issues, HIV testing, antigens including hepatitis infection, sexually transmitted diseases, or presence of malignancy.
• Take reasonable precautions to ensure that the intended recipient is either available to receive the fax as it arrives or has exclusive access to the fax machine.
• If there is a reason to question the fax number, contact the recipient to confirm the number prior to faxing PHI.
• Use the standard fax coversheet that includes the confidentiality notice.
• Do not include any PHI on the coversheet.

Clearly, the faxing of PHI is associated with many risks. If your organization still uses this technology to deliver PHI, be sure to incorporate these best practices in order to proactively address their associated dangers and to minimize their potential risks. In addition, transitioning to newer, more secure delivery technologies should be strongly considered and included in your organization’s HIPAA security compliance assessment and risk mitigation plan in the future.


About the author: Brenda Hurley, CMT, AHDI-F, is a compliance consultant with over 40 years of experience in the medical transcription industry. She can be reached at bjhurley@aol.com.

Sunday, September 18, 2011

Sunday, August 7, 2011

Let's Be HIPAA Smart!

Within a busy medical transcription service organization, individually and collectively, we “handle” a lot of protected health information (PHI) in many different ways for our clients and the patients who entrust us all. Without occasional reminders related to the importance of securing PHI and being alert to potential risks for breach, it would be easy to become complacent while performing your daily routines. Let’s take a moment to get a short refresher on ways we all can be HIPAA smart!

Here are just a few examples as to how you can make a positive impact by protecting PHI:

1. Faxing of reports is often required by clients, but the technology is not secure for PHI; therefore, it is imperative that the information gets to its intended recipient. When it does not, we have procedures to follow to report this to the client, and when deemed necessary, to the patient as well. So while faxing may seem to be a very common process, it should never be taken for granted.

- Keying in the fax number accurately is critical, so do so carefully.

- If the fax number is dictated, please verify the numbers provided by re-listening to the dictation. If there is any doubt, flag it for verification.

- When sending a fax to a new number, use a fax test sheet that would require the recipient to respond before sending any PHI.

2. Sample reports need to be de-identified. This also applies to portions of reports that are used for testing, training, QA reviews, and MT/editor feedback. Be sure that these reports have had all individually identifiable elements removed from them before saving them on your computer as samples. For a full list of these PHI elements, see the appendix section below. Even if you believe that your samples are secured in your home office or on your PC, unless they are encrypted, they are not fully protected from potential breach.

3. Email and Instant Messaging. Do not include PHI within the body of an IM, an email or its reference line. Unless you are using an encrypted email service, emails and IMs are an unprotected technology. If you need to communicate any PHI via email, only use the job number or document ID to identify the patient. When this is inadequate for communication, call the intended recipient to discuss the issue.

4. Be proactive. We recognize that the human factor is critical to the success of our company in the service we provide as well as in the compliance we achieve. If you have suggestions for improving the protection of patient information, we would like to hear from you.

If you have any questions related to this HIPAA Smart reminder, contact your supervisor for answers!

Remember, compliance is everyone’s job!


Appendix:
Individually identifiable elements as provided by HIPAA include:

· Name
· Geographic subdivision
· Dates, except year
· Phone number
· Fax number
· E-mail address
· Web URLs
· IP (internet protocol) address
· Social Security number
· Medical record number
· Health plan number
· Account number
· Driving certificate/license number
· Vehicle identifiers/registration number
· Biometric identifiers
· Photographic images (that could identify an individual)
· Medical device identifiers
· Other unique identifier (something so specific that the individual could be potentially identified).
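One way to check a sample report before it is saved, as an added example that is not part of the original post: a small Python scanner and redactor for the identifier classes in the appendix that have a recognisable shape in free text (Social Security number, phone/fax number, e-mail address, URL, IP address, full dates). Names, geographic subdivisions, device and biometric identifiers have no fixed shape and still need human review, so a clean scan is a precondition for using a report as a sample, not proof that it is de-identified; the sample report and the MRN/account number formats are constructed for this example, not a standard.

```python
import re

# Identifier classes from the appendix that have a recognisable shape in text.
# Names, locations, biometric and device identifiers do not, and are left to
# human review. The MRN and account formats are assumptions for this example.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # phone or fax: (555) 123-4567, 555-123-4567, 555.123.4567
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # "dates, except year": a full m/d/y or "Month d, yyyy" date is PHI,
    # a bare year is not, so the patterns require a day component
    "date": re.compile(
        r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"
        r"|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? "
        r"\d{1,2},? \d{4}\b", re.IGNORECASE),
    # assumed local conventions: MRN is 6-8 digits, accounts are ACCT-<digits>
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,8}\b", re.IGNORECASE),
    "account": re.compile(r"\bACCT-\d+\b"),
}

# Constructed sample report; no real patient data.
SAMPLE_REPORT = """CONSULTATION NOTE (constructed sample, not a real patient)
Patient: Jane Doe   MRN: 4821973   DOB: 03/14/1962   Acct: ACCT-77015
Seen March 21, 2013 for follow-up. Return call to (555) 123-4567 or fax 555-987-6543.
Portal: https://portal.example.org/results  Email: jdoe@example.org
Remote session from 192.168.10.44. SSN on file 123-45-6789.
Assessment: hypertension, well controlled. Plan: recheck in 6 weeks in 2013."""


def scan(text):
    """Return {identifier class: [matched strings]} for every class found."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def redact(text):
    """Replace each detected identifier with a placeholder naming its class."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{name.upper()}]", text)
    return text


def is_safe_sample(text):
    """True when no shaped identifier remains; names still need manual review."""
    return not scan(text)


if __name__ == "__main__":
    for cls, values in scan(SAMPLE_REPORT).items():
        print(f"{cls:13s} {values}")
    print(redact(SAMPLE_REPORT))
```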