On Hospital Compliance
The privacy regulations of HIPAA require that each hospital have an internal process to allow an individual to file a complaint concerning the covered entity’s compliance with privacy policies and procedures. This requires hospitals to designate a contact person to be responsible for receiving and documenting the complaint as well as the disposition.
A formal response to the person is not required as part of this rule; therefore it is estimated that each complaint, even though rare, will take ten minutes to document.
Recent Data
Recent data reveals that the most frequent complaints received either by hospitals or ultimately by DHHS include the following:
- impermissible use or disclosure of individual PHI (most occurrences were curiosity or accidental, yet were reported);
- lack of safeguards to protect PHI;
- refusal or failure to provide an individual with access to or a copy of his or her record;
- disclosure of more information than is minimally necessary; and
- failure to have the individual’s valid authorization for a disclosure that requires one.
Assessment
Most hospitals have documented and logged such complaints, reviewed the situation, and resolved the problem internally.
Conclusion
And so, your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, be sure to subscribe to the ME-P. It is fast, free and secure.
Link: http://feeds.feedburner.com/HealthcareFinancialsthePostForcxos
Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com
Our Other Print Books and Related Information Sources:
Practice Management: http://www.springerpub.com/prod.aspx?prod_id=23759
Physician Financial Planning: http://www.jbpub.com/catalog/0763745790
Medical Risk Management: http://www.jbpub.com/catalog/9780763733421
Physician Advisors: www.CertifiedMedicalPlanner.org
OCR to Publish Security Breach Reports Online
The Office for Civil Rights [OCR] at HHS is getting its own IT infrastructure in place to receive and publicize reports of health information security breaches in compliance with heightened privacy and security provisions in the American Recovery and Reinvestment Act [ARRA] of 2009.
The OCR just published in the Federal Register a six-page announcement of modifications to its Program Information Management System [PIMS] to accommodate the additional data gathering, report writing and release of information about breaches of protected information by “covered entities” and their “business associates” as defined by the Health Insurance Portability and Accountability Act of 1996, or HIPAA.
Under the stimulus law, HIPAA-covered entities and their contractors are required to report to HHS immediately if a breach involves the records of 500 or more individuals.
Source: Joseph Conn, Health IT Strategist [4/15/10]
HIPAA Costs
The time cost for a hospital to maintain HIPAA compliance only tells a small part of the story. It has been estimated that the total cost for compliance is proportional to the size of the organization, ranging from $100,000 for a small hospital, to $1MM or more for a large institution. A Google search for the term “HIPAA” returns over 9 million websites, with many representing consultants, training services, and software to help an organization to attain compliance.
Federal regulations set minimal requirements regarding privacy, and numerous state and local regulations add to the complexity of interpretation and compliance measures.
Brian J. Knabe MD
[Certified Medical Planner™ candidate]
http://www.CertifiedMedicalPlanner.com
First Prison Sentence for Medical Record Snooping
A former UCLA Health System researcher was sentenced to four months in prison for illegally perusing the medical records of co-workers and celebrities. Huping Zhou will be the first person in the U.S. to go to prison for violating the medical privacy provision of the Health Insurance Portability and Accountability Act of 1996, according to the U.S. attorney’s office in Los Angeles.
Zhou is licensed as a cardiothoracic surgeon in China and worked as a research assistant at one of UCLA’s facilities, which is not named in court documents. In October 2003, Zhou was notified that he would be terminated. Over the next three weeks, he abused his access to the computer system to look up health information of patients, most of them celebrities and people Zhou worked with, he admitted in a plea agreement with prosecutors.
Source: Gregg Blesch, Modern Healthcare [4/28/10]
HHS Proposes Changes to HIPAA Privacy Rule
HHS has proposed a new federal healthcare information privacy rule to amend the Health Insurance Portability and Accountability Act of 1996. Reflecting changes Congress sought last year in the stimulus law, the proposed rule would give patients the right to restrict certain disclosures and ban the sale of patient data without patient consent, according to HHS.
Also according to an HHS announcement made jointly by David Blumenthal, head of the Office of the National Coordinator for Health Information Technology, and Georgina Verdugo, director of the Office for Civil Rights, the proposed rule would:
* expand individuals’ rights to access their information
* restrict certain disclosures of protected health information to health plans
* extend the applicability of certain of the HIPAA privacy and security rule requirements to the business associates of covered entities
* establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and
* strengthen and expand OCR’s ability to enforce HIPAA’s privacy and security provisions.
A 60-day public comment period on the proposed rule opens July 14.
Source: Joseph Conn, Health IT Strategist [7/8/10]
Is HIPAA falling apart before our eyes?
Joseph Conn just posted: Confidence in meaningful-use readiness plunges – CHIME
http://www.modernhealthcare.com/article/20101209/NEWS/312099997/1153
“The percentage of chief information officers who are confident that their organizations will qualify by April 2011 for federal incentive payments for the purchase of electronic health-record systems plunged to 15%, down by nearly one-half from 28% of responding CIOs in a similar survey released in August, according to the College of Healthcare Information Management Executives.”
Darrell K. Pruitt DDS
How HIPAA [Financial] Costs Rise
[Want to see how HIPAA costs rise?]
Clearwater Compliance, a HIPAA/HITECH compliance consultancy, posted a press release on DailyMarkets.com today that features their report titled “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security.” (See: “Data Breach Costing Model Provides Compelling Support For ROI On Security Investments” – no byline).
http://www.dailymarkets.com/stock/2012/03/05/data-breach-costing-model-provides-compelling-support-for-roi-on-security-investments/
According to the ad, “Even with the increased focus on enforcement of HIPAA and HITECH requirements, the security efforts of organizations responsible for safeguarding PHI are simply not keeping pace with the growing risks of exposure of PHI. Those risks are a result of increasing electronic health record (EHR) adoption, the growing number of organizations handling PHI and the higher rewards of PHI theft. In order to deliver quality health care and ensure patient safety, organizations in the health care industry and their service providers require adequate processes and resources to protect PHI, the report asserts.”
According to their bio, Clearwater Compliance helps covered entities, business associates and their subcontractors solve these problems by meeting stringent HIPAA/HITECH Privacy, Security and Data Breach Notification requirements, including risk management software, services and solutions. For a fee.
The press release says that today, Mary Chaput, Clearwater Compliance’s Chief Financial Officer and Compliance Officer, is participating in a press event at the National Press Club and a Congressional staff briefing on Capitol Hill. For free. She is presenting to our lawmakers the study’s findings and best practices that Clearwater can help with if the money is right.
Ms. Chaput is quoted: “As the report clearly illustrates, preventive measures such as security technology, policies and procedures to protect PHI and security awareness training can be implemented to help mitigate risk and reduce either the probability or the impact of a PHI breach. But implementing these measures costs money, and, as the survey conducted by the PHI Project indicates, health care organizations are simply not committing sufficient resources to their security programs. This is the problem the PHI Project is attempting to solve through publication of this important report.”
If the PHI Project’s PR effort is successful, is that more likely to make the cost of HIPAA compliance for dentists increase or decrease?
D. Kellus Pruitt DDS
More on HIPAA Costs
Even though taxpayers fund Medicaid clients’ healthcare, as Americans, they still have the same rights to privacy as everyone else, don’t they?
“Medicaid Clients Notified of Potential HIPAA Breach” by Gwenda Bond was posted yesterday on SurfKY News.
http://surfky.com/index.php/news/kentucky/24461-medicaid-clients-notified-of-potential-hipaa-breach
“In mid-November, an employee of Carewise Health, a subcontractor of Hewlett-Packard Enterprise Services (HP ES), responded to a telephone computer scam, resulting in unauthorized remote access to a computer that contained a database with information on the Medicaid clients.”
“Potential” breach? Even if the qualifier could be measured, a computer stolen in a burglary or a lost laptop might be called “potential” because of remaining access hurdles. But this time, a hacker outwitted a poorly-supervised healthcare IT subcontractor working for Kentucky’s Cabinet for Health and Family Services (CHFS) – exposing patients’ healthcare information including social security numbers to an unknown number of untraceable people. To determine whether a breach has occurred or not, one should probably ask the opinions of those who have been notified that their medical and financial identities have been put at risk.
It looks to me like the danger was downgraded to “potential” not by the victims, but by Hewlett-Packard officials who were responsible for the blunder. It’s only natural that those who manage Medicaid’s HIT system in Kentucky would reflexively try to discount the harm. HP has a lot to lose. Aside from the HIPAA liability, the risk of a class-action lawsuit from Medicaid clients could last years. (I’m uncertain whether, like Texas, Kentucky’s Attorney General can also sue for HIPAA violations.) Regardless, the HIPAA Business Associate is ducking for cover. That’s not unusual. Breaches caused by BAs like HP have affected 60% of all individuals whose PHI is disclosed in breach incidents.
Link: day2-4_dholtzman_ocr-hitech-breach-notifcation-rule.pdf
Had the hacker’s target been a BA in the dental IT industry, and 500 or more of a dentist’s patients’ identities had been fumbled for whatever reason, an announcement of the breach would have to be published as a press release in the dentist’s community – damaging the innocent doctor’s practice and reputation forever. EDRs hardly seem worth such risk, and yet, according to former OCR official Adam Greene, sharing the proceeds from HIPAA fines with dental patients who report them stands a small chance of becoming a new way to stimulate the economy.
Greene tells Healthcare Info Security, “I’m not optimistic that we will see [Rules for distributing HIPAA settlements and penalties to harmed individuals] in 2013, but they could have a potentially large impact by incentivizing individuals to complain to HHS based on the prospect, however remote, that their complaint will lead to a settlement or fine for which they receive a percentage.” (See: “2013 Healthcare Regulatory Outlook – Overdue HIPAA Modifications Top the List” by Marianne Kolbasuk McGee, December 28, 2012).
http://www.healthcareinfosecurity.com/2013-healthcare-regulatory-outlook-a-5385/p-2
Once the HIPAA Rule gains popularity as a national lottery tool to distribute dentists’ wealth, maintaining dental patients’ identities on computers might encourage clever, opportunistic entrepreneurs to make dental appointments.
D. Kellus Pruitt DDS