New Rules and Regulations for Covered Healthcare Entities
Proposed regulations on HIPAA accounting of disclosures have recently been published and are open for public comment. If enacted in their current form, the new regulations will require Covered Entities to make significant revisions to their current HIPAA procedures and may require modifications to current computer systems.
The HITECH Act
Under the HITECH Act, regulations must be enacted that allow individuals to receive a much expanded accounting of disclosures of electronic health information, including disclosures made for treatment, payment and health care operations.
In order to accomplish this, the proposed regulations differentiate between “accountings of disclosures” and “access reports.” Accountings will continue to be a list of certain limited types of disclosures. Access reports will be similar to “audit trails” and must include information regarding each access to an individual’s electronic health information. Covered Entities must be able to provide, upon request, both accountings and access reports.
Covered Entities
The proposed regulations also include specific requirements, including the following:
- Accountings and access reports must be available in regard to disclosures or access, as applicable, for 3 years and must be provided within 30 days of the request.
- Accountings and access reports will be required only for health information maintained in designated record sets (e.g., medical records, billing records).
- Accountings and access reports must include information about disclosures of, and access to, information maintained by business associates.
- There are additional exceptions to the types of disclosures that must be included on an accounting (e.g., exceptions will include disclosures about abuse and to medical examiners).
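One way a Covered Entity's system could assemble such an access report from its own audit log, as an added illustration that is not from the post or from any regulation text: the log field names, the constructed sample entries and the 365-day-year approximation of the 3-year window are this example's assumptions.

```python
from datetime import datetime, timedelta

# Record sets the page names as in scope (medical and billing records).
DESIGNATED_RECORD_SETS = {"medical_record", "billing_record"}

def _entry(ts, patient, actor, org, action, record_set, recipient=None):
    """Build one audit-log record (field names are this example's own choice)."""
    return {"ts": ts, "patient": patient, "actor": actor, "org": org,
            "action": action, "record_set": record_set, "recipient": recipient}

# Constructed sample audit log (illustrative, not real data): one record per
# access to, or disclosure of, a patient's electronic health information.
AUDIT_LOG = [
    _entry("2011-06-01T09:12:00", "P-1001", "dr.smith", "covered_entity", "view", "medical_record"),
    _entry("2011-06-02T10:00:00", "P-1001", "sysadmin", "covered_entity", "view", "system_log"),
    _entry("2011-06-03T14:05:00", "P-1001", "billing", "covered_entity", "disclose", "billing_record", "HealthPlan Inc"),
    _entry("2011-06-05T10:00:00", "P-2002", "dr.smith", "covered_entity", "view", "medical_record"),
    _entry("2011-07-10T11:30:00", "P-1001", "transcriber42", "business_associate", "view", "medical_record"),
    _entry("2011-07-15T08:00:00", "P-1001", "records.clerk", "covered_entity", "disclose", "medical_record", "State Health Dept"),
    _entry("2007-01-01T00:00:00", "P-1001", "dr.old", "covered_entity", "view", "medical_record"),
]

def access_report(log, patient_id, request_date, lookback_years=3):
    """Assemble the access report for one patient: every access to their ePHI in a
    designated record set within the lookback window, business-associate access
    included, oldest first. Also records the 30-day response deadline."""
    window_start = request_date - timedelta(days=365 * lookback_years)  # assumption: 365-day years
    rows = []
    for e in log:
        if e["patient"] != patient_id or e["record_set"] not in DESIGNATED_RECORD_SETS:
            continue  # other patients and non-record-set data (e.g. system logs) are out of scope
        ts = datetime.fromisoformat(e["ts"])
        if not (window_start <= ts <= request_date):
            continue  # outside the 3-year window the page describes
        rows.append({"when": e["ts"], "who": e["actor"], "org": e["org"],
                     "action": e["action"], "record_set": e["record_set"],
                     "recipient": e["recipient"]})
    rows.sort(key=lambda r: r["when"])  # ISO-8601 strings sort chronologically
    return {"patient": patient_id,
            "requested": request_date.date().isoformat(),
            "due_by": (request_date + timedelta(days=30)).date().isoformat(),
            "entries": rows}

def demo_report():
    """Run the sample request (dated 2011-08-01) against the constructed log."""
    return access_report(AUDIT_LOG, "P-1001", datetime(2011, 8, 1))

if __name__ == "__main__":
    report = demo_report()
    print(f"Access report for {report['patient']}, due {report['due_by']}:")
    for r in report["entries"]:
        print(f"  {r['when']}  {r['org']:<18} {r['who']:<14} {r['action']}  {r['record_set']}")
```

For the sample log the report keeps four entries (including the business associate's view and the two disclosures with their recipients) and drops the 2007 access, the system-log access and the other patient's record.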
Conclusion
Your thoughts and comments on this ME-P are appreciated.
To really prove to an auditor from KPMG that your HIPAA sanctions are in place, someone has to take a hit for the team.
Yesterday, InsuranceNewsNet.com posted “U.S. Department Of Health And Human Services Audits Set To Begin Soon” (no byline).
http://insurancenewsnet.com/article.aspx?id=271036
Attorney Adam H. Greene, who formerly worked at HHS’ Office for Civil Rights and now focuses his practice on HIPAA compliance, suggested that “entities that have never imposed an internal HIPAA-related sanction may have a problem.” He adds that not having issued a sanction “doesn’t mean you have never had a HIPAA violation.”
So, Doc, got an employee in mind?
D. Kellus Pruitt DDS
We’ve been had
New HIPAA rules won’t enhance privacy, but they will burden physicians
http://www.kevinmd.com/blog/2011/09/hipaa-rules-enhance-privacy-burden-physicians.html
Darrell
HIPAA in the “Real” World
The things I hate about HIPAA are its inconsistencies, and its overall effect.
For instance, there are many restrictions on sending even the simplest of emails without major encryption, but nothing about faxes at all.
In fact, the law’s severe penalties created panic-like behavior in my office, where we worried about how a patient wandering into a back room might glance at a chart and see another patient’s name. OR, how we even blanked out names on X-ray films!
Dr. David Edward Marcinko MBA
http://www.HealthcareFinancials.com
You’ve got that right – Dr. Marcinko!
A couple of years ago, a serious discussion on a HIPAA listserv revolved around replacing written allergy warnings on the outside of patients’ charts with color coded labels to prevent passers-by from accidentally catching a glance at protected health information.
D. Kellus Pruitt DDS
Sanctioned an employee yet?
If you are considering ignoring the reporting deadline simply because your practice hasn’t experienced any breaches of patients’ identities in 2011, let me first of all tell you congratulations on your spotless privacy record. Though that’s certainly an admirable accomplishment all dentists should strive for, this is not the time or the environment to take a bow. Like dental school, this is a time to blend in.
Even the most secure practices should be aware that since the frequency of data breaches from healthcare organizations has reached epidemic proportions, ambitious KPMG auditors working on commission for OCR are well aware that virtually all dentists with electronic records have suffered reportable data breaches in 2011. You can imagine the amount of unwanted special attention a HIPAA success story in dentistry could attract these days.
If you haven’t listed any breaches of 500 or fewer of your patients’ identities yet, between now and Wednesday, you might want to help a formerly careless employee or two recall how you sanctioned them for something like allowing a UPS delivery person to accidentally glance at a patient’s digital medical history. Or, maybe for leaving an unattended computer within reach of a patient (I think HIPAA actually protects a dentist from having to reveal the patient’s name). Anything would be preferable to a blank page under your NPI number, and it helps if you get your stories straight with staff members who learned a darn good lesson from the experience.
You’ll certainly be unpopular around the office for a while, but according to attorney and former OCR official Adam Greene, “… entities that have never imposed an internal HIPAA-related sanction may have a problem.” He added that not having issued a sanction “doesn’t mean you have never had a HIPAA violation.”
http://insurancenewsnet.com/article.aspx?id=271036
Regardless of what triggers a HIPAA audit, suppose a humorless KPMG employee with bad breath just happens to be having a really bad day, and predictably doesn’t like dentists much at all. Dentists should do everything possible to avoid the risk of obscene fines for willful neglect, which easily can bring an end to an honest dental practice. If you are a HIPAA covered entity, take the former OCR official’s advice and sanction someone if you haven’t already done so, and do it before Wednesday.
I ask you. If I wasn’t here to warn of these liabilities, who would? The ADA? … You mean the same professional organization which joined with discount dentistry brokers like Delta Dental and BCBSTX to persuade uninformed dentists to volunteer for NPI numbers?
Who’s your daddy?
D. Kellus Pruitt DDS
Blue Cross and Blue Shield of TN to Pay $1.5 Million in HIPAA Settlement
In the first enforcement action stemming from the HITECH Act breach notification rule, Blue Cross and Blue Shield of Tennessee has agreed to pay federal regulators $1.5 million and enter into a corrective action plan after 57 hard drives were stolen from the insurer.
Blue Cross told government authorities that the computer drives contained unencrypted private health information for more than one million people, including names, Social Security numbers, dates of birth, diagnosis codes, and health plan ID numbers, according to an announcement by HHS’ Office for Civil Rights.
Source: Joe Carlson, Modern Healthcare [3/13/12]
Of email Compliance
Is sending “secure” email to patients who use Gmail – or other providers – HIPAA compliant?
Douglas
It’s very risky for a physician to simply email health-related issues with their patients, for several justified security reasons.
However, an ad for RPost just appeared that you might be interested in reading: “Physician Groups Turn to RPost for HIPAA Compliance, Electronic Signatures, and Registered Email Legal Delivery Proof.”
http://world.einnews.com/pr_news/94357377/physician-groups-turn-to-rpost-for-hipaa-compliance-electronic-signatures-and-registered-email-legal-delivery-proof
“RPost has set the standard for legal electronic messaging and document services with its patented Registered Email® services for delivery proof, compliant message encryption and legal electronic signatures.”
Hope this helps.
Darrell DK
Can you trust your practice to your Business Associates’ hiring habits?
“32,000 patient records exposed on contractor’s unsecured website – Cogent dealing with second HIPAA breach.” by Susan D. Hall, FierceHealthIT, August 12, 2013.
http://www.fiercehealthit.com/story/32000-patient-records-exposed-contractors-unsecured-website/2013-08-12
An employee of medical transcription contractor Cogent, who left a critical firewall down for 7 weeks between May 5 and June 24, is responsible for permanently damaging thousands (?) of physicians’ practices across the nation by causing a breach of their patients’ Protected Health Information (PHI). According to HIPAA, Cogent is a “Business Associate” of physicians, who are “Covered Entities.” Even though BAs are to blame for 58% of all breaches of patients’ records, far too many of the 32,000 notified patients across 48 states won’t understand the difference. According to the Ponemon Institute at least 20% will immediately leave the practice – giving their hapless doctors no chance to explain. Is that fair?
A Cogent employee simply goofed. A human error. Yet not even the very best cyber-insurance policy can repair the doctors’ reputations in their communities for even one breach. Note that this is Cogent’s second. I wonder how many doctors have had to notify their patients twice. How many will be willing to risk identity theft a third time?
HIPAA-covered dentists’ practices are at the mercy of their BAs’ hiring practices as well. Doesn’t that make you nervous, Doc?
De-identify now. If dental patients’ identities are unavailable, they are impossible to steal.
D. Kellus Pruitt DDS