Vitruvian MedPro Blog

09
Dec
2013

HIPAA OMNIBUS RULES AND BUSINESS ASSOCIATES

As of September 23, 2013, covered entities should have updated their HIPAA compliance programs to comply with the final HIPAA Omnibus rules. The final rules became effective on March 26, 2013 but gave covered entities 180 days to comply. Covered entities that have not updated their compliance programs to meet the final omnibus rules requirements need to do so immediately. Those that have not done so run the risk of being found in willful neglect by the Department of Health and Human Services (HHS), of facing a full HIPAA audit, and of paying high fines. According to Leon Rodriguez, director at the HHS Office of Civil Rights, the final Omnibus Rules bring “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented”.

An important aspect of updating the HIPAA compliance program to meet the final Omnibus Rules requirements is to review and update business associate agreements. A business associate is an entity that has access to protected health information when providing a service to a covered entity. Business associates receive, store, maintain or transmit protected health information (PHI) on behalf of a covered entity. Good examples of business associates are medical billing companies, information technology companies, shredding companies, copy machine companies, etc. Covered entities have until September 23, 2014 to update their business associate agreements to comply with the final HIPAA Omnibus rule. Business associate agreements that have not been modified or renewed between March 26, 2013 and September 23, 2013 will be considered compliant until they need to be renewed or until September 22, 2014.

The American Medical Association states that the kinds of individuals and entities that can be treated as business associates have expanded with the Omnibus Rules. These organizations include patient safety organizations, health information exchange (HIE) systems and EMR or EHR companies. Medical practices need to determine whom they need to enter into a business associate agreement with.

Covered entities must ensure that the business associates that they work with are HIPAA compliant. As part of the final omnibus rules, business associates are liable for any violations that occur and they are responsible for any subcontractors that they work with. Business associates need to conduct a thorough risk analysis and must comply with the security and breach notification rules.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we help medical practices perform and document a risk analysis. We provide medical practices with a thorough risk management report describing their risks and vulnerabilities with PHI.
A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

At Vitruvian MedPro, a Massachusetts based medical billing and practice management consulting company, we help medical practices improve cash flow and focus on patient care by providing medical billing, medical coding, and patient collection services. Visit our web site at Vitruvian MedPro

05
Nov
2013

HIPAA OMNIBUS RULES AND THE PRIVACY AND SECURITY RULES

Covered entities should have updated their privacy and security rules to comply with the final HIPAA Omnibus rules as of September 23, 2013. The final rules became effective on March 26, 2013 but gave covered entities 180 days to comply. Covered entities that have not updated their privacy and security rules to meet the final omnibus rules requirements need to do so immediately. Those that have not done so run the risk of being found in willful neglect by the Department of Health and Human Services (HHS), of facing a full HIPAA audit, and of paying high fines. According to the head of the Office of Civil Rights, the final Omnibus Rules bring “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented”.

An important aspect of updating the HIPAA compliance program to meet the final Omnibus Rules requirements is to review the privacy and security rules. Some areas that must be reviewed and updated are: breach notification procedures, disclosures of Protected Health Information (PHI), marketing, the sale of PHI, fundraising and access rights to PHI.

The way breach notifications are handled has changed with the final rules. Covered entities must notify patients whenever there is a breach of PHI. A breach of PHI must be reported unless the covered entity can demonstrate that the PHI has not been compromised or that the chances of PHI being compromised are very small. The rules for breach notifications also apply to business associates. By conducting a risk assessment, covered entities and business associates can determine what is considered a breach and how to react to a breach. To illustrate, a commonly recommended practice to guard PHI is to encrypt all the electronic devices that have access to and store PHI. When an encrypted device is stolen or lost, it can be assumed that a breach is unlikely and a breach notification is not necessary.

Disclosures of PHI are an important aspect of the final omnibus rules. Patients now have the right to request that medical practices not disclose to their health plans the PHI for a specific service or treatment if they have paid for that particular visit out of pocket. So, covered entities must honor their patients' requests not to disclose specific treatment PHI to health plans when the patients pay cash for the treatment. Covered entities must inform patients of treatments that need to be disclosed regardless of payment in instances where it is required by law.

There are cases where covered entities have marketing agreements with providers of medical services, such as pharmaceutical companies and medical device manufacturers, under which they are compensated for sharing treatment information for marketing purposes. As part of the final Omnibus rules, covered entities must get patient authorization when treatment communications are shared for marketing purposes. The American Medical Association states that a physician may tell patients about a third party product without the patient’s authorization when the physician does not get compensated for the information, when the physician tells the patient in person, when the patient is already being prescribed a medication, when the communication is done to promote health and when the communication involves a government program.

Covered entities must review their policies in the cases where they receive compensation for providing PHI to an external entity. Covered entities can’t sell PHI without their patient’s written authorization. As part of the final Omnibus Rules, covered entities that are compensated for the sale of PHI must be authorized by their patients before they can disclose their PHI. Patients must be made aware when covered entities sell their PHI to external parties.

In cases where a covered entity engages in sending fundraising communications, they must update the fundraising forms so that patients can choose to opt out of receiving fundraising communications.

Patients have the right to request a copy of their PHI. Covered entities that use an EMR system to store patient information are now required to provide patients with their EMR-stored PHI upon request. Covered entities must provide the patients with their requested PHI within 30 days after the patient has made the request. Covered entities can request a 30-day extension. Covered entities must provide access to their EMR in the electronic format that the patient requests. The costs of obtaining the PHI may be charged to the individual who is requesting the records.
Finally, covered entities must ensure that their staff is trained on all the new policies and procedures. The training must be completed on a yearly basis and it must be documented.

The new rules must be taken seriously as they have the potential for $1.5 million in fines and can put a covered entity out of business.


01
Nov
2013

BEST PRACTICES FOR REDUCING PATIENT NO SHOWS

In today’s health care environment patients have more responsibility for paying their medical bills. In the new environment, patients are responsible for paying higher copays and have high deductibles. With the decrease in reimbursements from the insurance companies, medical practices must run a tight schedule in order to maximize the revenue that they generate. An important aspect of practice management is to ensure that patients show up for their scheduled visits. It is not uncommon for patients to not show up for their visits without providing notice to the medical practice. A no show from a patient means a loss of revenue that can be important to the financial well-being of the practice. Moreover, a patient no show prevents the medical practice from collecting copays from patients and sending a claim to the insurance company.

In order to reduce patient no-shows, medical practices must put in place a process to discourage patients from missing scheduled appointments. This process can be broken down into four simple steps.

The first step in the process is for the medical practice to develop a patient no show policy and make patients aware of it. The practice must make an effort to stick to the rules in the no show policy at all times to ensure that patient no shows are minimized. The patient no show policy should be as simple as having rules for cancellations and missed appointments.

The second step in the process is for the practice to communicate the no show policy to its patients. The no show policy should document the practice’s policy regarding no shows along with the consequences of a missed appointment. Some practices charge a certain amount for missed appointments. The policy is to be reviewed and signed by the patient. Patients must provide enough notice to the practice if they need to cancel an appointment.

The third step in the process is for the practice to make calls to patients scheduled to be seen 24 hours before their scheduled appointment. Calls can help catch cancellations giving the medical practice enough time to schedule the cancelled slot with another patient.

The fourth and final step in the process is to communicate with patients who failed to show for their appointment. Communicating with patients who have missed appointments helps build rapport and trust. At the same time, it allows the practice to check for any unusual situations behind the missed appointment.

It is important that practices communicate to their patients the importance of showing up or making arrangements in the case that an appointment needs to be missed. Opening a dialog with patients regarding the importance of showing up will improve a practice’s bottom line.

To recap, some best practices for preventing no shows are:

1. Develop a no show policy and make patients aware of it.
2. Communicate the no show policy to all patients.
3. Make appointment reminder calls to all patients 24 hours before their appointment.
4. Communicate with patients that fail to show up for their scheduled appointments.

At Vitruvian MedPro Consulting, we are more than medical billers. We are certified medical reimbursement specialists by the American Medical Billing Association. We can help medical practices at any stage of the revenue cycle management process. Our goal is to help medical practices improve cash flow and focus on patient care.

Please visit our medical billing page to learn more about our services at: Medical Billing Services

We are currently offering a free practice analysis to help medical practitioners determine whether it makes sense to outsource their billing. Give us a call at 781-454-7406 and schedule your free demo.

At Vitruvian MedPro, a Brookline, Massachusetts medical billing and practice management company, we work with independently owned medical practices on any aspect of their revenue cycle management. Besides medical billing, we help medical practices with their coding, account receivables and HIPAA compliance. We make sure that practices receive the highest reimbursements from the insurance companies.

26
Sep
2013

THE MEDICAL BILLING PROCESS NEEDS A GOOD PATIENT COLLECTION SYSTEM

Medical Billing is one of the most important functions of a medical practice. Medical Billing is part of the revenue cycle management process of a practice. So, medical billing is much more than submitting claims to insurance companies and waiting to be paid for those claims. The revenue cycle management of a medical practice is a complex process that involves: insurance verification, patient demographic entry, medical coding, charge entry, claims submission, payment posting, patient collections, denial management and reporting. In order to ensure financial success, medical practices must put in place a solid revenue cycle process. Putting in place the steps that the practice staff needs to ensure that every step of the revenue cycle management process is worked will save the medical practice money and will increase revenue in the long run.

At the center of the revenue cycle management process is patient collections. Current trends in medical insurance are putting more responsibility on patients due to higher co-pays and higher deductibles which patients are responsible for. Also, patients that have no health insurance are responsible for paying for the medical services they receive. A good patient collections process will make the revenue cycle management process run smoothly. Moreover, having a good patient collections process will ensure that the medical practice gets the money patients are responsible for paying.

One of the best practices that medical practices should implement is to set patient collection expectations up front, before the patient gets seen or during the patient’s visit. Not discussing patient collection responsibilities up front can damage the relationship between the medical practice and the patient when a bill is sent to the patient after the visit. It is not uncommon for patients to dispute and fight a medical bill when they are not made aware of their responsibilities up front. Sharing patient payment responsibilities up front will set ground rules and will make patients aware of their responsibilities after they receive care.

Medical practices must make sure that they obtain patient insurance coverage and eligibility before the patient shows up for a visit. Providing patients with the copay and deductible responsibilities will set payment expectations up front and will prepare the patient to receive statements from the practice. A good practice management system can provide eligibility and coverage information to the practice on the spot, saving the practice staff the time of calling the patient’s insurance company. As an added benefit to the practice processes, a printed copy of the insurance coverage and eligibility information can be provided to patients from the get go as a way to engage them in the collection process.

Medical practices must also make sure that once patients are aware of their coverage and eligibility benefits, they collect patient co-payments at the time the patient walks in for a visit. It is good practice to let patients know in advance how much they will be expected to pay when they come in for a visit and how much they will be expected to pay after the insurance processes the claim.

To conclude, in order to improve their patient collections, medical practices should:

1. Educate and guide patients on their insurance coverage and eligibility.
2. Inform patients of their financial responsibilities at the time of check-in, prior to coming to a visit or when booking the next visit.
3. Make sure that your practice has an up to date practice management system that will allow you to check benefits and track patient balances.


19
Sep
2013

Covered Entities and Business Associates HIPAA Omnibus Rules Requirements

Under the HIPAA / HITECH Omnibus Rules, covered entities need to update their HIPAA compliance programs by September 23rd. One of the major changes under the HIPAA / HITECH Omnibus Rules is related to business associates. Business associates are not considered to be covered entities but have access to patient information. Under HIPAA, business associates can be IT companies, pharmacy benefit managers, insurance brokers, copy machine vendors, shredding companies, etc. Business associates come in contact with protected health information (PHI). Under the HIPAA / HITECH Omnibus Rules, business associates must comply with the HIPAA Security Rule, and many aspects of the HIPAA Privacy Rule. Covered entities must make sure that their business associates comply with all the HIPAA regulations. Just like covered entities, business associates are subject to being audited by the Department of Health and Human Services (HHS).

As part of the HIPAA/HITECH Omnibus Rules, covered entities and business associates must comply with the following or can be found in willful neglect:

1. Develop or Update their Security Policies and Procedures. The HIPAA Security Rule establishes national standards to protect electronic personal health information that is created, received, used, or maintained by a covered entity or a business associate. Conducting a risk assessment is the first thing covered entities and business associates must do in order to update their security policies and procedures. A security breach is the highest risk covered entities and business associates need to think about. A security breach can cost a practice more than $1,000,000.00. Covered entities and business associates can protect themselves from a security breach by following the recommendations of a risk analysis.

2. Develop or Update their Privacy Policies and Procedures. The privacy rule protects all “individually identifiable health information” held or transmitted by a covered entity or a business associate in any form or media, whether electronic, paper, or oral when combined with treatment, payment, or operations information. There are new changes that have been put in place under the new HIPAA / HITECH Omnibus Rules. The privacy rule has put in place a standard to determine whether a security breach has taken place.

3. Update their current business associate agreement. Business associates must put in place a business associate agreement with all their sub-contractors. Covered entities do not need to have an updated business associate agreement until September 22, 2014.

4. Put in place or update the HIPAA Notice of Privacy Practices (NPP). Covered entities and business associates are required to update their NPP with the latest HIPAA / HITECH Omnibus rules changes by September 23, 2013. The updated NPP will provide patients an update on all their rights and all the restrictions under the Omnibus Rules. The NPP must be posted on the covered entity's web site. The NPP must be posted in the office and must be made available to all patients.

5. Conduct HIPAA yearly training. Training of the staff in the office must be conducted on a yearly basis and it must be documented. Covered entities and business associates are not expected to know every single detail of HIPAA regulations, but must have a general knowledge of HIPAA and where to find resources in the case a HIPAA related matter needs to be addressed.


06
Sep
2013

HIPAA Omnibus Rule Notice of Privacy Practices Must be Updated this Month

September 23, 2013 is the date that medical practices and other covered entities must update their Notice of Privacy Practices (NPP) to patients in order to be compliant with the HIPAA Omnibus rule enacted in March 2013. The new NPP should be posted in each office, on the website if one exists, and should be available as a handout for any patient requesting it. The new notice must include:

1. Reasons that Protected Health Information (PHI) can and cannot be disclosed to others.
2. Information for opting-out of communication related to fundraising activities, if the provider does any fundraising.
3. The ability to restrict PHI from payer disclosure when patients pay in cash instead of having the charges filed with insurance.
4. Information about being contacted if there is a breach of PHI due to unsecured records.
5. Expanded rights to electronic copies of medical records (where applicable).


30
Aug
2013

Under HIPAA, Willful Neglect Now Has Minimum Mandatory Fines

Under the final Omnibus Rule that will start being enforced on September 23, 2013, things have changed. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is going to start enforcing the final Omnibus Rules. The fines have increased for those practices that are not following the new regulations. The OCR will determine whether a medical practice is complying with the new HIPAA rules and regulations. The days of informal resolutions are gone. Minimum mandatory fines for “willful neglect” start at $10,000.

What is considered “willful neglect”? Medical practices that do not perform a yearly risk assessment or that do not have an updated policies and procedures manual for the HIPAA privacy and security rules are considered in “willful neglect”. Practices that are not aware of, and have not documented their adherence to, the HIPAA definition of minimum necessary could face penalties of up to $125,000. Medical practices must start paying attention to the ins and outs of HIPAA regulations. Not being up to date with the new regulations can ruin all the hard work that has been invested in building a practice. The government sees HIPAA as a set of rules that medical practices must put in place in order to guarantee their patients access to their medical records and provide good security measures to protect patient information.

At Vitruvian MedPro, working with HITECH associates, our mission is HIPAA compliance simplified, accomplished using our 8 step, full turnkey HIPAA Compliance Kit. Starting with a Security Risk Assessment, the HIPAA Compliance Kit also gives you the tools and documents you need for Business Associates, a set of customizable policies and procedures, staff and HIPAA Compliance Officer Training, a Breach Response Plan, a Contingency Plan that meets the requirements of the HIPAA Privacy Rule, a complete set of HIPAA documents including the required updated Notice of Privacy Practices, and a Risk Management Plan.


29
Aug
2013

SHOULD A MASSACHUSETTS MEDICAL PRACTICE OUTSOURCE ITS BILLING

Many practice managers and medical providers do not like to hear the word “outsource” when it comes to their medical billing. One of the main concerns with outsourcing is about losing control and having to let practice staff go. However, many medical practices find themselves overwhelmed with their day to day operations and experience issues with their billing and patient collections. In cases where a medical practice is not receiving the reimbursements it should be receiving from the insurance companies and is falling behind with its collections, outsourcing its medical billing may be the way to go.

With today’s advances in technology, outsourcing does not mean losing any control over the practice billing. Medical billing companies can offer medical practices real time access to their practice management systems, providing practice managers and medical providers instant access to their data. Medical billing companies can also use the medical practice’s EMR billing module to do the billing for the practice.

At Vitruvian MedPro, a Massachusetts medical billing company and practice management consulting company, we offer a cloud based solution that allows medical practices real time access to their data from any computer with internet access. At the same time, we partner with our clients and maintain constant communication with the daily activities related to medical claim submission and patient collection.

Medical practices that outsource their billing can focus their time on providing top notch patient care and on growing the practice. Also, by outsourcing, practices do not have to worry about costs associated with maintaining a practice management system and dealing with the technology issues associated with running a billing department.

A recent Medical Group Management Association survey showed that medical practices that outsource their billing to medical billing companies typically see improved performance across multiple dimensions. The survey focused on practices that outsource their medical billing functions. The survey reported the following results for practices that switched from doing their medical billing in-house to outsourcing to a medical billing company:

– 73% saw a reduction in their A/R
– 73% realized higher collections
– 59% decreased the volume of lost/denied claims
– 59% enjoyed significantly better reporting and practice performance insights
– 46% achieved higher staff productivity

The breadth of the performance improvements uncovered by the MGMA survey (with three-quarters of all practices seeing sizable performance improvements) adds fact-based credibility to the notion that a well-selected and highly-qualified medical billing company provides substantial performance improvement for medical practices. Our average clients enjoy a 15 to 25 percent increase in collections while noticing that their A/R time drops below 35 days.

A copy of this survey is available from the MGMA’s website at www.mgma.com


24
Aug
2013

At $1.2M, HIPAA photocopy breach proves costly

HITECH notification rule leads to settlement after CBS News story

The U.S. Department of Health and Human Services (HHS) has settled with Affinity Health Plan, a New York-based managed care plan, for HIPAA violations to the tune of $1,215,780 after a photocopier containing patient information was compromised.

Affinity filed a breach report with the HHS Office for Civil Rights on April 15, 2012. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.

Affinity officials were informed by CBS Evening News that, as part of an investigatory report, the television network had purchased a photocopier, previously leased by Affinity, that contained confidential medical information on its hard drive. Affinity estimated that up to 344,579 individuals may have been affected by this breach.

An HHS Office for Civil Rights investigation indicated that Affinity disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.

Moreover, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez.

“HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all PHI.

Covered entities must make sure that they review their business associate agreements and update them to comply with the final Omnibus Rules. HIPAA violations could have been prevented in this case if both sides had been aware of PHI being stored within the photocopy machine. Conducting a risk analysis is a must for all covered entities so that they know what they need to do in order to be fully HIPAA compliant.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we help medical practices perform and document a risk analysis. We provide medical practices with a thorough risk management report describing their risks and vulnerabilities with PHI.
A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

At Vitruvian MedPro we help medical practices improve cash flow by providing medical billing, medical coding, and patient collection services. Visit our web site at Vitruvian MedPro

14
Aug
2013

COVERED ENTITIES MUST UPDATE NOTICE OF PRIVACY PRACTICES BY SEPT 23 2013

The changes to the Omnibus Rules that go into effect on Sept 23 2013 require all medical practices to update their Notice of Privacy Practices (NPP) by Sept 23 2013.

According to our friends at the American Medical Billing Association (AMBA) there are 5 significant changes that need attention:

1) You must update information on your use and disclosure of PHI that requires authorization:

a. Most uses and disclosures of psychotherapy notes
b. Uses and disclosures for marketing purposes
c. Disclosures that constitute a sale of PHI

2) Separate statements for certain uses and disclosures:

a. Intention to send patients treatment communications while receiving remuneration
b. Intention to contact individuals to raise capital or funds
c. Individual’s right to opt out of such communications

3) Enhanced patient rights:

a. Inclusion that you, as a Covered Entity (CE), must agree to a patient’s restriction of release or disclosure of PHI to a health plan where the patient pays out of their own pocket for a service
b. Include statements about a patient’s right to receive electronic medical records (if you are capable of providing such), along with other updated patient rights

4) Include information about how and when you will inform patients in the event of a breach of unsecured PHI

5) Appointment reminders and other alternatives

a. You no longer need to include a statement about notifying patients to remind them of an appointment, treatment alternatives or other services that may be of interest to the patient
