23 Jul 2013

HIPAA Omnibus Rules and Business Associates

Covered entities (healthcare providers) have until Sept. 23, 2013 to implement all the policies and procedures under the Omnibus rules. These policies and procedures are required in order to comply with all the changes that have been made to the Health Insurance Portability and Accountability Act (HIPAA).

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) released the final Omnibus Rule in January 2013 and will start enforcing it on Sept. 23, 2013. HHS has made it clear that penalties can range from $100 to $1,500,000, depending on the type of violation the covered entity has committed.

One of the most important changes in the final Omnibus Rule concerns the working relationship between a covered entity and its business associates. Business associates are the vendors that have access to a covered entity’s Protected Health Information (PHI). Under the new rules, business associates are responsible for securing PHI just as covered entities are. In other words, business associates must be HIPAA compliant and can face the same penalties that covered entities face: with the Omnibus Rule, every vendor that has access to PHI must comply with the HIPAA regulations.

Even though a covered entity’s business associates are required to be HIPAA compliant, if a breach occurs on the part of a business associate, the covered entity remains responsible for notifying its patients and for reporting the breach to HHS.

Covered entities must review all of their business associate contracts to make sure they are updated to meet the Omnibus requirements. Business associates such as health information technology companies and consultants have often put in place business associate agreements that do not make them responsible for the loss of patient data. With the final Omnibus Rule, business associates need to sign agreements that abide by the rule. Medical practices must make sure that all of their business associate agreements are updated and signed.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services, including updated business associate agreements. We also help medical practices review their current HIPAA Compliance Program. Reach out to us: a free consultation of 30 minutes or less will let you know whether your practice would be found in willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance Kit, visit the HIPAA Compliance Kit page.

12 Jul 2013

Omnibus Rules Patient Rights

The final HIPAA Omnibus Rule, which will start being enforced on Sept. 23, 2013, has requirements that medical practices need to put in effect in order to safeguard Protected Health Information (PHI). The final rule includes new regulations relating to patient rights that practices need to abide by.

To comply with the patient-rights provisions of the Omnibus Rule, covered entities must:

1. Allow patients to forbid disclosure of information about a test or treatment for which the patient has paid out of pocket. This requires practices to be able to identify and separate information a patient does not want disclosed, so that it is not accidentally sent to an insurance provider.

2. Permit patients to request their health information in electronic form. The new regulations require practices to comply with the request within 30 days, with one 30-day extension permitted.

3. Update their notice of privacy practices to include all patients’ rights, and send the updated notice to all patients. Medical practices are also required to post the updated notice of privacy practices in the office and on their web sites.

Medical practices that do not comply with the new regulations can be found in willful neglect if they are reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).


For more information on the updates made under the Omnibus Rule, visit the HHS site.

This post used as a reference an article published by Medical Economics, “A quick guide to HIPAA compliance for physicians,” published on July 10, 2013.

11 Jul 2013

The final Omnibus Rule takes effect on Sept. 23, 2013, an important date for medical practices, as this is the day when the government will start enforcing the Omnibus Rule changes made to the Health Insurance Portability and Accountability Act (HIPAA). The changes made as part of the Omnibus Rule relate to how medical practices secure Protected Health Information (PHI), whether medical practices have updated their Business Associate (BA) agreements, and what medical practices need to communicate to their patients about their privacy rights.

The changes under the final Omnibus Rule went into effect in March 2013; however, covered entities were given 6 months to review their HIPAA plans and comply. The Department of Health and Human Services (HHS) updated the HIPAA regulations under the final Omnibus Rule to account for the wider use of electronic health records by medical providers.

In order to comply with the new regulations, medical practices are required to:

1. Perform a risk analysis to identify vulnerabilities affecting PHI. Medical practices are expected to document that they have completed a risk analysis. A practice that completes a risk analysis will have a risk management report that lists the vulnerabilities of its electronic PHI.

2. Encrypt devices that store PHI, so that the information cannot be read if a device is lost or stolen.

3. Develop and review the policies and procedures the medical practice will follow if PHI is breached (lost, stolen or inappropriately disclosed).

4. Review the BA agreements with their current vendors. Updated BA agreements are required for all vendors that have access to PHI. Medical practices need to ensure that their BAs have put in place all the required safeguards to secure PHI.

A breach of PHI brings hefty fines to medical practices that are found in willful neglect. The fines range from $100 to $50,000, and can go higher depending on the size of the medical practice and the type of breach.


This post used as a reference an article published by Medical Economics, “A quick guide to HIPAA compliance for physicians,” published on July 10, 2013.

10 Jul 2013

According to the Department of Health and Human Services (HHS), “a major goal of the HIPAA Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing”.

The Privacy Rule prohibits a medical practice from using or disclosing “protected health information,” or PHI, unless the use or disclosure is required or permitted. For purposes of determining compliance with the Privacy Rule, the only two required disclosures of PHI are disclosures to the patient and disclosures to HHS or one of its agencies.

The principal permitted uses and disclosures are those for treatment, payment and health care operations (TPO), and those made pursuant to a HIPAA-compliant patient authorization. TPO encompasses: uses and disclosures of PHI to treat patients, including disclosures to other health care providers for their own treatment purposes; uses and disclosures necessary to obtain payment for services provided to patients; and uses and disclosures necessary for the operations of the practice, including quality management, peer review, compliance, business management and obtaining legal advice.

The final category of permitted uses and disclosures is those made pursuant to a HIPAA-compliant authorization. The authorization must identify the person to whom the disclosure will be made, state the reason for the disclosure, and specify the date on which the authorization terminates. The form must also notify the patient of the right to revoke the authorization.

With several exceptions, uses and disclosures of PHI are subject to the “minimum necessary rule,” which limits the use, disclosure or receipt of PHI to the amount of information reasonably necessary to accomplish the purpose of the use, disclosure or receipt. The most notable exceptions to the minimum necessary rule permit complete use and disclosure of PHI for treatment purposes, and permit full disclosure of PHI at the request of the patient or his or her representative.

For more information on the HIPAA Privacy Rule, visit the HIPAA Privacy Rule page on the HHS site.

01 Jul 2013

12 Common HIPAA Violations

1. Lack of yearly training of all employees.

2. Lack of an enforced Sanctions Policy.

3. Your Notice of Privacy Practices does not contain all of the required disclosures.

4. You do not have a procedure, documentation or process for a patient filing a privacy complaint with the office.

5. Staff did not apply “Minimum Necessary” standards.

6. Practice does not follow the uses and disclosures as listed in your Notice of Privacy Practices.

7. Practice has not been updated to meet HITECH Act requirements.

8. Not all staff members are assigned a unique identifier for system access, or the HIPAA Compliance Officer does not review audit logs or network access reports.

9. Practice does not have in place policies and procedures to ensure an accurate and complete Accounting of Disclosures, and a sample of your report to patients.

10. There is no documented Confidential Communications process in place.

11. The office does not have a documented list of all users (employees) with their job description and level of access.

12. HIPAA required documentation is not kept for a period of 6 years. (Not to be confused with medical records retention.)

Be assured that the Office for Civil Rights and state attorneys general take each and every violation of HIPAA very seriously. Federal law requires every complaint to HHS to be investigated, so any complaint by a patient will get your practice’s HIPAA compliance reviewed. If you are found to be in “Willful Neglect,” you will have to pay hefty fines that start at $50,000 and can go as high as $250,000. What you may consider a small violation can cost you big, both in money and in time: investigations commonly take as long as 2 years to resolve.

Schedule a “Quick Compliance Review” and in 15 minutes or less we can assess your compliance status. If you know you are not in compliance, we can outline your plan to get compliant. Fifteen minutes with us, or 2 years with an Office for Civil Rights attorney or investigator.

Visit our HIPAA Compliance page for more information at http://www.vitruvianmedpro.com/services/hipaa-compliance-kit/

27 Jun 2013

Covered entities are the health care providers, health plans and health care clearinghouses that must comply with the HIPAA rules. Under the HIPAA Rules, health care providers, health plans and health care clearinghouses that electronically transmit health information in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard are covered entities. The HIPAA Privacy Rule applies only to covered entities. HHS states that organizations, agencies and individuals that are HIPAA covered entities are responsible for complying with all the rules and requirements that protect the privacy and security of health information. Covered entities must also give the individuals they serve certain rights with respect to their health information.

Health care providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies are covered entities. Health plans such as health insurance companies, HMOs, company health plans, and government programs that pay for health care (e.g. Medicare, Medicaid, and the military and veterans health programs) are covered entities. Health care clearinghouses, that is, entities that process nonstandard health information received from another entity into a standard format (or vice versa), are also covered entities.

Under HIPAA, covered entities must comply with the Privacy Rule, the Transaction and Code Set Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.

Vitruvian MedPro’s HIPAA Compliance Kit provides covered entities with an up-to-date HIPAA compliance plan that covers all the requirements put in place by the final Omnibus Rule.

For more information on covered entities, visit the Covered Entities page on the HHS site.

26 Jun 2013

The Department of Health and Human Services (HHS) defines a business associate as a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of a covered entity. A business associate is not an employee of the covered entity, but someone who provides services to it. A covered health care provider, health plan or health care clearinghouse can itself be a business associate of another covered entity. HHS names functions or activities such as payment or health care operations as those that may make a person or entity a business associate.

Business associate activities include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management and repricing. Business associate services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and financial services.

Most health care providers and health plans do not carry out all of their health care activities and functions themselves, and need to outsource some of them to other persons or entities, known as business associates. The HIPAA Privacy Rule applies only to covered entities, and it allows health care providers and health plans to disclose PHI to business associates as long as the provider or plan obtains proper assurances that the business associate will use the PHI only for the purpose for which the covered entity engaged it. Business associates are responsible for safeguarding PHI from misuse and help the covered entities they work with meet some of the covered entity’s responsibilities under the Privacy Rule. A covered entity may disclose PHI to a business associate only to help the covered entity carry out its health care functions.

As part of the final Omnibus Rule, the Privacy Rule requires a covered entity to obtain satisfactory assurances from its business associates that they will appropriately safeguard the PHI they receive or create on behalf of the covered entity. The covered entity must perform its due diligence and make sure that its business associates are HIPAA compliant. According to HHS, satisfactory assurances must be made in writing between the covered entity and the business associate.

Vitruvian MedPro’s HIPAA Compliance Kit provides covered entities with up-to-date business associate agreements that cover all the requirements put in place by the final Omnibus Rule.

For more information on business associates, visit the Business Associate Definition page on the HHS site.