
HIPAA Rules and the HITECH Act – an Update

Compliance officers are awaiting the Office of Civil Rights (OCR) final rules on Breach Notification, Enforcement, and the modification to Privacy and Security Rules of HIPAA HITECH. The OCR states they expect to release all of the final rules at the same time in 2011 instead of staggering the dates. Know that the deadline for the final rule for HIPAA HITECH is March, so expect a flurry of activity soon. We will be preparing a summary when the final rule is released.

Also, expect the proposed rule on accounting of disclosures of electronic health records (EHR) sometime during 2011. OCR is expected to expand the HIPAA accounting provisions to include treatment, payment, and disclosures when they occur via EHR.

The OCR will be releasing a detailed audit plan for 2011. Compliance officers can prepare for the audit plan by looking at who handles PHI and how that PHI is handled within the organization. Tracking information from its point of entry into the organization's system, and monitoring the points where technology and human touch intersect, may show weaknesses within the system. Look at personnel, equipment, and processes. An agency's greatest risk is human, so watch processes. Could any of those processes be moved from manual to technological processes to reduce risk?

Compliance officers need to keep compliance in front of personnel. Finding fun ways to do that can be challenging but well worth the effort. For most organizations, some of their greatest risks are those tied to PHI.

Build security into hardware and software to the greatest extent possible. Make security provisions operate automatically where possible. Can employees access the internet? Can they download programs from the net? Can they access your agency information system using their personal laptops? When replacing manual processes with technology, validate the process and confirm that it does not increase risk. Technology for the sake of technology needs to be monitored also.

Build a meaningful audit system foundation that has value for the organization. It is mandated by the OCR. When audits of organizations will begin has not been announced. But remember, not having an audit program can be costly, as the OCR states the fine is up to $1.5 million.

Recently, our firm received a call from a home health agency that knew of an agency using smartphones to take photos of wounds to be sent to the home health office. We had a rigorous discussion regarding the agency's policies and procedures for protection of PHI; security of the iPhone and photos of a patient's wound; retention of the photos on the phone; and what happens if the employee leaves the firm. Who owns the phone and the pictures? And ask yourself: what would the patient think of all of this?

It is expected that smartphones will be utilized in the future for transmission of PHI, but how and what is transmitted needs to be addressed first. These new models of sharing PHI can be exciting to some and downright scary to others (others being compliance officers).
