Posts Tagged ‘HIPAA HITECH’

HIPAA Rules and the HITECH Act- Patient Privacy

Tuesday, April 30th, 2013

Compliance officers were awaiting the Office for Civil Rights (OCR) final rules on Breach Notification, Enforcement, and the modifications to the HIPAA Privacy and Security Rules under HITECH. Now that we have the regulations, it is time to review the basics in this ezine and the additional requirements in the next article. HIPAA may be one of the largest potential liabilities for your agency.

Key Definitions

Protected Health Information (PHI)

  • Individually identifiable health information
  • Transmitted or maintained in any form
  • Created or received by a covered entity, business associate, or employer

Covered Entity

  • Health Care Providers
  • Insurers
  • Clearinghouses
  • Covered entities may only use and disclose PHI according to Privacy Rule provisions

Permitted Uses and Disclosures

  • Treatment, payment, and health care operations
  • Disclosures for which the individual has the opportunity to agree or object
  • Limited data set (facially de-identified; requires a data use agreement between the parties)
  • With the individual’s written authorization

The HIPAA Privacy Rule sets the floor for privacy; a stricter state law takes precedence.

Treatment

  • A CE may disclose PHI for treatment activities to another health care provider

Payment

  • A CE may disclose PHI to another CE or health care provider for the payment activities of the recipient

Health Care Operations

  • A CE may disclose PHI to another CE for specific activities such as quality improvement (QI)

Authorization

  • An individual may authorize the release of PHI in writing, with a signature and date

Compliance Officers need to keep HIPAA and compliance in front of personnel. Finding ways to do that can be challenging but well worth the effort. For most organizations, some of their greatest risks are those tied to PHI.

Build security into hardware, software, and processes to the greatest extent possible. Make security provisions operate automatically where possible. When replacing a manual process with technology, validate the new process and confirm that it does not increase risk. Technology adopted for its own sake needs to be monitored as well. Review your processes. Educate personnel to be privacy alert.

Build a meaningful HIPAA and Compliance audit system foundation that has value for the organization. Periodic audits of covered entities and business associates are mandated by the HITECH Act and carried out by OCR; agency audits of organizations began last year. Remember, not having an audit program can be costly: OCR civil monetary penalties can reach $1.5 million per calendar year for violations of an identical provision.

Required elements of a Patient Authorization

When reviewing the patient authorization, be certain it includes:

  • A description of the PHI to be used or disclosed. Be specific
  • The persons authorized to use or disclose the PHI
  • The person or agency to whom the CE may disclose the PHI
  • The purpose of the use or disclosure
  • The patient’s right to revoke the authorization
  • The consequences if the patient refuses to sign (whether treatment or payment is conditioned on the authorization)
  • An expiration date or expiration event for the form
  • Signed and dated by the patient
  • A statement that PHI disclosed under the authorization may be re-disclosed by the recipient and may no longer be protected by HIPAA; a recipient that is a business associate remains subject to the same HIPAA regulations
  • Must be written in clear language

HIPAA continues to pose a growing liability for agencies. Review agency policies, procedures, and processes now. More to follow on that topic.


Tuesday, April 30th, 2013

At a recent HIPAA seminar, the Office for Civil Rights (OCR) stated that it is evaluating HIPAA audit models. The present model requests certain records, reviews them, cites errors and omissions, and calls for corrective action. Privacy and security of Protected Health Information (PHI) are of primary concern, especially in light of social media and the mandated creation of Electronic Medical Records in healthcare.

Presently, organizations are reviewing their privacy and security programs. How compliant are your Compliance and HIPAA programs? Perhaps you should conduct a gap analysis.

Getting started

To conduct a review and analysis of your agency’s compliance program, you must first know whether your program covers the required elements:

  • Complete written policies and procedures
  • Designation of a Corporate Compliance Officer
  • A training and education program regarding confidentiality, commitment to preventing fraud and abuse, and other elements of compliance
  • Communication lines to the Corporate Compliance Officer
  • Identification of compliance risk areas and a plan to mitigate risk
  • Responding to noncompliance issues
  • Policy of non-intimidation and non-retaliation against employees who identify noncompliance
  • Disciplinary policies regarding noncompliant behavior

Consider the re-signing of the organization privacy policies annually by employees. This act can become a reminder of the importance of privacy and confidentiality in the organization. Identify who will conduct regular internal audits. Conduct this present review and analysis as if it were a surveyor visit, only this time, you get to be the surveyor.

Audit the HIPAA Program

As part of the compliance audit process, be certain to evaluate the HIPAA program. Are there plan objectives? Is an audit and monitoring system in place? Who has the responsibility for completion? Identify the audit checklist. Is it inclusive? Is there a documentation process to record findings?

Are there annual goals to improve on privacy and security in the organization? How are audit findings reviewed? How does follow up occur?

The Audit

The following checklist should be considered a guideline (not necessarily all inclusive) and would require agency individual application.

  • Is the Compliance plan, particularly the HIPAA portion, in compliance with the HIPAA Security Rule? Has an assessment been conducted of the environmental and operational impact on PHI?
  • Can the organization identify how it protects access to information? Is there a policy on access to PHI and “need to know”?
  • Can patients obtain their information in a timely manner? Can information be provided in electronic format, as required by HITECH? Has a security risk analysis been conducted?
  • Have security measures been implemented to reduce the risk? What are those measures?
  • Have the Compliance, Privacy, and Security risk analyses available for an OCR audit or questions from an accrediting surveyor.

At the very least, for privacy, look at the following:

  • Can patients/guests view PHI? See computer screens? Is there any place on the premises where PHI is readily available?
  • Is PHI posted on wall boards where those who have “no need to know” have access to the information?
  • Is PHI left on desks? Are computer screens left on when the user steps away?
  • Are recycling bins used? Is there a BAA with that recycling vendor?
  • Are all BAAs in place with all vendors and in compliance with HIPAA HITECH?

Communication:

  • Is PHI faxed? Is there a confidentiality/disclosure statement on each fax coversheet?
  • Does the online system require tiered (role-based) logins?
  • Are screen savers activated after a short period of inactivity?
  • Are emails used with PHI? Are the emails encrypted?
  • Are phone calls used to give and receive PHI? How are the individuals receiving or giving information identified and confirmed?

Responsibility:

  • Can each employee identify when PHI enters their area of responsibility?
  • Who handles PHI? Where is it stored? What is the backup process? What is the length of storage? Is it secure? How do you know it is secure?
  • Have all employees been trained in privacy? Has security training at the specific employee level been conducted? Is compliance training mandatory? Is it conducted annually?
  • Is there a protocol for new employees? Is there a protocol regarding confidentiality upon employee departure?
  • Are BAAs in place holding contractors accountable for PHI protection? Have you seen their policies, procedures, and processes?

Reports:

  • Are reports created that contain confidential information? Are they circulated only to those with a “need to know”?
  • Have the reports been reviewed to reduce the amount of sensitive information, if possible? Could de-identified information be substituted?
  • Is transmission of report information secure?

Security:

  • Is there a written policy to protect PHI? Are there policies on computer screens displaying PHI within public view? Are there policies on passwords?
  • Are there policies on storage of data and how backup tapes and storage devices are accounted for and monitored?
  • Has every workstation been evaluated as to protection of PHI and the visibility and accessibility of information to those who do not have clearance for that station?
  • How are smartphones used? Are they ever used to capture pictures of patient wounds?

Technical Security:

  • Does the technical team periodically verify that the technical security controls are in place and working appropriately? Can the technical team identify whether an unauthorized user has accessed PHI? What safeguards are in place to protect against unauthorized access?
  • Is technology in place to verify the identity of users?
  • Are passwords and IDs routinely changed on a schedule?
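The “need to know” policy question above and the Technical Security question about identifying unauthorized access to PHI both come down to the same control: reviewing the EHR access audit trail (the Security Rule’s audit-controls and information-system-activity-review standards) against the treatment and payment relationships that justify access. The following is an added example, not code from the original article: a Python review of a constructed, hypothetical audit log that flags chart accesses by users with no relationship to the patient, separates out break-the-glass accesses for documented review, and flags one user opening many different charts in a short window, a common snooping or exfiltration pattern. The log format, the CARE_TEAM table, and the thresholds are assumptions for illustration; a real EHR export will differ.

```python
"""Review an EHR access audit log for PHI accesses that lack a need to know.

Hypothetical log format (constructed for this example; real EHR audit
exports differ): timestamp,user,role,patient_id,action,break_glass
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,break_glass
2013-04-29T08:02:11,rn_alvarez,nurse,P1001,view,0
2013-04-29T08:05:40,dr_chen,physician,P1001,update,0
2013-04-29T08:07:02,rn_alvarez,nurse,P1002,view,0
2013-04-29T09:15:33,billing_kim,billing,P1001,view,0
2013-04-29T09:40:00,dr_chen,physician,P2007,view,1
2013-04-29T10:01:00,clerk_ortiz,clerk,P1001,view,0
2013-04-29T10:01:30,clerk_ortiz,clerk,P1002,view,0
2013-04-29T10:02:00,clerk_ortiz,clerk,P1003,view,0
2013-04-29T10:02:20,clerk_ortiz,clerk,P1004,view,0
2013-04-29T10:02:45,clerk_ortiz,clerk,P1005,view,0
2013-04-29T10:03:10,clerk_ortiz,clerk,P1006,view,0
"""

# Constructed treatment/payment relationships: patient -> users with a
# need to know. In practice this comes from scheduling, orders, or claims.
CARE_TEAM = {
    "P1001": {"rn_alvarez", "dr_chen", "billing_kim"},
    "P1002": {"rn_alvarez"},
    "P2007": {"dr_patel"},
}

# Hypothetical thresholds for the bulk-access rule.
BULK_WINDOW = timedelta(minutes=5)
BULK_THRESHOLD = 5  # distinct patients opened within BULK_WINDOW


def parse_log(text):
    """Parse the CSV audit log into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "user": r["user"],
            "role": r["role"],
            "patient": r["patient_id"],
            "action": r["action"],
            "break_glass": r["break_glass"] == "1",
        })
    return rows


def find_no_need_to_know(rows):
    """Flag accesses by users outside the patient's care team.

    Break-the-glass accesses are not errors by themselves, but each one
    must be reviewed against its documented justification, so they are
    reported under a separate reason.
    """
    findings = []
    for r in rows:
        if r["user"] in CARE_TEAM.get(r["patient"], set()):
            continue
        reason = "break_glass_review" if r["break_glass"] else "no_relationship"
        findings.append((reason, r["user"], r["patient"], r["ts"].isoformat()))
    return findings


def find_bulk_access(rows):
    """Flag a user who opens BULK_THRESHOLD or more distinct charts within
    BULK_WINDOW, using a sliding window over that user's events."""
    per_user = defaultdict(list)
    for r in sorted(rows, key=lambda x: x["ts"]):
        per_user[r["user"]].append(r)
    findings = []
    for user, events in per_user.items():
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > BULK_WINDOW:
                start += 1
            distinct = {e["patient"] for e in events[start:end + 1]}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, len(distinct),
                                 events[start]["ts"].isoformat()))
                break  # one finding per user is enough to trigger review
    return findings


def review(text):
    """Run both rules over a log and return the combined findings."""
    rows = parse_log(text)
    return find_no_need_to_know(rows) + find_bulk_access(rows)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

In this constructed log the clerk’s six rapid chart views are reported twice, once per chart as “no_relationship” and once as a single “bulk_access” finding, while the physician’s break-the-glass view of P2007 is queued for justification review rather than treated as a violation. Each finding is the kind of record the checklist asks for: who, which patient, when, and why it was flagged, ready to be logged with the corrective action taken.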

OCR Investigations and Review:

If you have a breach that triggers an investigation by OCR, be certain to respond promptly as to what happened, how it happened, what was done to mitigate the outcome, and what has been implemented to prevent a future occurrence. Be certain to identify the fact that you have a full Compliance Program in place. Identify that all employees receive routine education regarding Compliance and HIPAA.

If documents are requested, your counsel may request confidentiality for the documents being sent to OCR. Create and maintain a log of events, complete with dates, times, and people involved, throughout the entire investigation process. Save all electronic documents. Keep statements by all employees involved in the incident and the investigation. Obtain counsel’s advice before phone conversations with OCR, as written correspondence maintains an investigation trail.

Focus on internal compliance. If there is a HIPAA breach, there must be remediation/education regarding the process and the prevention of a reoccurrence.


  • Keep your plan objectives current.
  • Identify who is responsible for the audits and establish times and how findings will be transmitted.
  • Have corrective action plans in place.
  • Include documentation of audits, results, and remediation/corrective action/education
  • Report findings to the Board of Directors (BOD), leadership, and counsel.
  • If there is an OCR audit/investigation have a team established to quickly respond, pull data, analyze, and report.
  • Have an ongoing risk analysis performed as specified by policy. Be certain the risk analysis encompasses the technical requirements of the Security Rule.
  • Be certain the Risk Analysis is well documented. Be certain the plan for mitigation of any adverse findings is in place.

Like the clinical documentation rule, “if it wasn’t documented you did not do it,” so it is true here also. Document each step of the plan. If ever there is an audit, the fact a full compliance plan is in place in your agency including a HIPAA Privacy and Security review, can speak volumes about you and your organization.