<img style="float: right; margin-left: 3px;" src="https://opedge.com/Content/OldArticles/images/2010-09_06/09-06_01.jpg" alt="" />
Implementing policies and procedures to meet compliance requirements is not a new practice for healthcare providers. Since the introduction of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), providers, health plans, and clearinghouses have had to make significant changes to their business practices to meet these demanding compliance requirements. HIPAA requires covered entities to be compliant with each component as follows:
<ul>
<li>Standard electronic transactions: Compliance required as of October 16, 2002.</li>
<li>Privacy: Compliance required as of April 14, 2003.</li>
<li>First of four unique identifiers (standard unique employer identifier): Compliance required as of July 30, 2004.</li>
<li>Security: Compliance required as of April 21, 2005.</li>
<li>Second of four unique identifiers, the National Provider Identifier (NPI): Healthcare providers were required to register and receive their NPI for identification purposes within the standard electronic transaction by May 23, 2007.</li>
</ul>
Providers should be well aware of HIPAA requirements and be in full compliance.
However, when my company does compliance reviews for practices, we often find that providers have done one or more of three things:
<ol>
<li>Issued a "Notice of Privacy Practices" to their patients that was not originally created by their organization and may not reflect their uses and disclosures appropriately.</li>
<li>Created an "Authorization for the Release of Protected Health Information."</li>
<li>Incorporated a "hear nothing, seek nothing, speak nothing practice" within their facility to avoid disclosing information incorrectly, inadvertently, or against the uses and disclosures permitted under the HIPAA rule.</li>
</ol>
What we don't see is a true compliance plan, a previous compliance audit, or the necessary compliance documentation to prevent penalties for <i>willful neglect</i>. Under HIPAA §160.401, <i>willful neglect</i> means "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." There are steps you can take to avoid these penalties. Compare your organization's compliance readiness against our Privacy and Security checklist to see if you have completed the appropriate steps.
<h4>Privacy</h4>
Organizations should understand how protected health information (PHI) is used and disclosed throughout the entire facility, whether the information is in paper or electronic (e-PHI) form. This means documenting from whom they receive the PHI and how the information is received, modified, stored, accessed, transmitted, and destroyed. The organization should also understand where PHI goes within the organization as well as to whom it is transmitted or disclosed. Once you understand the PHI trail, there are many steps you can take to achieve optimum compliance.
What follows are some key steps that every healthcare organization should take to ensure they are operating within the compliance rules:
<ul>
<li>Document everyday activities as well as the job functions of every employee of the facility; these must match the facility's documented policies and procedures.</li>
<li>Create and distribute a "Notice of Privacy Practices" to every patient. The intent of this notice is to inform your patients about how you use and disclose PHI as well as their rights as they pertain to their own PHI. If you used a template to complete this notice, you should make sure it reflects how your organization actually uses and discloses information. The specific notice requirements under HIPAA §164.520 must be included.</li>
<li>Create and implement an "accounting of disclosures" practice. This includes maintaining a log sheet for disclosures that individuals made but did not authorize. The regulations for the accounting of disclosures will be changing as part of the modifications to privacy under the Health Information Technology for Economic and Clinical Health (HITECH) Act.</li>
<li>Create forms that will allow individuals to log complaints regarding privacy-related issues. Follow the procedure now required under the HITECH provisions of the American Recovery and Reinvestment Act for reporting privacy breaches to the Office of Civil Rights.</li>
<li>Execute business-associate agreements with all individuals or organizations that perform covered functions or activities for you or on your behalf, to obtain satisfactory assurances that they follow the same compliance standards as your organization when they conduct business for you or on your behalf.</li>
</ul>
Every healthcare organization should also be aware of the following key changes to how privacy must be treated under the American Recovery and Reinvestment Act of 2009.
<ul>
<li>Business associates and covered entities are responsible for executing the business-associate agreements.</li>
<li>Notification requirements regarding breaches of unsecured PHI have been increased. These requirements apply to notifications of the individual, the media, and the Secretary and/or Office of Civil Rights. The extent of these notifications depends on the type of breach and how many individuals were affected. Currently, this is an interim final rule.</li>
<li>Regional office privacy advisors have been established to educate providers about initiatives related to the use of health information.</li>
<li>Privacy provisions and penalties now also apply to business associates of covered entities. The original rule did not apply penalties to business associates.</li>
<li>Restrictions on certain disclosures and the sale of health information, accounting of certain PHI disclosures, and access to certain information in electronic format will be established. Further guidance is expected in the fall of 2010.</li>
<li>Rules for using PHI for the purposes of marketing and fundraising have been proposed in the Notice of Proposed Rulemaking (NPRM) modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act, published July 14, 2010. A 60-day comment period will be allowed.</li>
<li>Penalties will be increased for wrongful disclosures, intentional or unintentional, that are due to willful neglect.</li>
</ul>
<h4>Security</h4>
Most organizations use computers daily to create, access, store, or transmit e-PHI. Healthcare organizations are responsible for protecting the confidentiality, integrity, and availability of this data. Security comprises five elements:
<ol>
<li><b>Administrative safeguards:</b> This requires organizations to conduct a risk assessment to determine what risks, threats, or vulnerabilities there may be to the confidentiality, integrity, or availability of the e-PHI. A security official should be appointed as well.</li>
<li><b>Physical safeguards:</b> This requires organizations to evaluate their facility for areas that may be vulnerable to the theft, damage, or exposure of e-PHI. This includes the physical security of the building: doors, locks, offices, e-PHI storage areas, and physical workstations.</li>
<li><b>Technical safeguards:</b> This requires organizations to secure electronic data through encryption or another means to ensure the information cannot be read, accessed, or corrupted by an unauthorized individual.</li>
<li><b>Organizational requirements:</b> Standard security language should be incorporated into all business-associate agreements.</li>
<li><b>Policies, procedures, and documentation requirements:</b> The processes that your organization follows to access, create, modify, transmit, store, and destroy e-PHI, and the policies and procedures that govern these processes, should be documented, and that documentation should be reviewed annually. Compliance-review documentation also must be created and reviewed annually. This documentation describes the standard, the implementation specification, how your organization complies with this standard, the risk, threat, or vulnerability the organization may face for lack of compliance with the standard, and the implementation plan for achieving compliance.</li>
</ol>
The American Recovery and Reinvestment Act also made the following changes to the HIPAA security rule:
<ul>
<li>Compliance requirements for business associates have been extended to include the HIPAA security sections on administrative, physical, and technical safeguards, as well as policy, procedure, and documentation requirements.</li>
<li>The technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals for purposes of the breach notification requirements under section 13402 of Title XIII (HITECH) of the American Recovery and Reinvestment Act have been specified. This guidance includes the mechanisms that would be required in order for e-PHI to be considered secured. Without these mechanisms in place, all electronic data would be considered unsecured and all breach notification requirements would apply.</li>
</ul>
All practices are required to complete the following items for security compliance:
<ul>
<li>Conduct a technical and non-technical risk assessment. This process requires the organization to review the policies, procedures, practices, and technical mechanisms that are in place to protect the confidentiality, integrity, and availability of e-PHI. The technical assessment should include an in-depth review of your computer systems, hardware, and software, as well as protective measures such as firewalls, encryption, decryption, and other security mechanisms that may be in place.</li>
<li>Analyze the access that has been granted to individuals: how access is determined for each role; what access is granted to the systems, facilities, and workstations; how access is monitored; and who can modify or terminate the access as required.</li>
<li>Conduct security awareness training to educate all employees about security reminders, protection from malicious software, log-in monitoring, and password management.</li>
<li>Put in place a confidentiality agreement with all employees who have access to PHI or e-PHI to ensure that they understand the ramifications of improper or unauthorized access, use, or disclosure of PHI or e-PHI.</li>
<li>Create an evaluation and management plan to manage the risks and compliance findings throughout the process.</li>
<li>Create a disaster-recovery and continuity plan to ensure critical data and systems required to operate the business can be retrieved and activated in the event of an emergency or system loss.</li>
</ul>
If your organization has not completed these tasks, I highly recommend that you conduct the required assessments to avoid penalties upon an audit or review by the Office of Civil Rights. The enforcement rule requires the government to begin randomly selecting and auditing organizations for compliance. According to the Secretary of Health and Human Services, penalties for non-compliance or willful neglect will no longer be waived. More legislation is on the way. The NPRM for the Modifications to Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act will be published in the <i>Federal Register</i> soon. Prepare your organization for the changes yet to come this year by making compliance a priority.
The lack of compliance could mean significant penalties to your practice.
<i>Christine Duprey is the co-founder of CARIS Innovation, Abrams, Wisconsin. She can be reached at 920.826.5300 or at chris@carisinnovation.com.</i>