COMMUNICATIONS
By: Charlie Colitre, President, Healthcare Compliance Consultants
Changes to HIPAA
New Requirements as a Result of the Stimulus Act
The American Recovery and Reinvestment Act of 2009 (the Stimulus Act) contains a series of new laws that dramatically expand the privacy and security provisions of HIPAA. Known as the HITECH Act (Health Information Technology for Economic and Clinical Health Act), it contains significant changes and additional requirements to HIPAA which all practices will need to incorporate into their written HIPAA privacy and security policies.
One of these changes involves notification requirements for breaches of unsecured protected health information (PHI). Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the (HHS) Secretary.” In layman’s terms, for the most part this means PHI that is not encrypted in an approved manner. The HHS guidance recognizes two methods, encryption (consistent with NIST standards) and destruction, and encryption only counts if the decryption key was not also compromised. A lost laptop with an encrypted hard drive, therefore, is not a reportable breach; a lost laptop with the drive password stuck to it is.
Risk Assessment Required
Under the new Breach Notification Rules a breach is reportable when it “poses a significant risk of financial, reputational or other harm to the individual.” To make that determination a Covered Entity must conduct a risk assessment, in good faith and documented in writing, to decide whether it is necessary to notify the individual of the breach. Factors to be considered in the risk assessment include the following:
- Nature of the Data Elements Breached. As an example, a person’s name in one context might be more sensitive than in another: a name alone on a general appointment list reveals little, but the same name on a list of patients treated for a particular condition reveals a diagnosis.
- Likelihood the Information is Accessible and Usable.
- Likelihood the Breach May Lead to Harm.
- Ability of the Covered Entity to Mitigate the Risk of Harm.
Notice Requirements
Notice must be made to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” The notice must be in writing and sent by first class mail (or by e-mail if the individual has agreed to electronic notice). If there is a possibility of imminent misuse of the information, the Covered Entity may also notify the individual by telephone, but the telephone call is in addition to, not a substitute for, the written notice. The notice must include:
- A brief description of what occurred concerning the breach including the date of the breach and the date it was discovered;
- A description of the types of unsecured PHI that were disclosed in the breach;
- A description of the steps the affected individual should take to protect himself or herself from potential harm caused by the breach;
- A description of what the Covered Entity is doing to investigate and mitigate the breach and prevent further breaches; and
- Instructions for the individual on how to contact the Covered Entity for questions or further information.
If the breach of unsecured PHI involves more than 500 residents of a state or jurisdiction, the Covered Entity must also notify prominent media outlets serving that state or jurisdiction and must notify the (HHS) Secretary at the same time the individual notices go out, in no case later than 60 days after discovery of the breach. In the current climate of concern over loss of PHI, the sooner the media and Secretary are notified the better.
In cases of breaches affecting fewer than 500 persons, the Covered Entity must maintain a log of the breaches and submit it to the Secretary within 60 days after the end of the calendar year in which the breaches were discovered.
Enforcement and Penalties
The HITECH Act also increased penalties for HIPAA violations. Fines are now tiered by the level of culpability, ranging from $100 to $50,000 per violation, with an annual cap for identical violations in one calendar year that ranges from $25,000 (for violations the entity did not know about and could not reasonably have known about) up to $1.5 million (for willful neglect that is not corrected).
With the recent transfer of HIPAA Security Rule enforcement responsibilities from CMS to the HHS Office for Civil Rights (OCR), both HIPAA Privacy and Security enforcement are now under one roof. OCR has already stepped up enforcement from complaint-driven to proactive. One provider has indicated that despite several attempts by its healthcare lawyers to respond to OCR’s inquiries concerning an alleged HIPAA infraction, OCR has insisted on an onsite visit during business hours to interview every doctor and staff member.
Both the HIPAA Privacy and Security Rules require Covered Entities to have written policies and procedures in place, and the Security Rule additionally requires a documented risk analysis. How well would your practice fare with a visit from OCR?
This article does not discuss all of the ramifications included in the Breach Notification Rules nor is it intended to render legal advice of any kind. Practices with specific questions should contact the writer or their healthcare attorney. Future articles will explore other aspects of the HITECH Act.
Charles E. Colitre, President, Healthcare Compliance Consultants, PO Box 19164, Akron, OH, 44319. 330.753.6131 complianceconsultants.biz