Wolfson Consulting, Inc. - Medical Practice Management Consulting

NEWS & INFORMATION

  • Health Data Breach Rules Become Effective

Health Data Management Online; September 23, 2009

New rules governing consumer notification when the security of their health information is breached go into effect this week. But federal agencies won't enforce the rules for several more months. Both rules were mandated under the American Recovery and Reinvestment Act.

A final rule from the Federal Trade Commission, published Aug. 25 and effective Sept. 24, requires vendors of personal health records--and entities that offer third-party PHRs--to notify consumers of data breaches. In the rule, the FTC noted the quick deadlines that were statutorily mandated and imposed a grace period on enforcement.

"Therefore, the Commission will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," according to the rule. "During this initial time period--after this rule has taken effect but before an entity is subject to an enforcement action--the Commission expects regulated entities to come into full compliance with the final rule."

A separate rule for HIPAA-covered entities, the HHS interim final rule, was published on Aug. 24 with a Sept. 23 effective date. The rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals in instances of a data breach. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

The HHS rule also includes updated guidance on how to determine when information is "unsecured" and notification is required. If breached data is unusable, unreadable or indecipherable to unauthorized individuals because of certain encryption or destruction measures taken, notification of the breach is not required.

Because of industry concerns with the quick deadlines and ambiguities in the law, HHS in the rule granted an enforcement grace period. "We will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or Feb. 22, 2010," the HHS interim final rule states. "During this initial time period--after this rule has taken effect but before we are imposing sanctions--we expect covered entities to comply with this subpart and will work with covered entities, through technical assistance and voluntary corrective action, to achieve compliance."

--Joseph Goedert


  • Baucus Wants Tighter HIPAA Standards

HDM Breaking News, September 21, 2009

The health care reform plan issued by Senate Finance Committee chair Sen. Max Baucus (D-Mont.) calls for mandated adoption of "operating rules" that would significantly tighten the standards of HIPAA administrative/financial transactions. It also would increase the number of transaction sets.

The "operating rules" referenced in the plan are those developed under the voluntary CORE initiative under way for several years. CORE is the Committee on Operating Rules for Information Exchange within CAQH, a Washington-based payer advocacy group. The initiative seeks to build industry consensus on tightening of the HIPAA standards to facilitate health care financial/administrative transactions and offer more information to providers.

CORE started with Phase I of an electronic eligibility/benefit determination transaction. The recently completed Phase II of CORE further tightened the eligibility/benefit determination transaction and included claims status. Participants now are developing prior authorization and remittance transactions in Phase III. A small number of insurers are CORE-certified. Providers will receive the full benefits of CORE transactions when their billing system and claims clearinghouse are CORE-certified. America's Health Insurance Plans, a national trade association for health plans, earlier this year called for mandated use of the CORE transactions.

Baucus' plan is called a "Chairman's Mark," which is a detailed explanation of provisions that will be the basis of negotiations in the Senate. It is not yet formal legislation written in legislative language, but a 223-page plain-English document. The document details the history of the HIPAA transactions and their limitations, then states:

"The Chairman's Mark would establish a timeline for accelerating the development, adoption and implementation of a set of operating rules for each HIPAA transaction for which there is an existing standard. The operating rules would be consensus-based, and reflect the business rules around which health plans and providers would uniformly use the HIPAA standards. The Mark would add the electronic funds transfer (EFT) of health claims payments as a HIPAA transaction and provide for the adoption and enforcement of a standard for EFT."

Under the Baucus plan, health plans would be fined annually for not complying with new "HIPAA operating rules" by April 1, 2014. "For each day that a plan is non-certified or non-compliant, the Secretary of HHS would assess a fee of $1 per covered life until certification is complete," according to the Chairman's Mark. "The fee would not exceed a maximum of $20 per covered life. The penalty would be assessed per person covered by the plan for which its data systems for major medical policies are not in compliance."

Full text of the Chairman's Mark is available at the top of the home page at congress.gov.

--Joseph Goedert


  • "Providence Health" Agrees on Corrective Action Plan for Potential HIPAA Violations

The U.S. Department of Health & Human Services (HHS) has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

The Privacy and Security Rules are enforced by HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS). The Privacy and Security Rules require health plans, health care clearinghouses and most health care providers (covered entities) to safeguard the privacy of certain individually identifiable health information and meet additional security standards for patient information maintained in electronic form. The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

The Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/enforcement/.

The Centers for Medicare & Medicaid Services (CMS) recently published guidelines to help smaller physician practices meet the security requirements of HIPAA. The guidelines addressed several topics, including:

• Administrative safeguards (e.g., workforce security, staff training, contingency planning);
• Physical safeguards (e.g., facility access controls, workstation use); and
• Technical safeguards (e.g., access controls, user authentication, data transmission security).

The guidelines can be reviewed on the CMS website.
 
Links to some of the educational materials:
  1. Implementation of Security Standards for Small Group Practices: http://www.cms.hhs.gov/EducationMaterials/Downloads/SmallProvider4final.pdf
  2. Devices Providing Remote Access to Protected Health Information (e.g., laptop computers, BlackBerrys and PDAs): http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf

EHR NEWS

  • Survey: Physician Acceptance of EHRs Grows

Half of family physicians responding to a recent survey reported their practice uses or is implementing an electronic health records system, according to the American Academy of Family Physicians.

That compares with 30% of respondents to AAFP’s 2005 survey, and 10% in the inaugural 2003 survey. The Leawood, Kan.-based association conducted its 2007 survey in April, sending mail to about 4,000 active members and receiving 459 responses.

In 2007, 37% of respondents reported using an EHR with another 13% in the implementation process. Physicians most likely to have a fully implemented EHR are those who have practiced in an urban area for seven or fewer years, do not own their practice and work with at least two other physicians. Other survey results include:

  • 25% of respondents have no plans to implement an EHR;
  • 53% of respondents without electronic records cited cost as the reason, while 42% were concerned with decreased productivity;
  • 60% of respondents implementing or planning to buy an EHR would use an e-mail or secure messaging feature within the application, and 49% would be interested in using the EHR for practice-based research;
  • Virtually all respondents implementing or planning to buy an EHR want to use it to manage patient medication and problem lists, display patient summaries and trigger alerts for preventive services.
References:

  1. Health Data Management, July 17, 2007. Latest News: Doc Acceptance of EHRs Grows.
  2. Adler KG, Edsall RL. Electronic Health Records: The 2007 FPM User-Satisfaction Survey. Fam Pract Manag. 2007 Apr;14(4):47-51.