Healthcare compliances training and discussion blog

Archive for September, 2011

HIPAA vs The Cloud

HIPAA Compliance: The objective behind

Sensitivity in maintaining individual health record of every person is too significant and this is what gets ensured under HIPAA security compliance, which aims at protecting an individual’s information to be obtained, created, used and maintained electronically at a specific healthcare unit or hospital. As a result of this rule, the healthcare unit is responsible for taking every measure to keep this information confidential, secure, reliable and free from any electronic interference. But healthcare units usually find it tough to meet the expectations of this security rule & it requires a more technical approach in abiding by the directives of the security rule.

Healthcare unit’s responsibility in ensuring HIPAA security compliance

Under HIPAA security compliance, each of the three aspects, namely administrative, technical and physical, has to be adhered to by implementation specifications. These specifications specify the modus operandi for meeting the three aspects. A healthcare unit or hospital has to either implement a security measure to achieve this objective, execute the given implementation specifications or, may not put into practice either one of the two. But as part of HIPAA compliance, the body has to document whichever choice it wants to implement and this document should additionally comprise of basis of the evaluation on which this decision has been arrived at. Outcome of all this can be visibly noticed in the form of a challenge for IT professionals working in health sector.

Shouldering HIPAA compliance responsibility with cloud computing vendor

No surprise, emergence of cloud computing looked like easing the scenario but with enough caution, given that an outside agency in the form of cloud providing associate is involved besides the healthcare unit. Because of this vendor-client partnering, the ultimate responsibility to abide by HIPAA compliance resting with the healthcare unit gets pooled with the vendor, since implementation gets carried out at the vendor end. Thus, there is much room for the sensitive information getting trickled at the remote location where cloud model has been setup. In this situation, the healthcare unit will have to adhere to all the security aspects and implementation specifications as discussed above, so as to satisfy the HIPAA security rule. In the process, the healthcare unit will have to extend its interference and control at the cloud computing associate’s location in terms of integrity, encryption, data transfer & management, etc., which this body earlier left up to business associate due to contractual limitations or budget constraints.

Documentation of roles

Obviously, the healthcare unit has an opportunity this way to allot even responsibility to its cloud computing business associate and keep it under the scanner, as if HIPAA compliance is not just the healthcare unit’s liability, but is as much an accountability of that vendor. The documented modus operandi of this body can well include the extent to which it has involved vendor and along with, ask the vendor to document its procedures and practices in following the technical requirements and the HIPAA compliance as a whole.

While cloud computing can be the technical answer for healthcare IT professionals to successfully satisfy HIPAA security compliance, the organisations in healthcare can well ensure strict adherence of HIPAA rules by shouldering equal responsibility with their cloud computing business associates.

About emPower eLearning

emPower  is a leading provider of comprehensive Healthcare Compliance Solutions through Learning Management System (LMS). Its mission is to provide innovative security solutions to enable compliance with applicable laws and regulations and maximize business performance. empower provides range of courses to manage compliance required by regulatory bodies such as OSHA, HIPAA, Joint commission and Red Flag Rule etc. Apart from this emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management system (LMS) allows students to retrieve all the courses 24/7/365 by accessing the portal. emPower e-learning training program is an interactive mode of learning that guides students to progress at their own pace.

For additional information, please visit


Future of Obama education program cloudy

Two years ago, Race to the Top, the Obama administration’s signature education policy, was just a line in the massive federal stimulus bill. Now applications have been issued for the third round of the sweepstakes program, which has begun to establish itself as the nation’s de facto model for how students should learn and teachers should teach.

But after a lengthy planning process in legislatures around the country, many states only now are implementing the changes that won them money in the program’s first two rounds, and not everyone is happy with the results.

The program — in which states vie with one another for tens of millions of dollars in education grants — has faced criticism from teachers unions and state governments for its competitive nature and tight deadlines, as well as arguments that it amounts to federal interference in education policy.

One state, South Carolina, which was a finalist in the first two rounds of the program, decided in May that it no longer would participate because state education officials opposed a top-down approach to education from Washington.

Jay Ragley, the director for legislative and public affairs for state education superintendent Mick Zais, said that while state officials supported many of Race to the Top’s goals, they’d prefer change to be initiated at the state level.

Zais’ “reason for not participating was because there are strings attached to programs for federal money,” Ragley said. “And you must continue funding them after they run out.”

Ragley said officials didn’t want to start new programs that they’d have to shut down if they lost funding down the road.

In July 2009, Congress created Race to the Top as a way to inspire states to propose education revisions with the promise of millions of dollars in prize money. Education Secretary Arne Duncan’s program was meant to be a short-term boost of revenue, which was why the Obama administration included the money — $4.35 billion — as part of the $787 billion stimulus package known as the American Recovery and Reinvestment Act of 2009.

Duncan argued that investing in education would stimulate the economy by promoting long-term productivity. However, it was a long-term concept tucked into a stimulus package that was expected to produce immediate results.

There were four basic ideas: better preparing students for college, creating measurements for student and teacher improvement, recruiting the most effective teachers and reforming underperforming schools.

“Not every state will win and not every school district will be happy with the results,” Obama said at the time. “But America’s children, America’s economy and America itself will be better for it.”

Forty states and the District of Columbia applied for grant money in the program’s first phase. In March 2010, the administration announced the first two recipients: Tennessee, which won $500 million, and Delaware, which was granted $100 million, to carry out aggressive revisions over the next four years.

The two states just now are pushing past the planning stages and rolling out new programs. It’s been more than a year since the announcement of a second group of winners, totaling another $3.3 billion in grants. And with the stimulus funds having been spent, there’s no more money envisioned for the program.

Patients get direct access to lab results under government proposal

Patients across the country would be able to obtain their lab results directly from laboratories under new regulations proposed by the Department of Health and Human Services (HHS). The enhanced access to test results is designed to bypass laws in several states that require patients to get the data from their physicians.

The proposed rules would amend the patient privacy provisions of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under CLIA, labs may release results to the treating provider, the referring lab, and “authorized persons,” as defined by state law. The new amendment explicitly states that the patient is an authorized person under federal law.

“We believe that the advent of certain health reform concepts [for example, individualized medicine and an individual’s active involvement in his or her own healthcare] would be best served by revisiting the CLIA limitations on the disclosure of laboratory test results,” the notice of proposed rulemaking states.

The HIPAA privacy rule also impedes the ability of individuals to obtain their own test results. To avoid conflict with the CLIA rules, the HIPAA law granted CLIA labs an exception to the right that HIPAA confers on patients to access their own medical records. The new proposal would rescind that exemption.

HHS Secretary Kathleen Sebelius announced the proposed lab regulations Monday as part of a patient “empowerment” package that, according to the Secretary, will lead to better health and healthcare.

“When it comes to healthcare, information is power,” Sebelius said. “When patients have their lab results, they are more likely to ask the right questions, make better decisions and receive better care.”

Left unanswered was the question of how physicians feel about their patients being able to see lab results before they do. Many doctors prefer to view the results first so they can present important ones to their patients in a meaningful way.

Also unveiled at the HHS press conference was a personal health record privacy notice. This creates “an easy-to-read, standardized template allowing consumers to compare and make informed decisions based on their privacy and security policies and data practices about PHR products,” according to an HHS press release.

HHS has made consumer empowerment a cornerstone of its health IT policy. The Office of the National Coordinator for Health IT (ONC), an HHS agency, recently launched a new website that educates consumers about the benefits of health IT and provides health education materials.


Clinic says North Dakota Blues violate HIPAA law

Mid Dakota Clinic of Bismarck has opted out of a major initiative by Blue Cross Blue Shield of North Dakota that involves sharing patient records with an outside consultant and cites patient privacy concerns as the reason.

The program, MediQHome, is a “medical home” partnership between the health insurer and teams of medical providers aimed at better managing patients, especially those with chronic diseases, such as diabetes or asthma, to improve outcomes and reduce costs.

The initiative, which involves more than seven of every 10 primary care clinicians representing 75 percent of the North Dakota Blues’ members, requires providers to share patient information with an outside health quality consultant, MDdatacor, a firm located in suburban Atlanta.

Jeff Neuberger, the chief executive officer of Mid Dakota Clinic, said Friday that all patients should be contacted in advance to get their permission before their medical information is sent to a third party for review.

The clinic’s legal counsel, he said, concluded that failure to get individual patients’ express approval would violate a federal law protecting patient privacy, the Health Information Portability and Accountability Act, often called HIPAA.

“HIPAA doesn’t allow us to send information on everybody” without the patient’s permission, Neuberger said. “It’s very clear on that. We’ve said (to Blue Cross Blue Shield) you have no right to do that.”

The contract given to providers specifies they get “all appropriate” releases from patients, Neuberger said. But the contract language contradicts what Blue Cross Blue Shield executives have said about patient permission not being necessary, Neuberger said.

Representatives of Blue Cross Blue Shield of North Dakota said the information-sharing under the MediQHome program complies fully with HIPPA and protects patient privacy.

“We have remained 100 percent consistent with all providers that there is no requirement to receive permission from patients in order to participate in MediQHome,” Denise Kolpack, a Blue Cross Blue Shield vice president said in a statement to The Forum, highlighting “no requirement” in bold to emphasize the point.

She went on to say, however, that the contract includes language to allow a provider to participate in the health quality program “even if that provider has their own, stricter requirements around patient permissions and authorizations.”

Most of the major medical providers in North Dakota participate in the MediQHome program, which began in 2009, including Sanford Health and Essentia Health in Fargo.

The top lawyer for Sanford Health said the initiative both helps to improve patient care and complies fully with federal privacy laws.

“The partnership with BCBSND is one example of efforts we are undertaking as a health care system to improve quality and reduce the cost of health care overall for all consumers in our service area,” said Paul Richard, Sanford’s chief legal officer.

“All releases of patient information to MDdatacor by Sanford Health are in compliance with HIPPA,” he added, including a section of the law he said supported his position.

Kevin Pitzer, chief administrative officer of Essentia Health in Fargo, said the health system’s standard release of information form, for both hospital and clinic patients, includes authorization to release information of the kind it sends to MDdatacor.

“We do get permission from patients to release that information,” he said, adding that Essentia consulted both with in-house and outside legal counsel before embarking on the MediQHome program two years ago.

Participating medical providers send data on all their patients to MDdatacor “to identify clinical opportunities for improved health care delivery to all their patients with chronic diseases,” said Dr. David Hanekom, chief medical officer for Blue Cross Blue Shield of North Dakota.

Dr. Robert Roswick, medical director of Mid Dakota Clinic and a family practice physician, said it is improper – and illegal – to send medical information from all patients to the health quality consultant without prior patient approval.

He offered himself as an example of what he views as a breach of patient confidentiality.

A private pilot, Roswick must get annual physical checkups to keep his license current. He gets his exam at Trinity Health in Minot, which participates in MediQHome.

Aware of that, and the program’s protocol calling for providers to share information for all Blue Cross Blue Shield of North Dakota patients, he asked Trinity if his medical records were sent to the outside health quality consultant, MDdatacor.

The answer Roswick received from Trinity, after writing several letters, was yes. Roswick, who said he had not given his approval to do so, said the release was inappropriate and illegal – especially considering he is not covered by Blue Cross Blue Shield and does not have a chronic medical condition.

“It’s a blatant HIPAA violation,” Roswick said, adding that he has filed a complaint with the federal government and is still waiting for a response.

A spokesman for Trinity Health declined to comment on Roswick’s complaint.

“Patient privacy is important to us, and we strive to comply with all regulations involving patient privacy,” said Randy Schwan, a Trinity vice president.

Mid Dakota Clinic’s Neuberger and Roswick said medical providers in North Dakota have strong financial incentives to participate in MediQHome and therefore to send information of their patients covered by Blue Cross Blue Shield of North Dakota to MDdatacor, which could not be reached for comment Friday, for analysis.

In response, Hanekom said BCBSND is revamping their reimbursements to providers in a broad ongoing effort to reward better quality of care.

This article was originally posted at

Day-Long HIPAA Boot Camp Targets HIM Professionals

The 2011 annual convention of the American Health Information Management Association, Oct. 1-6 in Salt Lake City, features a series of in-depth post conference educational sessions on the 6th, including an eight-hour HIPAA Privacy and Security Boot Camp.

The camp is designed for health information management directors, other professionals with little or no privacy experience who is taking on a new role as a privacy officer or would like to, and existing privacy officers who want a better understanding of regulations and issues.

“I’m not going to assume they know too much,” says Kelly McLendon, the presenter and founder of HIXperts, a Titusville, Fla.-based consultancy. “I’m not going to leave anyone behind, but at the same time will go beyond the basics.”

McLendon will cover the tools of HIPAA privacy compliance, such as policy templates, spreadsheets and other forms for specific functions, such as cataloging records systems with protected health information. He’ll cover expected requirements in a final omnibus HIPAA rule expected this year covering the privacy, security, breach notification and enforcement rules, and also cover privacy regulations from the HHS Substance Abuse and Mental Health Services Administration.

“This is a very deep view of HIPAA for HIM and privacy professionals, but we will start from the basics and make sure everyone understands from the ground up,” McLendon says. More information on educational session 7004, “HIPAA Privacy and Security Boot Camp,” which starts at 9:00 a.m., is available at

This article was originally posted at

New round of US grants for education innovation

The federal government is trying to make it easier to apply for one of its grants for innovative ideas to improve education, but with budget cuts there’s a lot less money to give away this year.

In 2010, the U.S. Department of Education gave out $650 million to 49 school districts, charter organization, colleges, universities and other nonprofit organizations for entrepreneurial ideas with the potential of helping the nation’s schools. This year, there’s $150 million available for the second round of Investments in Innovation or i3 grants, the U.S. Department of Education announced Friday.

Nearly 1,700 groups applied for the 2010 grants, and Jim Shelton, assistant deputy secretary for innovation and improvement, is hoping for another flood of applications this summer. The department particularly wants to encourage innovation in rural education; science, technology, engineering and math learning; supporting effective teachers and principals; implementing high academic standards and quality tests, and turning around persistently low-performing schools.

“There’s a tremendous pent-up demand in the field to share innovations that people feel have national implications,” he said.

Grants of up to $25 million are being awarded for scaling up education programs with a chosen track record; grants of up to $15 million for growing a program with emerging evidence of success; and grants of up to $3 million for developing promising ideas. In 2010, grants for the same categories were given in amounts up to $50 million, $30 million and $5 million.

The program could have been completely eliminated, but Congress apparently recognized the program’s success at attracting creative ideas that could potentially benefit schools across the country, Shelton said.

“The kind of support this program got from the field made it an obvious choice,” he said.

The department is offering pre-application workshops and has streamlined the process and the application form to encourage more applications. They are due in August and awards will be made before the end of the year. Finalists will be chosen by independent peer review panels.

Finalists will then have to get additional dollars from another source, such as the local or state government or foundation money, equal to 5-15 percent of the grant, depending on how much is rewarded before they will get a check from the federal government. In 2010, every finalist was able to get that matching money, thanks in part to a foundation-led online grant clearinghouse.

For the second round of grants, the government promises to pay special attention to grants that help rural children and schools. Some money went to rural-focused projects in 2010, but Shelton is hoping to increase the number of rural grants in 2011.

An example of a rural project that got an i3 grant last year was a consortium of 15 school districts in Appalachia working with the Niswonger Foundation of Greeneville, Tenn., to create a college-going culture by using technology to bring more college-prep curriculum to the districts, and helping some schools partner with community colleges to offer dual-credit classes.

The Search Institute in Minneapolis included four locations in Maine in its i3 project to help schools work on non-academic barriers to learning such as truancy and drug use.

Extra points will also be given to applications that focus on improving productivity or technology, help students with disabilities and limited English proficiency, focus on early learning or increase college access and success.

The Criticality of Risk Assessments: FISMA, HIPAA, and other regs

 By Richard E. Mackey, Jr.
Dark Reading

One of the most important components in any security program is the risk assessment process. Regulations like FISMA, HIPAA, Red Flag Rules, and state privacy regulations require organizations to methodically assess risk and select security controls based on that assessment. The problem is that many organizations do not understand what it means to assess risk through a formal method. Worse yet, many IT people have a hard time understanding the practicality of formal assessments.What is a formal risk assessment?

Formal risk assessments are processes that consider the value of the assets that are at risk, the business and technical threats to the assets, and the effectiveness of the business and technical controls that are designed to protect the asset. In the end, a risk assessment gives the organization an objective measure of the risk to an asset. The process forces the organization to acknowledge and accept the risk, eliminate the risk by terminating a business practice (e.g., stop offering access to the asset via the web), transfer the risk by outsourcing or insurance, or, more often than not, select additional more effective business or technical controls to reduce the risk.

The benefits of formal risk assessments

Conducting formal assessments within a risk management program a number of benefits.

Formal assessments: 1. Require business and technical representatives to reason about risk in an objective, repeatable, way 2. Require consistent terminology and metrics to discuss and measure risk 3. Justify funding for needed controls 4. Identify controls that provide can be eliminated 5. Provide documentation of threats that were considered and risks that were identified 6. Require business and IT to acknowledge the responsibility for ownership of risk 7. Require organizations to track risks and reassess them over time and as conditions change

Why are risk assessments so important in compliance?

There is a good reason for so many regulations to include a requirement for risk assessment. It is only sensible that a regulatory body cannot dictate the controls that are necessary in every environment. What might be appropriate for a large company with a significant web presence could be overkill for small organization with a few customers. If the threats are different and the environment is different, it stands to reason that the controls may be different.

It is interesting to note that even the most prescriptive standards (e.g., PCI DSS) require risk assessments to determine the need for and effectiveness of controls. On the less prescriptive side of the regulatory spectrum, HIPAA and FISMA have very few required controls but expect the entire program to be risk based. This approach makes sense when one standard needs to apply to everyone.

Choosing a risk management framework

If your organization needs to comply with FISMA, your risk management approach should be based on NIST Special Publication 800-39. This document provides an overall description of the risk management lifecycle. Risk assessment, which is one part of the risk management program, is described in NIST Special Publication 800-30 (which is being revised). SP 800-30 provides a stepwise method for assessing risk that can be customized for a given organization.

Another good source of risk management documentation is provided by the OCTAVE project developed at Carnegie Mellon University. Both NIST and OCTAVE provide excellent sources for building a risk management program that help organizations meet their security and regulatory requirements.

This article was originally posted at

Tag Cloud