Healthcare compliance training and discussion blog

Archive for the ‘Health Compliance’ Category

Safeguard your confidential data by implementing HIPAA Privacy Rule’s De-Identification Standard


HIPAA, the Health Insurance Portability and Accountability Act, is a legislative act passed in 1996 that changed health care administration. For years we have studied its Security Rule and the three types of security safeguards it defines, which are largely technical and physical in nature.

Of those three safeguards, we previously examined the administrative safeguards and their required and addressable implementation specifications. In this article, we examine the key factors of the technical and physical safeguards of the Security Rule. The aim is to state the main concepts of the HIPAA Privacy Rule’s De-Identification Standard in simple terms.

Physical Safeguards

The physical safeguards of the HIPAA Privacy Rule’s De-Identification Standard deal with the policies and procedures that must be implemented to control physical access to the systems and devices that hold health information and to the facilities that house electronic records.

It is therefore mandatory to take the greatest care when adding to or removing from the network any hardware or software that handles Protected Health Information (PHI). Equipment approaching retirement must be disposed of carefully so that the PHI it contains is not compromised.

  • Health data stored on the equipment must be controlled and monitored carefully.
  • Access to the hardware and software must be limited to properly trained and authenticated individuals.
  • Workstations must be situated away from high-traffic areas so that monitor screens are not in direct view of the public.
  • Whoever engages contractors and agents must ensure that they are professionally trained and aware of their duties and responsibilities.

Technical Safeguards

Technical safeguards deal with the measures that must be implemented when transmitting health information electronically over open networks, so that the information does not fall into the wrong hands.

  • The responsible entity must follow a strict procedure to ensure information integrity, using mechanisms such as digital signatures, checksums and message authentication.
  • Appropriate methods must be used to confirm that an entity seeking access to electronic records is who it claims to be; accepted methods include card systems, password systems, callback procedures and hand-based biometric checks.
  • All policies implemented and practices followed for the HIPAA Privacy Rule’s De-Identification Standard must be documented and maintained so they can be presented to compliance auditors on request.

Implementation Specifications

Healthcare compliance cannot be ignored, because it is essential to safeguarding Protected Health Information.

A system that takes the utmost care of health information is required; for this, health care providers such as doctors, hospitals and health plans must be given a unique identifier. At present most of them use either tax ID numbers or employer identification numbers.

The Security and Privacy Rules lay down provisions to ensure that people’s personal records are not misused and are kept secure and confidential. Any person failing to follow the rules can be fined up to $250,000 and, for severe enough violations, face jail time under HIPAA. HIPAA was indeed designed to ease the massive process of health care administration.

About emPower

emPower is a leading provider of comprehensive Healthcare Compliance Solutions through a Learning Management System (LMS). Its mission is to provide innovative security solutions that enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage compliance required by regulatory bodies such as OSHA, HIPAA, the Joint Commission and the Red Flag Rule. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) allows students to access all courses 24/7/365 through the portal. emPower’s e-learning training program is an interactive mode of learning that lets students progress at their own pace.

For additional information, please visit http://www.empowerbpo.com.

How to understand the new HIPAA requirements to make sure you’re in compliance


The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act that amends the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”

Among the significant changes are the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions. In addition, penalties can now be imposed on individuals as well as entities.

Smart Business asked Porter for more information about the changes to HIPAA.

Who is covered by HIPAA?

You or a legal representative can determine whether you are a covered entity. The website for the U.S. Department of Health & Human Services (HHS.gov) and the Office of Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.

What changes have been made regarding penalties for noncompliance?

The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities – now penalties can be imposed on individuals as well. If someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office of Civil Rights. Now, attorneys general are empowered to deal with enforcement and violations as well.

What is the impact on state privacy laws?

Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not however preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.

What is considered protected health information?

Protected health information is identifiable information related to treatment of a patient and that is maintained by a covered entity. In certain circumstances covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

What is a permissible disclosure?

Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.

Do patients have any new rights?

Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

How can covered entities best keep up with the changes and protect themselves?

1) Keep an eye on releases from HHS about changes.
2) Consult with your legal representative.
3) Make sure your designated privacy officer is properly trained and that he or she is training your employees.
4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

This article was originally posted at http://www.sbnonline.com/2012/03/how-to-understand-the-new-hipaa-requirements-to-make-sure-you%E2%80%99re-in-compliance/?full=1


Doctor’s office settles with OSHA


A local doctor’s office has agreed to pay a $10,500 fine as part of a settlement with the Occupational Safety and Health Administration.

The Kirkland Family Practice also agreed to correct violations involving exposure of employees to needles and other sharp devices, infection control and employee training, according to a settlement signed Aug. 18 by Dr. Clem Kirkland.

In July, OSHA cited the office, 5928 Springboro Pike, with eight violations calling for a potential $32,000 fine.

In the settlement, OSHA withdrew citations involving steps taken after an employee suffered a needle-stick in June 2011 and annual employee training. OSHA reclassified and reduced the fines for other violations.

In addition to the fines, Kirkland agreed to rewrite its exposure control plan, including “annual consideration and implementation of safer needle devices” and “identification of the appropriate disinfectant to be used in decontaminating contaminated work surfaces.”

Kirkland also agreed to hire inspectors for annual job safety and health inspections for the next two years and to report “how each item was abated or corrected” to OSHA.

Kirkland did not return calls.

Compliance Considerations for Accredited Office-Based Surgery Practices When Hiring Employees and Contractors


For New York State accredited office-based surgery practices (“OBS”), the terms of continued accreditation (varying with an OBS’ specific accrediting agency) often come with strict requirements and guidelines concerning the hiring and retention of employees and independent contractors.  Most unexpected (and often overlooked by OBS employers) are the requirements and guidelines that reach far beyond the customary licensure and/or certification requirements and expand into areas that an OBS employer might consider (understandably) to be “private business decisions” or “matters of professional judgment.” It is in these outlying areas that OBS employers must be well versed in order to avoid inadvertent compliance breaches.

When hiring new employees and/or independent contractors, OBS employers must review their accreditation manuals with a specific focus on the following categories of employees and/or contractors:

(a) Registered Nurses: when hiring Registered Nurses, OBS employers must confirm, among other things, (i) instances of treatment requiring the presence of a Registered Nurse (including pre- and post-operative care), (ii) licensure, continuing education and liability insurance requirements, (iii) requirements concerning maintenance of medical records and supporting documentation and (iv) reporting requirements concerning adverse events;
(b) Physicians’ Assistants and/or Specialists’ Assistants: with regard to Physicians’ Assistants and/or Specialists’ Assistants, special attention must be given to rules and regulations concerning (i) the presence and/or supervision of a physician at the OBS facility, (ii) availability of and/or access to a physician upon request of the patient, (iii) maintenance of medical records, auditing and quality control initiatives, (iv) licensure, continuing education and liability insurance and (v) reporting requirements concerning adverse events;
(c) Anesthesiologists: in addition to the state and federal laws concerning and/or affecting financial and work relationships among physicians (i.e., Stark Laws, Anti-Kickback Statutes, False Claims Act), OBS employers must review all rules and regulations concerning: (i) the Anesthesiologist’s access and availability to patients, (ii) pre- and post-operative care directives, (iii) directives concerning maintenance and support of anesthesia equipment, medication and/or supplies, (iv) maintenance of medical records, auditing and quality control initiatives, (v) board certification, licensure, continuing education, and liability insurance and (vi) reporting requirements concerning adverse events.
It is important to note that most of these “employment requirements” can be outlined as conditions of employment in an employment contract or independent contractor agreement between the OBS employer and the employee/contractor. Documenting and outlining relevant accreditation-mandated employment requirements, in addition to clarifying the potential employee/contractor’s responsibilities and obligations, demonstrates a good faith effort to comply with all applicable accreditation mandates and delegates applicable accountability.

Tips on PCI DSS Compliance


Too many healthcare organizations have overlooked their obligation to comply with the Payment Card Industry Data Security Standard, says security expert Tom Walsh. Compliance with PCI DSS, designed to help prevent credit card fraud and theft, can help healthcare organizations comply with the HIPAA security rule as well, Walsh stresses. That’s because PCI DSS offers far more security specifics than HIPAA, including, for example, specific password requirements, he notes.

“If an organization can meet all of the requirements of PCI, it’s going to be in great shape when it comes to HIPAA security compliance,” Walsh contends. “The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all of the controls required to meet all the standards required in PCI. If they could, it would be a great help with HIPAA.”

Large payment card transaction volume merchants, including many hospitals, must have independent audits and frequent vulnerability tests, Walsh explains. Those with smaller payment card transaction levels are required to conduct a self-assessment and complete a “self-assessment questionnaire.” All merchants are required to complete an “attestation of compliance.”

In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, Walsh offers an overview of PCI DSS and suggests key compliance steps, including:

  • Creating a diagram that shows how credit transactions are handled;
  • Identifying all applications and systems involved and creating an inventory of all card reading devices;
  • Conducting an initial self-assessment and creating a plan to remediate any problems identified;
  • Creating a credit card handling policy and training staff annually on how to carry it out.

On May 18, Walsh will conduct an in-depth webinar on PCI DSS compliance in partnership with Information Security Media Group.

Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on information security in healthcare. He has conducted numerous presentations on PCI and has helped dozens of healthcare organizations conduct PCI self-assessments. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis.

HOWARD ANDERSON: For starters, please briefly describe the Payment Card Industry Data Security Standard and who must comply.

TOM WALSH: … To counter the threat of fraud, and unintentional security breaches, the major credit card companies worked collaboratively to create a common industry standard. … In September of 2006, the five major credit card companies formed the organization called the PCI Security Standards Council, and what the council tried to do was come up with a set of standard data security criteria that they wanted all the organizations that handle or process credit cards to follow.

The standard itself covers both technical and operational system components associated with the card holder data environment. It includes things like the access to credit card data, transferring the information, storage of the information, retention and disposal. They’ve been updating the standard over the years, and the current version of the PCI Data Security Standard is Version 2.0.

…Mainly the goals are to build and maintain a secure network, protect the card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test the networks, and then maintain an information security policy. These are all good things and generally considered common practices.

One thing I want to point out is that many people get confused, and they wonder whether this applies to the entire network and to the entire organization. But it really pertains only to those systems or applications that are used for the storage, processing or transmission of cardholder data. That is why a lot of organizations try to segregate out credit card data transactions from their other operations.

Security Controls

ANDERSON: Many healthcare organizations have been focused heavily on complying with HIPAA’s privacy and security rules, while sometimes overlooking other industry standards, such as PCI. So tell us about security controls that PCI requires.

WALSH: Many organizations are worried about complying with HIPAA, and they’ve forgotten that PCI applies globally to any organization that stores or processes or transmits card holder data. So most healthcare organizations accept credit cards for payment for co-pays or for paying for their services outright. As part of this, they have to go in and look at these security requirements and they have to do what’s called a self-assessment, and that is a questionnaire form they have to fill out and it has certain criteria. The criteria are based on the environment in which your credit card processing takes place.

While the council is really responsible for managing the data security standards, each of the credit card brands maintains its own separate compliance and enforcement program, which makes it a little bit of a challenge. Each card brand has their own determination for validation of compliance, and most of it is based on reporting, and the reporting is usually a requirement for the acquiring financial institutions or banks, or the merchant service processors that work with the organization when they process credit cards.

Generally they’ll ask for … some kind of a letter to provide evidence or proof that the healthcare organization that is processing the credit cards is, indeed, in compliance with the PCI data security standard.

Now sometimes a breach may occur, and that is when these organizations will get involved, and then they’ll want to see proof that you’ve been compliant over the years. …

One of the things I’ve seen, which is a trend, is that the banks or merchant service processors are now sending letters to [certain] organizations and they are asking them to prove that they’re compliant by going online to a website and completing their self-assessment questionnaire. …

The other part about this that can be difficult is that when you go on the website to complete the self-assessment questionnaire, many times what is included in that registration process is a vulnerability scan that will be conducted by the organization that the bank or merchant service processor has contracted to go out and conduct the scan. …

The other thing is, who gets these letters? Generally it’s not going to end up with IT or information security; it usually will end up with whoever in the organization has the relationship with the bank or the credit card company. So the bad news is, somebody could be getting this letter and not know what to do with it, and either hold on to it or ignore it. And meanwhile, the folks who really know what they should be doing about it aren’t getting the word.

So as far as a compliance audit … you should be doing it on an annual basis. … In most cases, my clients, when they go through this, they’ll hold on to the result of it and won’t turn it over unless they are asked to produce it.

PCI Compliance

ANDERSON: So what are a few of the steps that an organization can take to assess whether they are PCI compliant now?

WALSH: Well some of the things that they need to look at is to figure out who in their organization is handling or processing credit cards. So you’ve got to look at the various departments. Now in a hospital, it will typically be the departments such as admitting, registration or patient access … where the patient first checks in and pays for a co-pay. It could be the cashier at the hospital. Patient financial services, which does the patient billing, handles credit cards [as do the] gift shops, cafeteria, any of the outpatient services, such as the pharmacy … or clinics or urgent care centers or if the organization sells or rents medical equipment and supplies. So those would be areas where credit cards are being handled. So the first step is really getting a handle on the environment itself.

The next step would be to determine who really owns the PCI project. … They need a high-level executive to take ownership of it. You need to determine what merchant level and type you are, based on the number of transactions you process and the environment that you process them in: are you using just point-of-sale terminals or are you using some secure website for processing transactions? Then create a transaction work flow map or a diagram that shows how credit card transactions take place in the organization, and where all the data may reside so you have an idea then of what you need to assess. Then identify the applications and systems associated with the processing, storage and transmission of the credit card data. You might want to do an inventory of any of your point-of-sale terminals or cash register systems, or card readers that attach to a workstation.

Then you would conduct your initial self-assessment, filling out the self-assessment questionnaire. Sometimes [those doing this for the] first time … may want to call upon a vendor for some help with that. Once they have done the assessment, they will probably find some shortcomings, and that would be something you would put in a report of findings to your executive management to make a determination of the next steps through some type of an action plan, and what is it going to cost to remediate these. What kinds of resources do we need?

Some simple things … that need to be done include creating a credit card handling policy and then conducting awareness training for all your employees. Now the requirement is to train everyone who is handling credit cards when they are newly hired and then annually. And part of that annual training is that the employee has to acknowledge that they received a copy of the credit card handling policy and understand what their responsibilities are. So those are some of the key steps that need to be taken right away.

HIPAA, PCI Overlap

ANDERSON: And is there any overlap between what HIPAA requires and what PCI requires?

WALSH: Well there is some overlap. The HIPAA security rule is kind of vague. It was written that way so it could be scalable. So it doesn’t give you a lot of detail, whereas the PCI Data Security Standard is very specific and detailed in its requirements. So for example … within the HIPAA security rule there is really no specification for passwords other than under the standard of security awareness training that we have to conduct password management training and we have to teach people how to manage their passwords. But when you look under the technical safeguard section, it talks about authentication but it doesn’t specify passwords, which is probably the most commonly used method today in healthcare of authenticating a user. When you look at PCI, they have eight specific requirements on passwords. So they specify things like minimum password length and complexity, history and password expirations; it’s very detailed.

So, if an organization can meet all of the requirements of PCI, you’re going to be in great shape when it comes to HIPAA security compliance. The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all the controls that are required to meet all the standards in PCI. If they could, it would be a great help with HIPAA.

ANDERSON: Finally, you’ll be offering a webinar on PCI compliance strategies May 18, so tell us what information you are planning to provide in that event.

WALSH: In that webinar, I’m going to go into more detail about the PCI Data Security Standard. I’ll also be talking about some of the common mistakes that I’ve seen in healthcare organizations as far as addressing the standard. We’ll provide a more detailed action plan. …

This article was originally posted at http://www.healthcareinfosecurity.com/articles.php?art_id=3581&pg=3

Cost Effective Health Compliance Training


emPower eLearning Solutions is the leading provider of effective online compliance and competency training courses and learning management systems (LMS) to healthcare facilities.

As a health care management professional, you are responsible not only for providing exceptional care for your patients but also for making sure that the care they receive is delivered within guidelines set by the government and corporate entities. To manage your institution, you need to find healthcare security compliance tactics that are effective without draining your resources.

We understand the unique challenges you face trying to implement policies that ensure compliance while providing more effective care for your patients. That’s why emPower eLearning Solutions is dedicated to helping our clients discover new methods to train and educate their staff on ways to improve all aspects of their organization. From improving procedures to providing corporate health compliance training to bringing your hospital or institution in line with the policies of your parent company, we can help.

For more information, visit http://www.empowerbpo.com/home_health_aide.html
