Healthcare compliances training and discussion blog

Posts tagged ‘HIPAA compliance’

Does the cloud provide an easier route to HIPAA compliance?


There is a lot of confusion about whether the cloud can be HIPAA compliant, and the healthcare community itself is unsure, viewing it as a double-edged sword. The cloud presents a shimmering picture of cost-effectiveness: storing and analyzing massive data sets becomes affordable. The other side looks bleaker, because many organizations have yet to come to terms with the new HIPAA rule-set, especially the changes introduced by the recently published HIPAA omnibus rule. It is better to dig deeper and understand the issue than to speculate from the fringes about whether or not to migrate to the cloud.

The omnibus rule put forth last month has further tightened HIPAA's grip on those entrusted with protecting health information. It also increases the penalties on business associates and covered entities that fail to comply with HIPAA. At present there is a lot of misconception and fear about use of the cloud, and as a result many healthcare organizations and health service providers are shying away from switching to it. For organizations that wish to play safe, refusing to take shelter under the latest cloud technology may cost them a good deal in terms of both compliance and finances.

Can Cloud Computing Really Rescue Health Care And Make It HIPAA Compliant?

Recent times have shown the health care sector the many strange ways in which data breaches can and do occur. Often they result from infrastructure loss, physical theft, or sheer negligence (someone leaves a laptop behind or forgets to shut down their PC).

These scenarios of data theft and exploitation are easier to manage with cloud technology. A large provider such as Amazon publishes its physical security policies and documents exactly what can and cannot be done with the data, and its physical controls are far more robust than what a single group running its own infrastructure can achieve, even after a lot of investment. Reducing the number of health data breaches is therefore the first benefit of cloud computing. Note that moving to the cloud does not transfer responsibility: the provider handles the physical security of its data centers, but the covered entity remains responsible for encrypting its ePHI, controlling who can access it, and putting a business associate agreement in place with the provider.

The second benefit of the cloud is automated monitoring of the security and privacy of the infrastructure. When the infrastructure is defined as code, thousands of tests can be run against it at various levels. Such thoroughly tested code provides a secure base: the expected results are automated, and the infrastructure works the way you want it to. Hence, when the live infrastructure starts to diverge from what the code declares, you immediately smell smoke and go looking for the cause, and every such investigation ultimately makes your data more secure.
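The "smell smoke" step above is a drift check: compare what the infrastructure code declares against what is actually running and report every difference. The following is an added example, not code from the original post or from any cloud provider. The resource names, attributes, baseline and observed snapshot are all constructed here so that the script runs offline; in practice the snapshot would be pulled from the provider's API or an inventory tool.

```python
"""Configuration drift check for infrastructure defined as code.

Added example (not from the original post). Compares a declared baseline,
what the infrastructure code says the environment must look like, with an
observed snapshot of the live environment and reports every deviation.
Resource names and attributes below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    attribute: str
    expected: object
    observed: object


# Declared baseline: every resource that handles ePHI must satisfy these
# attributes. Constructed for the example.
BASELINE = {
    "db-phi-primary": {"encrypted": True, "public": False, "backup_retention_days": 35},
    "bucket-call-recordings": {"encrypted": True, "public": False, "versioning": True},
    "vm-claims-worker": {"encrypted": True, "public": False, "os_patch_level": "2013-02"},
}


def check_drift(baseline, observed):
    """Return Findings for every attribute that diverges from the baseline.

    A declared resource that is missing, and an undeclared resource that is
    present, are both reported: each is drift from what the code says.
    """
    findings = []
    for name, expected_attrs in baseline.items():
        actual_attrs = observed.get(name)
        if actual_attrs is None:
            findings.append(Finding(name, "<resource>", "present", "missing"))
            continue
        for attr, expected in expected_attrs.items():
            actual = actual_attrs.get(attr, "<unset>")
            if actual != expected:
                findings.append(Finding(name, attr, expected, actual))
    for name in observed:
        if name not in baseline:
            findings.append(Finding(name, "<resource>", "undeclared", "present"))
    return findings


def worst_findings(findings):
    """Findings that expose ePHI directly: storage unencrypted or publicly reachable."""
    return [f for f in findings if f.attribute in ("encrypted", "public")]


# Constructed snapshot of the "live" environment with drift seeded in:
# the recordings bucket lost encryption and became public, one VM fell
# behind on patches, and an undeclared test box appeared.
OBSERVED = {
    "db-phi-primary": {"encrypted": True, "public": False, "backup_retention_days": 35},
    "bucket-call-recordings": {"encrypted": False, "public": True, "versioning": True},
    "vm-claims-worker": {"encrypted": True, "public": False, "os_patch_level": "2012-11"},
    "vm-unknown-test-box": {"encrypted": False, "public": True},
}


if __name__ == "__main__":
    for f in check_drift(BASELINE, OBSERVED):
        print(f"DRIFT {f.resource}.{f.attribute}: expected {f.expected!r}, observed {f.observed!r}")
```

Run the check on a schedule and treat a non-empty `worst_findings` list as an incident rather than a ticket: an unencrypted or public store of ePHI is exactly the condition that turns a lost disk or a misconfiguration into a reportable breach.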

The HIPAA omnibus rule places great emphasis on the risk factors for health data and on breach notification. Cloud service providers supply detailed documentation of how their systems process data, which makes remaining HIPAA compliant as well as cost-efficient less of an uphill task. This documentation is written in plain, readable English that anybody in the health business can follow, so the people responsible for HIPAA compliance know exactly what is and is not compliant and can make decisions accordingly. It also gives non-technical staff insight into the overall work of HIPAA compliance, which is bound to raise the efficiency of the organization as a whole.

Only six months are left for covered entities and their business associates to become compliant with the new rule, so it is important that they take steps now to understand these benefits of cloud computing.

Data breaches in the health sector have been damaging the credibility of many health institutions, and many times the culprits were never tracked down because they were smarter than the institution's security systems. Shifting to the cloud is a major decision, which entities can take only once they thoroughly understand how it lessens the financial burden while maintaining the strict requirements of HIPAA compliance.

One wonders what is keeping these people on the fence when, one way or another, they are left with no alternative but to migrate to the cloud.

About emPower
emPower is a leading provider of comprehensive Healthcare Compliance Solutions through its Learning Management System (LMS). Its mission is to provide innovative security solutions that enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage compliance required by regulatory bodies and rules such as OSHA, HIPAA, the Joint Commission and the Red Flag Rule. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) allows students to access all the courses 24/7/365 through the portal. emPower's e-learning training program is an interactive mode of learning that lets students progress at their own pace.

For additional information, please visit http://www.empowerbpo.com.

Media Contact (emPower)
Jason Gaya
marketing@empowerbpo.com

$1.5M Fine Marks A New Era In HITECH Enforcement


Data breach at BlueCross BlueShield of Tennessee and subsequent penalty stands an example of the financial fallout from poor healthcare IT security practices

By Ericka Chickowski, Dark Reading
Contributing Writer

Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first to pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures. ”It’s certainly a warning shot for the healthcare industry,” says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. “But is that a sufficient amount to act as a deterrent? It’s hard to tell at this point. It’s at the upper end of what organizations can be penalized and when you break it down it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that’s just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, ‘Eh, it’s another one.'”

But Nav Ranajee, director of the healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn’t been enough financial incentive to push it up the stack on the IT to-do list, he says. HHS making pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements changes that financial equation for these organizations, he says.

“What I’m seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically been to allocate funds to get that new EMR in house or that new clinical system, because that’s going to pay off in revenue,” he says. “But when it comes to making sure HIPAA requirements are up to date, that’s usually the last line item on the budget because it’s really a sunk cost. Now they’re going to have to look at the risk involved and wonder ‘Do I risk having a million dollar lawsuit if I don’t put the right security protocols in place?'”

The settlement BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach that saw the theft of 57 unencrypted hard drives containing recordings of customer service phone calls. The drives were left behind in a data closet after the company stopped using a leased facility.

“This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said Leon Rodriguez, director of HHS OCR. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

According to Nicholson, the breach is a good lesson to healthcare organizations on how compliance really could have helped the security of the organization and maybe even prevented a breach. “One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don’t know for sure, but it seems like BlueCross BlueShield of Tennessee may not have done that evaluation. If they had done it, they might have said, ‘We’ve got these hard drives containing this unencrypted PHI and it’s in a locked closet but that’s not sufficient in this leased space,'” he says. “That’s probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI.”

For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament of the importance of encryption for healthcare data protection.

“Really, it’s all about making sure that if you have data servers in your office or workplace, they need to be locked down–they need to have locks on them–and they need to be encrypted,” he says. “Those are two of the main things that are not commonplace but they should be.”


How to understand the new HIPAA requirements to make sure you’re in compliance


The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act that amends the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”

Among the significant changes are the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions. In addition, penalties can now be imposed on individuals as well as entities.

Smart Business asked Porter for more information about the changes to HIPAA.

Who is covered by HIPAA?

You or a legal representative can determine whether you are a covered entity. The website for the U.S. Department of Health & Human Services (HHS.gov) and the Office of Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.

What changes have been made regarding penalties for noncompliance?

The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities – now penalties can be imposed on individuals as well. If someone within an organization willfully neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office of Civil Rights. Now, attorneys general are empowered to deal with enforcement and violations as well.

What is the impact on state privacy laws?

Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not however preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.

What is considered protected health information?

Protected health information is identifiable information related to treatment of a patient and that is maintained by a covered entity. In certain circumstances covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

What is a permissible disclosure?

Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.

Do patients have any new rights?

Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

How can covered entities best keep up with the changes and protect themselves?

1) Keep an eye on releases from HHS about changes. 2) Consult with your legal representative. 3) Make sure your designated privacy officer is properly trained and that he or she is training your employees. 4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

This article was originally posted at http://www.sbnonline.com/2012/03/how-to-understand-the-new-hipaa-requirements-to-make-sure-you%E2%80%99re-in-compliance/?full=1

 

MGMA Calls for New Contingency Plan for HIPAA 5010 Transaction Standards


The Department of Health and Human Services should “immediately” issue an expanded contingency plan on the transition to the new Health Insurance Portability and Accountability Act (HIPAA) Version 5010 electronic transaction standards, since many practices and state Medicaid agencies are not ready for the transition, the Medical Group Management Association (MGMA) recommended Dec. 19.

According to the latest research from MGMA, many state Medicaid plans are unable to accept Version 5010 claims and “a significant number of practices” have not yet completed the software upgrades and health plan testing needed for the transition.

The new contingency measures should permit health plans to continue accepting HIPAA Version 4010 transactions and resolve Version 5010 claims that lack all the required data. Additionally, this contingency plan should last for a minimum of six months, MGMA said.

Currently, the compliance date for implementation of these standards is Jan. 1, 2012.

“We have been tracking the Version 5010 coordination between physician practices and their key trading partners throughout 2011 and it is clear that a significant number of these stakeholders are not ready to meet the January 1 compliance date,” Susan Turney, president and chief executive officer of MGMA, said in a statement. “Our main concern is that the failure to implement Version 5010 by the compliance date will impact payment to practices for the services they provide.”

“We oppose requiring the submission of a transition plan and timeline as a needless bureaucratic exercise that adds to the workload of the providers who have to produce them and the government employees who have to review them,” she said.

Implementation of Version 5010 is a prerequisite for using the updated International Classification of Diseases, 10th Revision (ICD-10) Clinical Modification diagnosis and ICD-10-PCS inpatient procedure code set in electronic health care transactions effective Oct. 1, 2013.

On Nov. 14, the Centers for Medicare & Medicaid Services announced that it would not initiate enforcement of the new HIPAA transaction standards until March 31, 2012 (see previous article).

Additional MGMA Findings

According to findings from a survey conducted by MGMA and the American College of Medical Practice Executives (ACMPE), 32 percent of study respondents reported that their organizations’ practice management system software has been upgraded to the HIPAA Version 5010 standards and that internal testing was complete.

Nearly 25 percent of those respondents indicated that either their software has not yet been upgraded or that testing is not even scheduled, the release said.

Additionally, less than 18 percent of respondents to the survey said they have completed testing with their Medicaid plans, and 79 percent of study respondents indicated that testing with all major commercial health plans remains incomplete.

Overall, the study found that less than 14 percent of respondents rate their 5010 implementation status as fully complete.

The learning cycle and the power of asynchronous learning activities


When grappling with the concept of learning I often talk about the importance of reflection. However, another key concept is asynchronicity (I’m not entirely sure that’s a word). I’ve reflected on this previously within Asynchronous = Time and Space Learning. In that post I talked about how learning is more likely to occur when given time and space. I wanted to tease this out a bit more in relation to learning itself.

Learning is hard, really hard. It’s a skill just to recognise when it’s happening and cultivate it effectively. Often, the pain associated with it is viewed negatively. But the pain needs to be gritted out because this is an important stage of the process. Marilyn Taylor characterised learning as a continuous process of disorientation, exploration, reorientation and equilibrium (see p53 of this). It’s a cycle and the desired state is multiple loops through the cycle. For every stage, the flexibility, time and space offered by asynchronous learning activities is preferable to a purely synchronous involvement from formal education. Of course, for synchronous learning events you always have the time afterwards to reflect. But if you have a formal learning experience where everything is synchronous, the asynchronous times the learner has alone are not facilitated, not supported and without structured communication or collaboration when they need it the most. You may be thinking “so what”, but this is the point of formal education – to structure, facilitate and, in some senses, manufacture the learning. When you structure in asynchronous learning activities through the various guises of learning technology tools and carefully facilitate such activities, the stages of Taylor’s cycle are given the best chance of being rowed through by the learner. It’s easy for learners to capsize the first time they encounter the disorientation stage, and they’ll keep doing this every time they encounter it. Pretty soon they shy away from the mental states associated with the learning cycle.

I think this has contributed to a vast mass of humans who don’t really know how to learn properly. They grew up on a diet of synchronous learning and the difficult process of moving through the learning cycle wasn’t supported in any way. The tragedy is they carry it through their adult life and have trouble becoming lifelong learners, thus inhibiting their potential. I am still honing my learning skills but I keep trying and am able to support the process through various social media tools (like this one). BTW, learning overall is great. The “ah ha” moments are worth the pain. It’s a bit like going for a run but that metaphor can wait for another posting.

A couple of asterisks to this post. There is, of course, a lot of literature out there on learning theories and models. For this post, I chose one that describes a process I recognise. Also, the statement “there is a vast mass of humans who don’t really know how to learn” is based on anecdotal evidence. I think I have a somewhat informed view but would welcome insights from others on this.

This article was originally posted at http://tpreskett.blogspot.com/2011/12/learning-cycle-and-power-of.html

WRITING FOR ELEARNING


Writing for eLearning represents an interesting challenge for people who aren’t used to writing for eLearning. This blog touches on some of the basics of writing for eLearning and provides some simple suggestions on how to make your prose more effective when it hits the web.

Remember that telling is not training.

As much as some people might want to cling to this notion, telling someone something once does not constitute training. Training, at a minimum, should include some sort of practice activities so learners get a chance to noodle around the new content as it makes connections with other ideas in their heads.

Use stories to make training more real.

I’m not saying that you should be out there trying to write the Great American Novel in the form of an eLearning class (although that is a pretty cool concept). Tell the story in terms of the learner’s universe. Don’t provide a list of tasks and expect learners to remember what they are and when to use them. Instead, use common work tasks learners already do, and present the new content in that context. It helps to include transitional materials that connect one part of a lesson with the next.

To do this sort of connecting (see the way I connected the preceding paragraph with this one?), use summaries at the end of lessons that say things like, “Now that you’ve completed the XYZ task, you’ve created the desired output. In the next lesson, you’ll see how to apply that output to the 123 task.” Or introduce new tasks by saying things like, “By the time you reach this point in the process, you should have the A, B, and C completed. In this lesson, you’ll see how to use those completed activities to…”

These are simple, rhetorical tricks, but they work.

So, use the existing work processes as the plot of your story, and then stitch the lessons together with connecting language as shown above.

Write simply.

Hemingway is reputed to have advised young writers to write simply. He urged them to appreciate the complexity of the world, but to write simply when expressing that complexity.

Suggestions to help you write simply:

  • Avoid using the word “utilize.” I’ve yet to come across any instances in the English language where the word “use” can’t replace the word “utilize.” And that goes for any word that ends in “ize.” As instructional designers, we need to write clearly and directly. If your prose starts to sound like an MBA wrote it, you’re in trouble.
  • Do what newspaper reporters do and write to an eighth to tenth grade reading level. I suggest taking all your copy from a course you’ve written and dropping it into Microsoft Word. If you’ve configured Word to display readability statistics after you complete a spell check, Word will provide you with some useful data about your writing, including a rough estimate of the reading level required to understand it and how easy it is to read.

Restrict yourself to no more than 100 words per page of content.

Frankly, I’d recommend no more than 80 words per page, but that can become restrictive. If you need more room, insert an extra page.

Tips to help you achieve this limit:

  • Outline your course before you begin to write it.
  • For each line in your outline, presume your course will need one screen of content. To cover your topic thoroughly, it may be helpful to let the OCD side of your personality take over when you outline your course. Don’t be shy about creating a monster outline because no one’s ever going to see it except you. The point is, the more thorough your outline, the more complete your course will be, and, if you find you’ve gone too crazy, it’s a lot easier to delete a line from an outline than it is to write the copy you need to cover a topic and then delete it.
  • Cover your topic in the space of that one screen.
  • If you need more than one screen to cover a topic, consider splitting your topic into two and use two pages to cover both new topics thoroughly.

Factor how fast people read when designing your course.

One source puts the reading speed of the average American adult at 300 words per minute. This has a major impact on the design of your course, so factor it in when you consider how long you want your course to be. If this figure is accurate, it should take an average American adult 20 seconds to read a 100-word page of content.

However, if people are reading to think critically and learn, they’ll probably read a bit more slowly than that as they have to expend energy integrating your new content with what they already know.

Use an editor.

Abraham Lincoln is once reputed to have said that a man who represents himself has a fool for a client. There’s a corollary in there when it comes to editing your own work. You need fresh eyes on your content, someone who can spot when the Curse of Knowledge makes its way into your writing. For more on the Curse of Knowledge, please go to http://www.heathbrothers.com. You’ll be glad you did.

Not only will good editors edit your copy, but they’ll make recommendations on how to improve it. Learning from a good editor is one of the best ways to become a more effective writer.

The cool thing about these suggestions is that they’re technology independent. You can practice them irrespective of the technology you’re using to create your courseware.

This article was originally posted at http://blog.rwd.com/2011/10/writing-for-elearning/

HIPAA Activity on the Rise


HIPAA Audit Program

The HIPAA audit program mandated by the HITECH Act is underway. HHS recently awarded KPMG $9.2 million to commence the program. To date, HHS review of covered entities has been complaint driven. Audit protocols will be developed for covered entities and business associates. The audits will begin late this year or early 2012, and consist of as many as 150 on-site audits of entities varying in type, size, and location. These audits can result in enforcement action if violations are discovered.

To get prepared for a HIPAA audit, providers should perform an updated risk assessment and review their policies and procedures. HHS issued an audit checklist that identifies personnel who may be interviewed and documents that may be requested during an audit.

Accounting of Disclosures and Access Report

The long-anticipated rules regarding accounting of disclosures were proposed this May. There are two major changes covered entities and business associates will need to address: 1) accounting for treatment, payment, and health care operations disclosures, and 2) providing an access report.

Accounting for Disclosures

While the proposed rules broaden the accounting requirement to treatment, payment, and health care operations, HHS proposes to limit the accounting to information maintained in a designated record set for three years prior to the date of the request. There are also proposed exemptions, including disclosures for which breach notice was provided; abuse or neglect reports; patient safety work product; and disclosures for research, health oversight activities, decedents, and others required by law. Keep in mind that these exemptions may still be subject to the Access Report. Other proposed changes include decreasing the response time to 30 days and specifically including business associates.

Access Report

This rule proposes that an individual may request a report describing who has accessed their PHI maintained in an electronic designated record set, including the date and time of access, the person or entity accessing the information, a description of the information, and what was done with the information.

Covered Entities must revise their Notice of Privacy Practices to notify individuals of their right to an accounting and an access report.
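The access report described above, and the accounting of disclosures that patients can request (mentioned in the Smart Business Q&A earlier on this page), both reduce to questions an application audit log must be able to answer: who touched this individual's information, when, what was it, and what did they do with it. As an added example, not code from the proposed rule, the article, or any EHR product, the script below builds that report from a constructed audit log and adds a simple check for the kind of unauthorized employee access that drew a penalty this year. The JSON-lines log format, user names, patient identifiers, care-team mapping and the burst threshold are all assumptions made for the example.

```python
"""Access report and snooping check from an EHR audit log.

Added example; not code from the original article or any EHR vendor.
The log format (one JSON object per line: timestamp, user, patient, record
type, action) is an assumption, as are all names and identifiers below.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log. reg.mwong has no relationship to MRN100234 and
# reads three of that patient's records late at night in under three minutes.
AUDIT_LOG = """\
{"ts": "2011-09-12T08:03:11", "user": "rn.patel", "patient": "MRN100234", "record": "medication_list", "action": "view"}
{"ts": "2011-09-12T08:05:40", "user": "rn.patel", "patient": "MRN100234", "record": "progress_note", "action": "create"}
{"ts": "2011-09-12T11:47:02", "user": "billing.jlee", "patient": "MRN100234", "record": "encounter_summary", "action": "view"}
{"ts": "2011-09-13T22:15:27", "user": "reg.mwong", "patient": "MRN100234", "record": "demographics", "action": "view"}
{"ts": "2011-09-13T22:16:09", "user": "reg.mwong", "patient": "MRN100234", "record": "lab_results", "action": "view"}
{"ts": "2011-09-13T22:17:51", "user": "reg.mwong", "patient": "MRN100234", "record": "problem_list", "action": "print"}
{"ts": "2011-09-14T09:30:00", "user": "dr.okafor", "patient": "MRN100987", "record": "progress_note", "action": "view"}
"""

# Users with a documented treatment or payment relationship to each patient.
# Constructed here; in practice this comes from scheduling/encounter data.
CARE_TEAM = {
    "MRN100234": {"rn.patel", "dr.okafor", "billing.jlee"},
    "MRN100987": {"dr.okafor"},
}


def parse_log(text):
    """Parse JSON-lines audit events, converting timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def access_report(events, patient, request_date, years=3):
    """Rows an individual could request, limited to the look-back period
    measured from the request date: date/time, who, what, and what was done."""
    cutoff = datetime.fromisoformat(request_date) - timedelta(days=365 * years)
    rows = sorted(
        (e for e in events if e["patient"] == patient and e["ts"] >= cutoff),
        key=lambda e: e["ts"],
    )
    return [(e["ts"].isoformat(sep=" "), e["user"], e["record"], e["action"]) for e in rows]


def suspicious_access(events, care_team, burst=3, window_minutes=10):
    """Flag (user, patient, first_access) where a user outside the patient's
    care team touches `burst` or more records within `window_minutes`.
    Threshold values are assumptions; tune them to the environment."""
    by_pair = defaultdict(list)
    for e in events:
        if e["user"] not in care_team.get(e["patient"], set()):
            by_pair[(e["user"], e["patient"])].append(e["ts"])
    flagged = []
    for (user, patient), times in by_pair.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= timedelta(minutes=window_minutes):
                flagged.append((user, patient, times[i].isoformat(sep=" ")))
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for row in access_report(evs, "MRN100234", "2011-09-15"):
        print(" | ".join(row))
    for user, patient, first in suspicious_access(evs, CARE_TEAM):
        print(f"REVIEW: {user} accessed {patient} outside the care team starting {first}")
```

The report function only works if the application logs every read, not just writes, and records the acting user rather than a shared service account; checking that now is cheaper than discovering the gap when the first access-report request arrives.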

Monetary Penalties

For the first time this year, there were three major monetary penalties issued for HIPAA violations. These include a $4.3 million penalty involving failure to provide access, a $1 million penalty involving loss of PHI, and most recently an $865,500 penalty involving unauthorized employee access to electronic PHI. Another reason to update your HIPAA program!

Joy Kosiewicz is an attorney in the Health Care Group at Brouse McDowell in Akron.
