Healthcare compliance training and discussion blog


How to understand the new HIPAA requirements to make sure you’re in compliance

The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act that amends the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”

Among the significant changes are the extension of enforcement authority to the states’ attorneys general, the extension of the privacy and security provisions to “business associates,” and new breach notification requirements. In addition, penalties can now be imposed on individuals as well as entities.

Smart Business asked Porter for more information about the changes to HIPAA.

Who is covered by HIPAA?

You or a legal representative can determine whether you are a covered entity. The websites of the U.S. Department of Health & Human Services (HHS) and its Office for Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.

What changes have been made regarding penalties for noncompliance?

The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities; now penalties can be imposed on individuals as well. If someone within an organization willfully neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office for Civil Rights. Now, the states’ attorneys general are empowered to deal with enforcement and violations as well.

What is the impact on state privacy laws?

Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not, however, preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact the exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.

What is considered protected health information?

Protected health information is identifiable information related to treatment of a patient and that is maintained by a covered entity. In certain circumstances covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

What is a permissible disclosure?

Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.

Do patients have any new rights?

Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

How can covered entities best keep up with the changes and protect themselves?

1) Keep an eye on releases from HHS about changes.
2) Consult with your legal representative.
3) Make sure your designated privacy officer is properly trained and that he or she is training your employees.
4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

This article was originally posted at


Clinic says North Dakota Blues violate HIPAA law

Mid Dakota Clinic of Bismarck has opted out of a major initiative by Blue Cross Blue Shield of North Dakota that involves sharing patient records with an outside consultant and cites patient privacy concerns as the reason.

The program, MediQHome, is a “medical home” partnership between the health insurer and teams of medical providers aimed at better managing patients, especially those with chronic diseases, such as diabetes or asthma, to improve outcomes and reduce costs.

The initiative, which involves more than seven of every 10 primary care clinicians representing 75 percent of the North Dakota Blues’ members, requires providers to share patient information with an outside health quality consultant, MDdatacor, a firm located in suburban Atlanta.

Jeff Neuberger, the chief executive officer of Mid Dakota Clinic, said Friday that all patients should be contacted in advance to get their permission before their medical information is sent to a third party for review.

The clinic’s legal counsel, he said, concluded that failure to get individual patients’ express approval would violate a federal law protecting patient privacy, the Health Insurance Portability and Accountability Act, often called HIPAA.

“HIPAA doesn’t allow us to send information on everybody” without the patient’s permission, Neuberger said. “It’s very clear on that. We’ve said (to Blue Cross Blue Shield) you have no right to do that.”

The contract given to providers specifies they get “all appropriate” releases from patients, Neuberger said. But the contract language contradicts what Blue Cross Blue Shield executives have said about patient permission not being necessary, Neuberger said.

Representatives of Blue Cross Blue Shield of North Dakota said the information-sharing under the MediQHome program complies fully with HIPAA and protects patient privacy.

“We have remained 100 percent consistent with all providers that there is no requirement to receive permission from patients in order to participate in MediQHome,” Denise Kolpack, a Blue Cross Blue Shield vice president said in a statement to The Forum, highlighting “no requirement” in bold to emphasize the point.

She went on to say, however, that the contract includes language to allow a provider to participate in the health quality program “even if that provider has their own, stricter requirements around patient permissions and authorizations.”

Most of the major medical providers in North Dakota participate in the MediQHome program, which began in 2009, including Sanford Health and Essentia Health in Fargo.

The top lawyer for Sanford Health said the initiative both helps to improve patient care and complies fully with federal privacy laws.

“The partnership with BCBSND is one example of efforts we are undertaking as a health care system to improve quality and reduce the cost of health care overall for all consumers in our service area,” said Paul Richard, Sanford’s chief legal officer.

“All releases of patient information to MDdatacor by Sanford Health are in compliance with HIPAA,” he added, citing a section of the law he said supported his position.

Kevin Pitzer, chief administrative officer of Essentia Health in Fargo, said the health system’s standard release of information form, for both hospital and clinic patients, includes authorization to release information of the kind it sends to MDdatacor.

“We do get permission from patients to release that information,” he said, adding that Essentia consulted both with in-house and outside legal counsel before embarking on the MediQHome program two years ago.

Participating medical providers send data on all their patients to MDdatacor “to identify clinical opportunities for improved health care delivery to all their patients with chronic diseases,” said Dr. David Hanekom, chief medical officer for Blue Cross Blue Shield of North Dakota.

Dr. Robert Roswick, medical director of Mid Dakota Clinic and a family practice physician, said it is improper – and illegal – to send medical information from all patients to the health quality consultant without prior patient approval.

He offered himself as an example of what he views as a breach of patient confidentiality.

A private pilot, Roswick must get annual physical checkups to keep his license current. He gets his exam at Trinity Health in Minot, which participates in MediQHome.

Aware of that, and the program’s protocol calling for providers to share information for all Blue Cross Blue Shield of North Dakota patients, he asked Trinity if his medical records were sent to the outside health quality consultant, MDdatacor.

The answer Roswick received from Trinity, after writing several letters, was yes. Roswick, who said he had not given his approval to do so, said the release was inappropriate and illegal – especially considering he is not covered by Blue Cross Blue Shield and does not have a chronic medical condition.

“It’s a blatant HIPAA violation,” Roswick said, adding that he has filed a complaint with the federal government and is still waiting for a response.

A spokesman for Trinity Health declined to comment on Roswick’s complaint.

“Patient privacy is important to us, and we strive to comply with all regulations involving patient privacy,” said Randy Schwan, a Trinity vice president.

Mid Dakota Clinic’s Neuberger and Roswick said medical providers in North Dakota have strong financial incentives to participate in MediQHome, and therefore to send information on their patients covered by Blue Cross Blue Shield of North Dakota to MDdatacor for analysis. MDdatacor could not be reached for comment Friday.

In response, Hanekom said BCBSND is revamping its reimbursements to providers in a broad ongoing effort to reward better quality of care.

This article was originally posted at

HIPAA Law-Selecting the Right User Authentication System

One original objective of the HIPAA law was to streamline the health insurance system and provide continuous coverage to people who change or lose their jobs. Its Administrative Simplification provisions also push the industry toward standardized electronic transactions, so patient health records increasingly move from paper to electronic format. Electronic records let covered health providers and their business associates manage voluminous patient health information in a cost-effective manner, but they also bring that information within the scope of the HIPAA Security Rule, which governs electronic protected health information (ePHI).

The HIPAA Security Rule requires covered entities to protect confidential health information from unauthorized access, including access over the network. Its “person or entity authentication” standard (45 CFR 164.312(d)) requires a covered entity to verify that anyone seeking access to ePHI is who they claim to be, without mandating any particular technology. Password-only access is the most common type of authentication system, but on its own it is a weak one: passwords are guessed, phished, reused across systems, or captured in breaches of other services. When users have many passwords to remember, they write them down or reuse them, and a password list that falls into the wrong hands can expose patient data and cause financial losses for both the patient and the health service provider. Where passwords are used they should be stored only as salted, iterated hashes, and they should be paired with a second factor.

A smart card system provides a better option because it combines something the user has (the card) with something the user knows (a PIN). It is not without weaknesses: if a card is lost or stolen and its PIN has also been observed or guessed, the patient health information it protects can be severely compromised, so cards must be revocable and PIN guessing must be rate-limited. Smart-card authentication also requires readers and card issuance infrastructure, which makes it expensive for small health providers to install.

Strong user authentication, which provides a robust defense against unauthorized access or intrusion, should be incorporated into the computer networks. Biometric authentication is one option available to health service providers: it combines unique characteristics of the patient or the user, such as fingerprints, iris scan, voice print, signature or keystroke dynamics, with a password or PIN to create a multi-factor access system. Biometrics carry their own caveat: a fingerprint or iris template cannot be changed if it is leaked, so a biometric should be one factor among several, never the only one. Because the technology uses costly equipment, the health providers need to spend more compared to other available options.
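As an added illustration of the password and “something you have” factors discussed in the preceding paragraphs (this is example code written for this page, not code from the original post or from any named product), the verifier below stores passwords only as salted PBKDF2 hashes, accepts a one-time code from a possession token using the RFC 4226 HOTP algorithm, refuses replayed codes, uses constant-time comparisons, and locks the account after repeated failures. The user record, the token secret (the RFC 4226 test secret), and the constants are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

# Constructed example values; tune iterations and limits to your own risk analysis.
PBKDF2_ITERATIONS = 300_000   # iterated hashing slows offline guessing of a stolen hash
MAX_FAILED_ATTEMPTS = 5       # lock the account after this many failed logins
HOTP_LOOKAHEAD = 3            # tolerate a few token codes generated but never submitted


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest).

    A fresh random salt per user defeats precomputed tables and makes two
    users with the same password produce different stored hashes."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class UserRecord:
    """Minimal per-user state: password hash, token secret, replay counter, lockout."""

    def __init__(self, username: str, password: str, token_secret: bytes):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)   # the password itself is never stored
        self.token_secret = token_secret
        self.token_counter = 0          # highest token counter value accepted so far
        self.failed_attempts = 0
        self.locked = False


def authenticate(user: UserRecord, password: str, otp: str) -> Tuple[bool, str]:
    """Both factors must pass. Failures are counted whichever factor was wrong,
    and the response does not reveal which one, so an attacker learns nothing
    from a partially correct attempt."""
    if user.locked:
        return False, "account locked"

    _, candidate = hash_password(password, user.salt)
    password_ok = hmac.compare_digest(candidate, user.pw_hash)   # constant-time compare

    # Accept only codes *after* the last accepted counter: a code that was
    # already used (or captured by shoulder-surfing) can never be replayed.
    otp_ok, new_counter = False, user.token_counter
    for c in range(user.token_counter + 1, user.token_counter + 1 + HOTP_LOOKAHEAD):
        if hmac.compare_digest(hotp(user.token_secret, c), otp):
            otp_ok, new_counter = True, c
            break

    if password_ok and otp_ok:
        user.token_counter = new_counter    # advance only on full success
        user.failed_attempts = 0
        return True, "ok"

    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.locked = True
        return False, "account locked"
    return False, "invalid credentials"


if __name__ == "__main__":
    # Demo with the RFC 4226 test secret; a real token secret is random per user.
    user = UserRecord("clinician01", "correct horse battery", b"12345678901234567890")
    print(authenticate(user, "correct horse battery", hotp(user.token_secret, 1)))  # (True, 'ok')
    print(authenticate(user, "correct horse battery", hotp(user.token_secret, 1)))  # replay rejected
```

The counter is advanced only when both factors succeed, so an attacker who has the token but not the password cannot burn through codes, and a wrong-password attempt does not tell the attacker whether the code was right. A production deployment would also persist the counter and lockout state atomically and apply the same lockout logic to the PIN of a smart card.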

Under HIPAA law, all covered entities, including hospitals, clinics, clearinghouses and other health service providers, are responsible and accountable for the safety of patient health information. No authentication system is impenetrable, so the Security Rule asks for safeguards that are reasonable and appropriate for the organization, chosen on the basis of a documented risk analysis. Reliable multi-factor user authentication, backed by lockout, logging and prompt revocation of lost credentials, is the core of that defense and protects the health organization from non-compliance with HIPAA law due to poor network security.

User authentication fortifies the computer network against unauthorized access.

Jason Gaya

Read more on HIPAA at,

HIPAA Law: Ensuring Secure Transmission of Patient Health Information Through Fax

The fax machine is a great asset that organizations count on to quickly send and receive information, and it plays a significant role in meeting the communication needs of the office. But under HIPAA law, covered entities and their business associates must operate their faxing systems in a HIPAA-compliant manner, so that protected health information (PHI) is not leaked or exposed to unauthorized people during transmission. A fax sent to the wrong number is a disclosure of PHI, and a machine left unattended in a hallway exposes every page it prints.

As non-compliance with HIPAA law can invite civil penalties and criminal prosecution, it is necessary to put in place a few safeguards that make the daily use of the fax machine safe and secure.

  • Where faxes travel over the internet (fax-to-email or internet fax services), use a system that encrypts the protected health information before it leaves the office and delivers it over an encrypted channel, so that only the intended receiver holds the key to decrypt the message back into its original form. Note that a conventional analog fax over a telephone line is not encrypted; its protection comes from the physical and procedural controls below.
  • The fax machine or fax server should be configured so that no copies of received faxes are retained in its memory or on its storage longer than necessary.
  • The fax should have a built-in copying function that can print as many copies as needed. This eliminates the need to carry PHI to a shared copier and prevents the exposure of confidential patient health information to unauthorized persons.
  • The fax machine should be placed in a secure location and accessed only by authorized personnel. On receipt of a fax, the message should be delivered straight to the intended recipient.
  • Fax numbers that are used regularly should be stored in the machine, and the speed-dial option should be used to prevent misdialing.
  • There should be a sound policy in place that manages the storage, duplication and disposal of faxed protected health information as required by HIPAA law. The policy should also address the misdirected delivery of PHI: whom to notify, how to retrieve or confirm destruction of the pages, and how to assess whether the event is a reportable breach.
  • Before faxing to a new recipient, the number should be verified by sending a test page that contains no PHI and confirming with the recipient that it arrived. This ensures that crucial PHI is dispatched to the intended receiver only.

The fax machine is an integral part of the office communication system. Covered entities such as clinics, hospitals, clearinghouses, insurance companies and other health providers depend on it for their daily communication needs. Under HIPAA law, the fax machine should be installed and used in a secure manner.

A HIPAA-compliant internet fax service typically works as follows: the sender’s document is encrypted and submitted to the service over an encrypted connection, the service transmits it to the receiver’s fax machine or fax-to-email account, and only the receiver, who holds the key or credentials, can decrypt and print the information in its original form. In this way the message is faxed safely over the internet. Encryption of ePHI is an “addressable” implementation specification under the HIPAA Security Rule, which means a covered entity must either implement it or document why an equivalent alternative is reasonable and appropriate. These precautions help health organizations store and exchange the protected health information of the patient as HIPAA law requires.

A HIPAA-compliant fax helps in the quick and safe transfer of patient health information.

Jason Gaya

Read more on HIPAA, at
