Aug 24, 2013

We are covered, our EMR is Certified. Really??

When asked, almost any small practice owner would respond that they don't have to worry about HIPAA compliance because their EMR (the terminology currently in vogue for practice management systems) is certified. Most don't even know what the HITECH or Omnibus rules are. If you try to explain, they take it as someone trying to eke out a few bucks from their already over-burdened cash flow.

Well, let's go through a list of items that would really make a covered entity compliant with HIPAA and related regulatory obligations. This should give one a fair idea whether merely having a certified EMR would suffice to be considered HIPAA compliant. The following list has been updated to reflect the implications of the recently modified HIPAA/HITECH rules that became effective March 26, 2013; all CEs are required to be compliant by September 23, 2013:

  • The very first requirement for HIPAA compliance is to have a Risk Assessment/Analysis study conducted to identify security and privacy vulnerabilities in your business environment, which extends beyond your place of business as almost all systems provide remote and mobile access. Any audit or inquiry will begin by asking you to provide a copy of your risk assessment report. The risk analysis is an ongoing process and you need to be proactively monitoring your environment for any new or changed risks that you should mitigate.
  • The Notice of Privacy Practices (NPP or NOPP) needs to be updated. You probably got a template from somewhere and have been using that. The terms need to be updated with the latest requirements that came into effect this year (2013). You can get some recently updated NPP samples from the websites of the VA, Stanford University Hospitals, etc. and develop yours accordingly.
  • Your business associates (BAs) have now become covered entities and you need to update your Business Associate Agreements to cover these requirements. Any agreements signed before the March 23, 2013 effective date can be updated within the next 18 months, but any new BAAs dated after this deadline need to be updated by September 23, 2013.
  • Update your policies and procedures, and train your workforce to be aware of the privacy and security requirements. All staff, including higher management, are required to undergo training, be tested, and have this documented at least once annually, as well as at the time of initial employment. The key words here are training, testing and documentation.
  • Your computer environment must be protected by a firewall to prevent unauthorized access, anti-virus protection to avoid theft or loss of protected health information, and a backup system that allows recovery within a reasonable time from any disaster.
  • Mobile devices are being utilized more and more to access and update information in EMRs, either locally (on premises) or remotely (off premises). Some protective measures to consider: use complex passwords to access the devices; enable data encryption, both during transmission and for local storage (including the local cache); disable file-sharing apps; use only secured Wi-Fi connections and never public Wi-Fi hot spots; and enable remote locking and wiping of the devices to guard against lost or stolen devices.
  • The Omnibus rule (new updates in 2013) disallows transmission of information on specific patient procedures/treatment to the health plans if the patient pays out of pocket for that service. Your process for coding and billing should be set up to take care of such cases.
  • Physical access to your facilities should be well controlled to protect against unauthorized access to PHI. In addition, backup copies of your data, hard-copy records, thumb/external hard drives, CDs/DVDs, tapes and other portable storage media should be tracked and properly accounted for. Remember to wipe computers, devices and even your networked copiers/printers before disposing of them, as they may hold PHI that can be accessed by unauthorized persons.
  • You should be able to produce logs of who logged into your EMR/EHR, when and where they logged in from, and which data or files they accessed. Review these logs periodically and, in case of any discrepancies, record them and take appropriate action based on the violations.
  • Be prepared for disasters and natural and physical failures, with quick recovery to ensure continuous access to patient data.
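The log-review item above is the one on this list that can be turned into a repeatable check. Here is an added example (my own illustration, not code from any EMR vendor) of the kind of periodic review a practice could run over an exported access log: it parses constructed sample lines in a hypothetical `user=... src=... action=... record=...` format and flags logins outside business hours, logins from outside the practice's own network, and any user who opened more distinct charts in a day than a threshold allows. The trusted network, business hours and threshold are assumptions a practice would set for itself.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample audit lines in the shape an EMR might export; not taken
# from any real product.
SAMPLE_LOG = """\
2013-08-20T09:02:11 user=drlee src=10.0.5.21 action=view record=MRN-000123
2013-08-20T09:15:40 user=drlee src=10.0.5.21 action=update record=MRN-000123
2013-08-20T02:14:05 user=jsmith src=203.0.113.7 action=view record=MRN-000777
2013-08-20T13:01:00 user=front1 src=10.0.5.30 action=view record=MRN-000001
2013-08-20T13:01:05 user=front1 src=10.0.5.30 action=view record=MRN-000002
2013-08-20T13:01:09 user=front1 src=10.0.5.30 action=view record=MRN-000003
2013-08-20T13:01:12 user=front1 src=10.0.5.30 action=view record=MRN-000004
2013-08-20T13:01:18 user=front1 src=10.0.5.30 action=view record=MRN-000005
2013-08-20T13:01:25 user=front1 src=10.0.5.30 action=view record=MRN-000006
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Assumed review policy for the practice: its own LAN, its business hours, and
# how many distinct charts one user may open per day before a reviewer looks.
TRUSTED_NETS = [ip_network("10.0.5.0/24")]
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
MAX_RECORDS_PER_USER_DAY = 5


def parse_log(text):
    """Turn exported audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review(events):
    """Apply the review rules; return a list of (rule, user, detail) findings."""
    findings = []
    per_user_day = defaultdict(set)
    for ev in events:
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", ev["user"], ev["ts"].isoformat()))
        src = ip_address(ev["src"])
        if not any(src in net for net in TRUSTED_NETS):
            findings.append(("untrusted_source", ev["user"], ev["src"]))
        per_user_day[(ev["user"], ev["ts"].date())].add(ev["record"])
    for (user, day), records in per_user_day.items():
        if len(records) > MAX_RECORDS_PER_USER_DAY:
            findings.append(("bulk_access", user,
                             f"{len(records)} distinct records on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:17} {user:8} {detail}")
```

Each finding is something to record and follow up on, not proof of a violation: an after-hours login may be an on-call physician, and a burst of chart views may be a front-desk batch task. The point is that the review is documented and repeatable, which is what an auditor will ask to see.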
I urge you to go over the above recommendations once more to really understand what's involved in being HIPAA/HITECH compliant, and to realize that merely having a Certified EMR/EHR does not make you compliant. Remember, OCR (Office of Civil Rights), OIG (Office of Inspector General) and various federal and state agencies are becoming ever more proactive in enforcing the rules, and larger penalties and sanctions are resulting from these actions.

You can either invest your time to do it yourself or invest in a good consultant to take care of this for you. Either way, it is a necessary investment that is a part of running your healthcare business as required by the law.

Aug 22, 2013

PHI - What does it mean?

PHI stands for Protected Health Information. It can be formally defined as:
"Any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual."
Informally, it includes any part of a patient's medical record or payment history.

Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that can be linked to an individual through any of the following 18 identifiers must be treated with special care:

1. Names
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and [t]he initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

By removing certain pieces of information (based on the above listed 18 items), health information can be de-identified and, hence, can be used and shared publicly, though it is still governed by the Common Rule, which is specifically applicable to biomedical and behavioral research involving human subjects in the USA. Removing these 18 elements is also known as the "Safe Harbor Method".

The HIPAA Privacy Rule covers PHI in any medium, while the HIPAA Security Rule covers electronic PHI, or ePHI.

De-Identifying PHI:
The de-identification standard is covered under HIPAA Privacy Rule [45 CFR 164.514]. Some basic information regarding this rule is stated below:
(a) Standard:  de-identification of protected health information.  Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

(b) Implementation specifications:  requirements for de-identification of protected health information.  A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i)   Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and

(ii) Documents the methods and results of the analysis that justify such determination; or

(2)

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

(c) Implementation specifications:  re-identification.  A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

(1) Derivation.  The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and


(2) Security.  The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
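The Safe Harbor list in (b)(2) and the re-identification code rules in (c) are mechanical enough to implement, and doing so shows where the subtle parts are: the zip prefix rule, the ages-over-89 rule (which drops the birth year too, since the year alone would reveal the age), and the requirement that any re-identification code not be derived from anything about the patient. The following is an added example, not from the regulation or any EMR product; the record layout and field names are assumed, and the set of low-population three-digit zip prefixes is a constructed stand-in for the figures a practice would have to take from current Census data.

```python
"""Safe Harbor de-identification of a patient record (45 CFR 164.514(b)(2))
with a non-derived re-identification code (45 CFR 164.514(c))."""
import re
import secrets
from datetime import date

# Constructed sample of ZIP3 prefixes whose combined population is 20,000 or
# fewer. The real set must be derived from current Bureau of the Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Assumed field names holding identifiers (A) and (D) to (R), which Safe
# Harbor removes outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url",
    "ip", "biometric", "photo",
}
# Assumed field names holding dates related to the individual (element (C)),
# which are reduced to the year.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}


def generalize_zip(zip_code):
    """Element (B): keep the 3-digit prefix, or 000 for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def year_only(iso_date):
    """Element (C): strip month and day from an ISO-8601 date string."""
    return date.fromisoformat(iso_date).year


def age_on(birth, as_of):
    """Whole years between two dates."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record, as_of, reid_map):
    """Return a Safe Harbor de-identified copy of `record`.

    `reid_map` is the covered entity's separate, undisclosed mapping from the
    random code back to the original record (164.514(c)(2)).
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # removed outright
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field] = year_only(value)
        elif field == "birth_date":
            pass                          # handled below together with age
        else:
            out[field] = value            # e.g. diagnosis: not an identifier
    birth = date.fromisoformat(record["birth_date"])
    age = age_on(birth, as_of)
    if age > 89:
        # The age and any date element indicative of it (the birth year too)
        # must go; the only permitted value is the aggregate category.
        out["age"] = "90+"
    else:
        out["age"] = age
        out["birth_year"] = birth.year
    # (c)(1): the code is random, not derived from anything about the person.
    code = secrets.token_hex(16)
    reid_map[code] = dict(record)
    out["record_code"] = code
    return out


def demo():
    """Constructed sample record; returns (de-identified record, mapping)."""
    record = {
        "name": "Jane Example",
        "mrn": "MRN-000123",
        "ssn": "123-45-6789",
        "email": "jane@example.test",
        "zip": "03601-1234",
        "birth_date": "1920-05-01",
        "admission_date": "2013-03-26",
        "diagnosis": "J18.9",
    }
    reid_map = {}
    return deidentify(record, date(2013, 8, 24), reid_map), reid_map
```

Note that the de-identified output and `reid_map` must live in different places with different access controls; handing both to the same recipient defeats (c)(2). Stripping these 18 elements also satisfies only (b)(2)(i); the covered entity still has to meet (b)(2)(ii), the "no actual knowledge" test, for the particular data set.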

© 2012 Health Compliance Consultants

HIPAA /HITECH Acts - New Final Rule 2013 - What changed?

DISCLAIMER: This article should not be taken as legal advice; it is a basic introduction to some changes that have been promulgated to the HIPAA/HITECH Acts final rules.
A significant modification to the existing HIPAA/HITECH Rules was made which came into effect on March 26, 2013. Covered Entities have until September 23, 2013 to become compliant with the revised rules. Let's start with some changes that are going to make the heaviest impact:
Business Associates are now considered Covered Entities and the full force of the HIPAA/HITECH Acts now applies to them as well. This requires Business Associate Agreements to be updated to reflect this change. BAAs that were in place before this final rule became effective can be revised within the next 18 months, whereas BAAs for new Business Associates signed after the effective date have to be updated within 6 months (the Sept. 23, 2013 cut-off date).
Breach Notification standards have been revised. The Harm Standard, as it was commonly known, has been redefined under a new name or title, "adverse to the individual". Each potential breach needs to be evaluated or assessed based on four factors: 1. what information was breached; 2. to whom the information was released; 3. whether it was actually accessed, used, or disclosed; and 4. what mitigating steps were taken on the incident. This standard not only provides some guidance on whether a breach is reportable, but also requires CEs to establish a process to assess the risk of every potential breach. The law does require a proper assessment for each breach incident and does not allow the process to be automatic.
Patients' right to access their PHI has been modified as well. Patients have the same rights as before, but they can ask for their PHI (Protected Health Information) to be transmitted to them in an unsecured way, and the CE, after informing the individual of the risk of a privacy breach, can transmit it based on the individual's demand. CEs do need to document this discussion for future reference and for their defense in case of an audit or litigation. The important point to note here is that this applies to the individual whose PHI is being transmitted and not to professional exchanges of PHI, which must be properly encrypted.
We will continue posting further updates to this article to highlight more significant and not so significant modifications to the HIPAA/HITECH laws.


Jul 10, 2013

The Second Chance.


I used to wish to go back in time and do things differently and be a more successful person. Sometimes I would think about ideas that came to my mind, but they remained ideas while someone else worked on the very same ideas and became successful. There is a saying, "hindsight is always perfect". This implies that if we knew the future we could do things differently in the present and become more successful than we would be without that knowledge. Now compare this to "foresight", which is fraught with you making wrong decisions and not doing what you should have done. We always wish for a second chance to do things the right way.

One would think that the only way to get your Second Chance is to travel back in time. I wish it were as simple as sitting in a time travel machine and going back. The problem with time travel is that right now there are no means to travel back in time except in sci-fi movies. However, there does exist a way to travel ahead in time, i.e. to the future. To do that all we need to do is use the machine we all already have. The machine is called imagination. The past cannot be imagined, for it has already happened, but nothing stops you from imagining the future, as it hasn't happened yet. Use your power of imagination and travel to the future and see your successful self, having achieved everything that you think would make you a successful person, but right next to your successful self imagine your unsuccessful self who failed to achieve anything. Here lies the really important trick: you can envision both your successful self as well as your unsuccessful self, then figure out what it took to become either one of them.

Okay, enough of envisioning for now; travel back to the present and the whole perspective has changed with the knowledge that you can reach your successful self in the future much more easily than by just going through life aimlessly and dealing with it as it hits you. If you still haven't got it, then just think you are 5, 10, 15, 20 or however many years in the future and are broke: broke financially, physically, emotionally. Your family life is a ruin too, and you are just contemplating how you got there and "what you would do differently to not get to where you are?". This last part is really very important. This is going to be the key to your ultimate success. Now travel back to your present and think about what you just experienced, spend some time thinking about your failed self that you just saw and make a list of things you would do differently to avoid becoming that person. Start writing the list on paper or into your computer/laptop/tablet/phone. This list, if followed, almost guarantees you will become a successful person. Here's the catch: you are now living your "Second Chance", so make sure you do what you should have done the first time around so that you can become the successful person you just visited.

To get you started I have listed below some simple things we can start following today which I feel would lead me to the successful person I saw standing next to the failure I wanted to avoid becoming. Feel free to add your own items to the list or to simply start with your very own list from scratch. Just remember this is your Second Chance, so don't make the mistakes you made the first time around. Let's name this "My Life List".
  • Send a note/email/message to someone daily about why you like them. Send a note a day to certain people, a week to others, and a month to others. Keep adding more, but try not to delete anyone.
  • Talk to a stranger, daily. Get to know about them, remember their name and other details and try to contact again.
  • Take pictures every day and sort out the ones you want to keep.
  • Identify a belief, daily. Question this and try to change it for the better
  • Walk/exercise for at least 30 minutes every day.
  • Identify one good quality about yourself, daily. Try to improve upon it.
  • Try a new recipe, once a week.
  • Refrain from one bad habit for at least 30 days, keep adding one habit a day.
  • Write a blog entry, daily.
  • Practice on a skill, daily. For example draw something, play an instrument, play a game.
  • Watch an inspirational video, daily; Can be self-improvement, educational, biographical, documentary.
  • Read at least one chapter of a book, daily.
  • TV fast, daily. Stop watching TV outside a specific time (less than an hour).
  • Meditate, daily, for 20 to 30 minutes.
  • Wake up early, daily / Sleep in time, daily.
  • Write a journal, daily.
  • No excuses, no lies, no complaints, forever.
  • Do something you are scared of, daily.
  • Do something selfless, daily.
  • Pray, 5 times a day. Morning, noon, afternoon, evening, night.
  • Thank before eating a meal.
  • Plan your day the night before, daily.
  • Plan your week, the Sunday before.
  • Plan your month the last day of previous month.
  • Plan your year the last week of the previous year.
  • Smile while talking, in person, on phone.
  • Smile while writing a message.

Mar 12, 2013

NOW is the most important time....

Every once in a while I realize that I am making a big deal of something that really isn't important. I remember a book titled "Who Moved My Cheese?". Although I never read that book, my interpretation would be that someone is worrying about something that should not make much difference to the overall picture. Probably the cheese wasn't moved at all and it's just us thinking someone moved it, and to make it even worse, we start worrying about who moved it, what they were thinking, and now life's not worth living.

If you really want to analyze and understand something, you need to detach from it and take a 1000 feet (or maybe a 1000 miles) view, meaning you look from a much broader perspective instead of focusing on only a part of it.

Let's use this approach on our lives. A very, very simple view from a thousand miles above would be that LIFE starts when we are born and ends when we die. This overly simplistic definition applies not only to us but also to those who have come before us and to those who will follow. The shortest life span can be death at birth, and the longest, though not definite, very close to 100 years (give or take a few years). The majority, though, perish somewhere in between the two extremes. Although science and technology have increased the general life span, the fact remains that everybody is born and dies or will die at some point, giving life clearly delineated start and end points.

Do we really want to spend whatever life span we have worrying about who moved our cheese? Who cut us off on the road? Who said something that we didn't like? What someone is or is not doing? What someone is wearing, eating, driving? Or do we want to spend it enjoying the small moments that swoosh past us while we are trying to figure out the exact location of the cheese? The small moments are right where we are, who we are with, what we are doing, how we are dealing with others: the PRESENT. This is the most important point in time one can have.

We have no control over what has already happened or what will happen next, but we can definitely make the best use of our "present". This will help us make the future better as well as make our past something to cherish. The most important person is the one you are with right now; leave them with pleasant memories and make them feel important and special. For when you are gone they will remember you as someone special they met and would want to meet again. You have the power to make this world a good place to live in, one person at a time, and it doesn't take much effort. Just be nice.

The most important thing you do is what you are doing right now, for this will represent your past and also be the foundation of your future. So stop worrying about the coordinates of your cheese and share it with people around you and do something that will make your past memorable and future something to look forward to.

Feb 11, 2013

Your best comes out when you are not competing with others....

I will start by taking you back almost 35 years, when I was a young schoolboy. My parents always told me that there are only four positions in the class: first, second, third and "the rest". So naturally I was all the time being pushed to try and leave "the rest" behind and get into the first three. I did manage to do that eventually, but there were always these other two guys around me trying their best to get or stay ahead of me. Then, there were always boys from "the rest" of the crowd threatening to break into the top three, and they often succeeded.

Then something happened that got me to the first position and I never looked back. That something was when I stopped competing with the others. I decided that if I have to stay on top I must achieve a certain percentage and that was as close to 100% as possible, and I stopped worrying about what anyone else was doing or achieving. It was just me trying to get to 100%. In some subjects it was possible to get to 100% while in others you could only get as far as the teacher was willing to let you go. So now I had a goal in each subject to achieve and that goal was very precise and clear. It wasn't to stay ahead of others, as that would be a moving target without any specific position to get to. I was very clear what I needed to get in order to be the best. I repeated the same when I was in the engineering school and got similar results.

What I am trying to explain here is that if you want to be the best in whatever you do, you have to forget about how the others are doing and set up your own target, and then focus just to get to that target. The end results will always be that since the target was set at a point where you would be the best so you will turn out to be the best. This is what I consider not competing with others, or in other words, competing with yourself.

Feb 4, 2013

I have never failed at anything!

"I have never failed at anything in my life" - nobody will take you seriously if you say this. I never thought I could say that about myself either, as I thought I could fill up books with the list of things I have "failed" in. So why did I choose this as the title of this article? I was reminiscing one day on my life and what I have achieved (not what I have failed at) and it suddenly struck me that I have succeeded in anything I had wanted to succeed at. The new revelation dawned on me when I started analyzing why I had succeeded at certain things, and then came the realization that I have succeeded at whatever I planned to succeed in. I hope the last couple of sentences will steer your thoughts towards the fact that when you really want something strongly enough and you go out there to get it, you always get it. The things where you think you have failed are, in fact, things you didn't want badly enough and didn't try hard enough for. And if you don't try hard enough, you have, in fact, not failed, because you never went after success to begin with.

Almost any self-improvement speech has this famous quote from Napoleon Hill: "What the mind of man can conceive and believe, it can achieve". I used to think that I can think of a lot of stuff that I can never achieve. However, now that I have figured out that I have never failed at anything, I understand what Napoleon Hill wanted to convey.

So, in order to understand for yourself what I am talking about, first decide what you want, then make a plan listing what needs to be done to get it, and finally start executing the plan. There will be hurdles, setbacks, seemingly impossible situations, but as long as you focus on what you want, you can go around obstacles, get up and get going again, or change your approach, and you will get to your goal. To reinforce this mindset, just think about the successes, small and big, that you have had in your life and recall the reasons for your success, and eventually you too will figure out that "You have never failed at anything in your life".