Aug 24, 2013

We are covered, our EMR is Certified. Really??

Ask almost any small practice owner and he will tell you that he does not have to worry about HIPAA compliance because his EMR (the term now in vogue for practice management and charting systems) is certified. Most do not even know what the HITECH Act or the Omnibus rule is. If you try to explain, they take it as someone trying to eke out a few bucks from an already over-burdened cash flow.

Well, let's go through a list of items that would actually make a covered entity (CE) compliant with HIPAA and related regulatory obligations. This should give you a fair idea whether merely having a certified EMR suffices to be considered HIPAA compliant. The list has been updated to reflect the modified HIPAA/HITECH rules that became effective March 26, 2013; all CEs are required to be compliant by September 23, 2013:

  • The very first requirement for HIPAA compliance is a risk assessment/analysis that identifies security and privacy vulnerabilities in your business environment, which extends beyond your place of business now that almost all systems provide remote and mobile access. Any audit or inquiry will begin by asking you for a copy of your risk assessment report. Risk analysis is an ongoing process: you need to proactively monitor your environment for new or changed risks and mitigate them.
  • The Notice of Privacy Practices (NPP or NOPP) needs to be updated. You probably got a template from somewhere and have been using it since. Its terms need to reflect the requirements that came into effect this year (2013). Recently updated NPP samples are available from the websites of the VA, Stanford University Hospitals and others; develop yours accordingly.
  • Your business associates (BAs) are now directly liable under HIPAA in much the same way as covered entities, and your Business Associate Agreements (BAAs) need to be updated to cover these requirements. Agreements signed before the March 26, 2013 effective date can be updated within the next 18 months, but any new BAA dated after the effective date must be updated by September 23, 2013.
  • Update your policies and procedures, and train your workforce to be aware of the privacy and security requirements. All staff, including senior management, must be trained and tested, with the results documented, at the time of initial employment and at least once a year thereafter. The key words here are training, testing and documentation.
  • Your computer environment must be protected by a firewall to prevent unauthorized access, anti-virus/anti-malware protection to reduce the risk of theft or loss of protected health information, and a tested backup system so that you can recover within a reasonable time from any disaster.
  • Mobile devices are being used more and more to access and update EMRs, both locally (on premises) and remotely (off premises). Protective measures to consider include: complex passwords or passcodes to unlock the devices; encryption of data both in transit and at rest (including the local cache); disabling file-sharing apps; using only secured Wi-Fi connections and never public hot spots; and enabling remote lock and remote wipe to guard against lost or stolen devices.
  • Under the Omnibus rule (the 2013 updates), if a patient pays out of pocket in full for a service and asks that it not be disclosed to their health plan, you must honor that restriction and not send information about that procedure/treatment to the plan. Your coding and billing process should be set up to handle such cases.
  • Physical access to your facilities should be well controlled to protect against unauthorized access to PHI. In addition, keep track of backup copies of your data, hard-copy records, thumb drives and external hard drives, CDs/DVDs, tapes and other portable storage media; all should be properly accounted for. Remember to wipe computers, devices and even networked copiers/printers before disposing of them, since they may hold PHI that an unauthorized person could recover.
  • You should be able to produce logs of who logged into your EMR/EHR, when and from where they logged in, and which records or files they accessed. Review these logs periodically; when you find a discrepancy, record it and take appropriate action based on the violation.
  • Be prepared for disasters, whether natural events or physical failures, with a recovery plan that ensures quick restoration of access to patient data.
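The log review asked for in the checklist above, as an added example that is not part of the original post: a small Python script that parses EHR access-log lines and flags the kinds of discrepancies a periodic review should catch (after-hours access, access from outside the office network, and one user pulling up many patients in a short time). The log format, user names, office IP range, business hours and bulk-access threshold are constructed assumptions for illustration.

```python
"""Added example (not from the original post): periodic review of EHR access
logs. Log format, users, IP range, hours and threshold are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, source IP, action, patient MRN.
SAMPLE_LOG = """\
2013-08-20T09:12:03 jsmith 10.0.1.15 VIEW MRN-1001
2013-08-20T09:14:40 jsmith 10.0.1.15 UPDATE MRN-1001
2013-08-20T02:31:10 rjones 10.0.1.22 VIEW MRN-2044
2013-08-20T13:05:00 tlee 203.0.113.9 VIEW MRN-3107
2013-08-20T14:00:01 mdavis 10.0.1.40 VIEW MRN-4001
2013-08-20T14:00:05 mdavis 10.0.1.40 VIEW MRN-4002
2013-08-20T14:00:09 mdavis 10.0.1.40 VIEW MRN-4003
2013-08-20T14:00:12 mdavis 10.0.1.40 VIEW MRN-4004
2013-08-20T14:00:15 mdavis 10.0.1.40 VIEW MRN-4005
2013-08-20T14:00:19 mdavis 10.0.1.40 VIEW MRN-4006
"""

# Assumed review parameters; tune them to the practice.
OFFICE_NETS = [ipaddress.ip_network("10.0.1.0/24")]  # on-premises address range
BUSINESS_HOURS = (7, 19)                              # access expected 07:00-18:59
BULK_THRESHOLD = 5                                    # distinct patients per user-hour


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, mrn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "action": action, "mrn": mrn})
    return events


def review(events):
    """Return (finding_type, user, detail) tuples for a human to follow up on."""
    findings = []
    patients_per_user_hour = defaultdict(set)
    for e in events:
        # Access outside business hours: not necessarily wrong, but worth a look.
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", e["user"], f"{e['action']} {e['mrn']} at {e['ts']}"))
        # Access from an address outside the office network (remote or unexpected).
        if not any(e["ip"] in net for net in OFFICE_NETS):
            findings.append(("offsite_access", e["user"], str(e["ip"])))
        # Count distinct patients touched by each user within each clock hour.
        patients_per_user_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["mrn"])
    for (user, hour), mrns in patients_per_user_hour.items():
        if len(mrns) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(mrns)} distinct patients in hour {hour}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:15} {user:8} {detail}")
```

Each finding is a lead for a person to follow up, not a verdict: the on-call clinician reading a chart at 02:31 may be perfectly legitimate, but the review and its outcome should be recorded either way.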
I urge you to go over the above recommendations once more to really understand what is involved in being HIPAA/HITECH compliant, and to realize that merely having a certified EMR/EHR does not make you compliant. Remember, OCR (the HHS Office for Civil Rights), OIG (the Office of Inspector General) and various federal and state agencies are becoming ever more proactive in enforcing the rules, and larger penalties and sanctions are resulting from these actions.

You can either invest your time to do it yourself or invest in a good consultant to take care of this for you. Either way, it is a necessary investment that is a part of running your healthcare business as required by the law.

Aug 22, 2013

PHI - What does it mean?

PHI stands for Protected Health Information. It can be formally defined as:
"Any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual."
Informally, it includes any part of a patient's medical record or payment history.

Under the US Health Insurance Portability and Accountability Act (HIPAA), health information that contains any of the following 18 identifiers is individually identifiable and must be treated with special care:

1. Names
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data

By removing these 18 elements, health information can be de-identified; it is then no longer PHI under HIPAA and can be used and shared publicly. Research use of such data may still be governed by the Common Rule, which applies specifically to biomedical and behavioral research involving human subjects in the USA. Removing these 18 elements is known as the "Safe Harbor" method.

The HIPAA Privacy Rule covers PHI in any medium, while the HIPAA Security Rule covers only electronic PHI (ePHI).

De-Identifying PHI:
The de-identification standard is set out in the HIPAA Privacy Rule at 45 CFR 164.514. The relevant text of the rule is quoted below:
“(a) Standard:  de-identification of protected health information.  Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

(b) Implementation specifications:  requirements for de-identification of protected health information.  A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i)   Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and

(ii) Documents the methods and results of the analysis that justify such determination; or

(2)

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

(c) Implementation specifications:  re-identification.  A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

(1) Derivation.  The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and


(2) Security.  The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”
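The Safe Harbor method of paragraph (b)(2) and the re-identification code rules of paragraph (c), as an added worked example that is not part of the original page or of the regulation: a Python routine that drops the fields holding the 18 identifiers, generalizes ZIP codes, dates and ages the way (B) and (C) require, and issues re-identification codes that are random rather than derived from the individual's data. The record layout, field names, sample patients, reference date and the placeholder set of low-population ZIP prefixes are constructed assumptions; a real deployment must load the Census-derived prefix list.

```python
"""Added example (not from the page or the regulation): Safe Harbor
de-identification under 45 CFR 164.514(b)(2) plus a (c)-style re-identification
code. Field names, sample records, AS_OF and LOW_POPULATION_ZIP3 are constructed."""
import re
import secrets
from datetime import date

# Assumption: 3-digit ZIP prefixes whose combined population is 20,000 or fewer
# per current Census data. Placeholder values only; load the real list in use.
LOW_POPULATION_ZIP3 = {"036", "059"}

# Record fields that map to identifiers (A) and (D)-(R): removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}
# Fields holding dates directly related to the individual, identifier (C).
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# Constructed reference date for computing ages.
AS_OF = date(2013, 8, 22)


def safe_harbor_zip(zip_code):
    """(B): keep the first three digits unless that 3-digit area is low population."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record, as_of):
    """Return a new dict with the 18 Safe Harbor identifiers removed or generalized."""
    age = age_on(record["dob"], as_of)
    over_89 = age > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # (A), (D)-(R): drop the field
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)      # (B)
        elif key in DATE_FIELDS:
            # (C): keep the year only. A birth year for someone over 89 is itself
            # indicative of that age, so it is dropped as well.
            out[key + "_year"] = None if (key == "dob" and over_89) else value.year
        else:
            out[key] = value                          # clinical data is not an identifier
    out["age"] = "90+" if over_89 else age            # (C): ages over 89 aggregated
    return out


class ReidentificationTable:
    """(c): the code is random, so it is not derived from the individual's data,
    (c)(1); the mapping stays with the covered entity and is never disclosed, (c)(2)."""

    def __init__(self):
        self._code_to_mrn = {}

    def assign(self, mrn):
        code = secrets.token_hex(16)
        while code in self._code_to_mrn:              # guard against a (negligible) collision
            code = secrets.token_hex(16)
        self._code_to_mrn[code] = mrn
        return code

    def reidentify(self, code):
        return self._code_to_mrn[code]


# Constructed sample records (fictitious patients).
SAMPLE_A = {
    "name": "Jane Doe", "mrn": "MRN-1001", "ssn": "123-45-6789",
    "street": "1 Main St", "city": "Palo Alto", "zip": "94305-1234",
    "phone": "650-555-0100", "email": "jane@example.com",
    "dob": date(1975, 3, 14), "admission_date": date(2013, 8, 2),
    "diagnosis": "J45.909",
}
SAMPLE_B = {
    "name": "John Roe", "mrn": "MRN-2044", "zip": "03601",
    "dob": date(1920, 11, 30), "admission_date": date(2013, 7, 19),
    "diagnosis": "I10",
}

if __name__ == "__main__":
    table = ReidentificationTable()
    for rec in (SAMPLE_A, SAMPLE_B):
        clean = deidentify(rec, AS_OF)
        clean["code"] = table.assign(rec["mrn"])      # the code may travel with the data
        print(clean)
```

Note what the routine does not do: it cannot satisfy (b)(2)(ii), the "no actual knowledge" condition, and it does nothing about free-text notes that may mention names or dates. A keyed hash of the MRN would be a more convenient code, but it is derived from the individual's information and so does not meet (c)(1); hence the random code and a lookup table the covered entity keeps to itself.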

© 2012 Health Compliance Consultants

HIPAA /HITECH Acts - New Final Rule 2013 - What changed?

DISCLAIMER: This article should not be taken as legal advice; it is a basic introduction to some of the changes promulgated in the HIPAA/HITECH final rule.
A significant modification to the existing HIPAA/HITECH rules came into effect on March 26, 2013. Covered entities have until September 23, 2013 to become compliant with the revised rules. Let's start with the changes that will have the heaviest impact:
Business associates (BAs) are now directly liable under the HIPAA/HITECH rules in much the same way as covered entities, so Business Associate Agreements (BAAs) must be updated to reflect this. BAAs that were already in place before the final rule became effective may be revised within the next 18 months; BAAs with new business associates entered into after the effective date must be brought into line within 6 months, i.e. by the September 23, 2013 cut-off date.
Breach notification standards have been revised. The old "harm standard" is gone: an impermissible use or disclosure of PHI is now presumed to be a reportable breach unless the CE can demonstrate a low probability that the PHI has been compromised. That determination has to rest on a risk assessment of at least four factors: 1. what information was involved (the nature and extent of the PHI, including the identifiers and the likelihood of re-identification); 2. to whom the information was disclosed; 3. whether it was actually acquired or viewed; and 4. what mitigating steps were taken in response to the incident. The standard does not just give guidance on whether a breach is reportable; it obliges CEs to have a process that assesses the risk for every potential breach. The rule requires a proper, documented assessment of each incident and does not allow the decision to be automatic.
Patients' right to access their PHI has been modified as well. Patients have the same rights as before, but they can now ask for their PHI (Protected Health Information) to be transmitted to them in an unsecured way (for example, by unencrypted e-mail); after informing the individual of the risk to their privacy, the CE may transmit it as requested. CEs do need to document this discussion for future reference and for their defense in case of an audit or litigation. The important point is that this applies only to an individual's own PHI being sent to that individual, not to professional exchange of PHI between providers, which should still be properly encrypted.
We will continue posting further updates to this article to highlight more significant and not so significant modifications to the HIPAA/HITECH laws.