HIPAA in a "Nutshell" - Guidelines for EMR and Paper Medical Records Compliance

 

HIPAA in a “nutshell”

There are two HIPAA rules requirements; privacy (2003) and security (2005). Both rules require:

-Identifying possible threats,
-Assessing specific vulnerabilities,
-Determining appropriate and reasonable safeguards and
-Implementing the necessary defense mechanisms and policies.

Using an EMR (electronic medical record) has no absolute right and wrongs in either computer equipment or software for HIPAA compliance. Usually there are four areas to examine:

-Physical Security – can your computers with patient data be stolen?
-User Security - can anybody log on to the patient database?
-System Security – what happens on a hard drive crash?
-Network Security – can unauthorized persons outside your facility access patient data?

Using paper medical records begs similar questions:

-Physical Security – how secure are the files from fire and theft?
-User Security - what access controls and logging is there?
-System Security – what happens in a fire or flood?
-Storage Access – are the files in a locked, secure area?

There are HIPAA penalties

The civil monetary penalty is up to $100 per person record per violation and up to $25,000 per year total for the same type of violation. There is 30 days to correct the problem if it is not through willful neglect.

The criminal penalties are for “misuse” and for obtaining or using health information by “false pretenses” or with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. These penalties are up to $250,000 and five years in jail.

Currently there is no real effective enforcement body.

HIPAA compliance "thumb rules"

With an EMR most of the requirements are common sense and providers do not need to be overly concerned but do require some basic steps like:

-Put your computer server in a secure room, locked,
-Use an EMR with user management and permissions,
-Make regular back-ups and store them in a secure place and
-Employ a computer specialist.

Most medical practices and clinics using paper records need to make physical changes to be HIPPA compliant. If you continue to use paper then there are a myriad of physical complexities to consider:

-How to monitor staff access,
-Fire and flood protection (insurance is not enough)
-A disaster plan (that has been documented and practiced.)

Finally, if there is a legal case brought forward a provider to protect themselves should have a trail of how the patient's individual information was accessed. For paper records this means at a minimum a monitored sign out sheet and for an EMR user logging of patient file access.

Michael Milne is the CEO of BrunMed, Inc. (http://www.brunmed.com), the developer of Medscribbler, the first handwriting embedded EMR for the Tablet PC. Visit http://www.medscribbler.com for more information on a handwriting enabled EMR.

Deriving Due Care Practices from HIPAA and GLBA

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm Leach Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customer's information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlement of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from substantial gaps of prosecutable computer crimes that exist in federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than to two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):

 

1. Assess and Control Risk
2. Assign Security Responsibility
3. Appropriate Access and Authorization
4. Security Awareness and Training
5. Incident Response and Reporting
6. Disaster Recovery
7. Security Evaluation
8. Vendor Contracts
9. Facility Access Controls
10. Data Integrity Controls
11. Encryption
12. Security Monitoring Procedures

 

Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers’ information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:

 

• Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
• Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation. (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures. (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
• Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program. (HIPAA/GLBA Due Care Practice #7: Security Evaluation)

 

These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and GLBA.

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.

The Need for HIPAA Complaint Medical Billing Software

 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes seven sets of rules that will affect your practice. The Department of Health and Human Services, or DHHS, issues these in the form of the ""Notice of Proposed Rule Making"" or NPRM. Every practice, regardless of size, must comply with HIPAA privacy, security and transactional regulations. Moreover, adherence to all subsequent regulations is also required. This covers most everything in your practice, including your medical billing software.

When you are shopping for medical billing software, ask how and for whom the system was designed, and whether the data will be safe and secure on backed-up, protected, HIPAA-compliant servers accessible only to authorized persons. Look for companies who provide free updates to ensure continued efficiency and HIPAA compliance. The new HIPAA standards require huge changes to how healthcare organizations deal with their patient information, including coding, security, patient record management, reimbursement and care management. HIPAA‘s provisions include stringent codes for the unvarying transfer of electronic data, including routine alterations and billing.

Clearly your approach to HIPAA medical billing software must include a serious investigation of software security. Most computer experts will agree that there is no such thing as absolute computer or software security, so working closely with your HIPAA software providers to help determine data deficiencies is a good idea. HIPAA Complaint Medical Billing Software can be easily expanded to meet future needs, and can be targeted directly to the size and complexity of your practice. Options for new HIPAA compliant software have never been better, as there is unlimited scalability, a wide range of customization choices, and a large selection of useful features that will prevent the patients' privacy from being compromised.

Innovations in the technology of medical billing software have created a new criterion for digital precision. Make certain that the HIPAA compliant medical software packager you chose includes all finalized aspects of HIPAA to guarantee full compliance with HIPAA standards as they relate to the electronic transfer of protected health information. The regulations themselves took effect in February 2003, and affect every medical practice in the United States. Effective April 2005, HIPAA mandates security measures to physically and electronically secure electronic protected health information (PHI) against unauthorized retrieval, reliably store the electronic data, and provide for emergency access to the data.

Since most medical billing software packages are now designed to be HIPAA compliant, it is just a matter of choosing the right software for your practice, and your medical billing software will run as smoothly and efficiently as ever.

Medical Billing Software Info provides comprehensive information about medical insurance billing software, HIPAA compliant medical billing software, easy and free medical billing software, and medical billing software prices and reviews. Medical Billing Software Info is the sister site of Medical Billing Web.

Alert: New HIPAA Rules Could Affect Your Organization's Email System

On April 21, 2005, a new Health Insurance Portability and Accountability Act (HIPAA) security rule went into effect. The requirements of this rule, which are basically information security best practices, focus on the three cornerstones of a solid information security infrastructure: confidentiality, integrity and availability of information.

The HIPAA regulatory requirements encompass transmission, storage and discoverability of Protected Health Information (PHI). Given the widespread use and mission-critical nature of email, enforcement of HIPAA encryption policies and the growing demand for secure email solutions, email security has never been more important to the healthcare industry than it is right now.

Although many assume it applies only to health care providers, HIPAA affects nearly all companies that regularly transmit or store employee health insurance information. HIPAA was signed into law in 1996 by former President Bill Clinton, with the intent of protecting employee health and insurance information when workers changed or lost their jobs. As Internet use became more widespread in the mid-to-late 1990s, HIPAA requirements overlapped with the digital revolution and offered direction to organizations needing to exchange healthcare information.

HIPAA in the Workplace
Collaboration between employers and healthcare professionals has grown increasingly digital, and email has played an ever-increasing role in this communication. However, email’s increased importance can lead to severe consequences without proper security and privacy measures implemented.

In addition to the usual concerns about privacy and security of email correspondence, even organizations that are not in the healthcare industry must now consider the regulatory compliance requirements associated with HIPAA. The Administrative Simplification section of HIPAA, which, among other things, mandates privacy and security of Protected Health Information (PHI), has sparked concern about how email containing PHI should be treated in the corporate setting. HIPAA, as it relates to email security, is an enforcement of otherwise well-known best practices that include:

* Ensuring that email messages containing PHI are kept secure when transmitted over an unprotected link

* Ensuring that email systems and users are properly authenticated so that PHI does not get into the wrong hands

* Protecting email servers and message stores where PHI may exist

Organizations regulated by HIPAA must comply and put these practices in place. However, the need to comply with regulations puts particular pressure on the healthcare industry to enhance their use of technology and “catch up” with other industries of similar size and scope.

Privacy and Email Security
The privacy protection provisions in HIPAA pose a major compliance challenge for the healthcare industry. These provisions are intended to protect patients from disclosure of any of their individually identifiable health information. Organizations that fail to protect this information face fines ranging from $10,000 to $25,000 for each instance of unauthorized disclosure. If the disclosure is found to be intentional, HIPAA provides for fines ranging from $100,000 to $250,000 and possible jail time for individuals involved in the violations.

The clock is ticking – it’s time to get started
Bringing an enterprise into compliance with the rules set by HIPAA can seem like a very daunting task to even the most experienced executives. Nonetheless, the growing dependence on email as a mission-critical application requires that your organization implement comprehensive security and privacy policies – and soon. A solid combination of security policies and the technologies to enforce those policies can ensure improved security as well as HIPAA readiness and ongoing adherence.

Dr. Paul Judge is a noted scholar and entrepreneur. He is Chief Technology Officer at CipherTrust, the industry's largest provider of enterprise email security solutions. Learn how to make your email system comply with HIPAA regulations by visiting http://www.ciphertrust.com.

Health Insurance; COBRA; OBRA; HIPAA; Medicare; Definitions, Relationships

Health Insurance; COBRA; OBRA; HIPAA; Medicare. If asked, could you state that you knew that all 5 of these topics had the same thing in common: medical insurance coverage for you and, perhaps, your family? Would you know the qualifications for each? Well, in this article, we will discuss them. For a timeline that depicts, graphically, the time relationship between them, please see the timeline in www.disabilitykey.com.

HEALTH INSURANCE Coverage from Work

If we are lucky, we, and/or our spouse, work for a company that provides, as a benefit, health insurance coverage for us and our family. If so, we are very lucky. Even if that is true, there are some key things that you might want to look at to see if you have ENOUGH coverage.

1) From your Human Resources Department (or wherever else you would go to get information about your health insurance) get what is called a "Summary Plan Description" (SPD). This document should be kept where you can always find it, as it contains all the information you will need about what your insurance covers and what it doesn't.

2) Look up "Coverage" and "non-coverage" in your SPD.

These will tell you what your plan covers and doesn't cover. You need to see if, perhaps, you or one of the covered members of your family has a condition or circumstance that might not be covered, where you need additional coverage. For example, let's say that your family has a history of cancer; perhaps your plan restricts the number of hospitalization days for care; or, restricts the days per condition. In this case, (like my children) you might want to get additional "cancer insurance" (I think that AFLAC might provide this type of coverage).

It would be a good idea to contact a Health Insurance benefit Broker and ask him/her to read your SPD and see if you have any gaps in coverage. They then can help you supplement coverage BEFORE YOU NEED IT!

NO HEALTH INSURANCE COVERAGE

You might be one of the growing members of our society that, through one circumstance or another, does NOT have health insurance coverage for your family. In this case, I strongly encourage you to contact a Health Insurance Broker and get immediate coverage of what is called "catestrophic" (not sure if I spelled this correctly) coverage. In this type of coverage, you will generally have large deductibles, but will have coverage if, say, one of you has to go into the hospital.

CONTACTING A BENEFITS INSURANCE BROKER

Whenever you call or email a Health Insurance Broker, it is very important to prepare ahead of time. WHAT, specifically are you looking for; how much can you afford to pay every month; what circumstances do you want to make sure that your family is covered for. In this way, you can make sure to focus on your critical needs.

COBRA

COBRA is an acronym ( how can I spell acronym correctly, yet not be sure that I spelled catestrophic correctly?) that stands for: Consolidated Omnibus Budget Reconciliation Act. Basically, it is a federal law that allows you to pay for your Company-paid health insurance, as an active member, if you no longer work for that company for, generally 18 additional months.

1) COBRA is "triggered" (that is, you, or a covered member of your family, become eligible for COBRA) by events such as the following: resignation from the company; termination (FOR ANY REASON) from the company; divorce of a spouse; a covered chile's birthday makes them ineligible for coverage. These are the main "triggering" events for COBRA.

2) Now, when eligible for COBRA, you will be asked to pay for 100% to 105% of the company's employee/employee and family coverage amount. You should get a letter from your company explaining what that amount will be. BEFORE YOU DECIDE TO TAKE COBRA, there are some important things for you to consider.

What will be your cost, and what will be the coverage for that cost? Sometimes the cost is too much for the coverage. In these cases, you might want to select HIPAA coverage, instead (see HIPAA below).

Or, you might just want to get catestrophic coverage as was mentioned earlier, and wait for full coverage under your next job.

Part of this decision should be whether or not you or a member of your family has what is called a "pre-exisitng coverage" condition.

Here again, before automatically taking COBRA, it would be wise to contact a Benefits Insurance Broker and give him/her all of your options, and get their input. I have worked extensively with a Benefits Insurance Broker, and he is absolutely fantastic!

OBRA

What, you ask, is OBRA? I've never heard of it, you say, and no one I know has heard of it either! Well, that's because, 99% of Human Resource or Benefit folks that I know have never heard of it! OBRA is a federal law that was passed that extends COBRA for an additional 11 months FOR DISABILITY PURPOSES ONLY!! Why, you ask, is this important? Thanks for asking, let's see if I can explain.

If you are as nieve (did I spell this wrong too? sorry!) as I was when I first started looking to bridge my health insurance from working to Medicare, I assumed that when I got through all of the hoops to qualify for SSDI (Social Security Disabililty Insurance) I'd IMMEDIATELY be eligible for Medicare, RIGHT??? WRONG!!!!

When you FINALLY qualify for SSDI, you have to wait for 5 months before you get your first check. AND, the rules state that, you are eligible for Medicare 2 years (24 months) FROM THE DATE OF YOUR FIRST SSDI PAYMENT. Well, if you add 24 + 5 you get, 29 months between qualifying for SSDI, and Medicare coverage.

OK, I said earlier that COBRA is for 18 months of coverage. Well guess what 18 months of COBRA + 11 months of OBRA equal - 29 months!

BUT, there are two catches to OBRA; first of all, you have a small window of 30 - 60 days to apply ( this window opens the date of your SSDI approval); and, it can cost up to 150% of your plan coverage amount. BUT, if you have a "previously existing condition" this might be the best way for you to proceed.

Again, it is important to contact a Health Insurance Broker to help you with the risk/cost ratio of all of these situations.

It is also improtant to know all of these deadlines as you plan to ensure that you and your family have important health insurance coverage.

HIPAA

HIPAA is a federal law that is called, briefly, the "portability" law for health insurance. What that means is that when you leave a group (read company-paid plan), the carrier that provided that plan, must offer to you, another plan, different from COBRA, when you leave the group coverage. Generally this will be what is called a "bare bones" plan. Again, the best thing for you to do is to call/email a Health Insurance/Benefits Broker with all of your information: SPD, COBRA info, HIPAA info, needs, cost limits, and let him/her help you find the optimum plan coverage for you.

MEDICARE

OK, now, finally, we've reached Medicare! BUT (you really didn't think it would be that easy, did you?) if you have qualified for Medicare because of disability, there are RESTRICTIONS (of COURSE there are!).

First of all, if you are qualifying for Medicare because of disability, you are probably under the age of 65 - normal retirement age.

Medicare coverage does NOT cover prescription drugs, which, those of us with disabilities probably need, and which cost lots.

But, Congress prescribed that states (all but 11) offer what is called "Medicare supplement" plans, some of which do offer prescription coverages. BUT, these plans ARE NOT REQUIRED TO, and do not, offer these medicare supplement plans that offer prescription coverages to folks who qualify under age 65! So, if you are qualifying because of disability, your medical insurance plan doesn't cover one of your primary cost expenditures!

Here again is where you need to contact a health insurance/benefit broker. Again, he/she can work with you, and your specific circumstances, to get you the coverage you need.

Hope that this information was helpful to you. If you have any questions, please feel to ask them by commenting on this blog, and I'll be happy to get you an answer.

About Disabilitykey.com & Carolyn Magura:

Disabilitykey.com is a website designed to assist each person in his/her own unique quest to navigate through the difficult and often conflicting and misleading information about coping with disabilities.

Carolyn Magura, noted disability / ADA expert, has written an e-Book documenting the process that allowed her to:

a) continue to work and receive her “full salary” while on Long Term Disability; and

b) become the first person in her State to qualify for Social Security Disability the FIRST TIME, in UNDER 30 DAYS.

Click here to receive Carolyn 's easy-to-read, easy-to-follow direct guide through this difficult, trying process. If you are disabled, don't let this disabiling process

 disable you. Read Carolyns Disability Key Blog.