
Healthcare Compliance 101

Archive for the tag “HIPAA Security”

$750,000 Settlement Highlights the Need for HIPAA Business Associate Agreements

 

Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.  HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.  Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area.

 

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013.  OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-rays (and the PHI they contained).

 

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

 

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

HIPAA Privacy and Security Compliance Audits Begin November 2011

OCR Announces November 2011 start of Privacy and Security Compliance Audits

     Overview:  OCR has announced that it is initiating Compliance Audits beginning November 2011, as authorized by the HITECH Act.  The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification Standards.  These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications.  HHS has delegated this auditing function to OCR.  To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.

     Who will be audited? Every covered entity and business associate is eligible for an audit.  OCR is responsible for selecting the covered entities that will be audited.  OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry.  This means that OCR will randomly select covered entities that are large, medium-sized, and small (such as a one-doctor healthcare provider).  No covered entity is exempt from the chance of being selected for a compliance audit by OCR.

     What is the purpose of these audits?  These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.

     How the Audit Program will Work.  Covered entities selected for an audit will be informed by OCR of their selection and the covered entity will be asked to provide documentation (in writing) of their privacy and security compliance efforts.  Covered entities will have 10 business days to provide the requested information.  Every audit will include a site visit and result in an audit report.  OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit.  During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance.  Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff.  OCR will then issue a report based upon the audit.

     What happens After an Audit?  Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.  Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.

     Why the Push for Increased Audits?  The number of individuals affected by breaches reported under HITECH has risen by 6,230,963, to a total of 18,190,451.  This sharp growth in the number of individuals affected by privacy and security breaches heightens the need for OCR to strengthen enforcement and accountability through compliance audits that ensure compliance with these Rules.

     What should a covered entity do to prepare for a potential OCR Audit and avoid the consequences (monetary penalties) of non-compliance?  To avoid potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to: 1) conducting a new, or reviewing an existing, Risk Assessment of the threats and vulnerabilities to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures; 3) training their workforce members (which includes management) to safeguard the privacy and security of PHI; and 4) documenting those actions in writing.

 

HHS Appoints Contractor to Conduct HIPAA Privacy and Security Audits


OCR Settles HIPAA Privacy and Security Case With UCLA


Celebrity snooping  by employees results in stiff civil monetary penalties and a resolution agreement to University of California Los Angeles Health Services (UCLAHS).

Woman Faces Criminal Charges for HIPAA Privacy Violations


Resolution Agreements

What is a Resolution Agreement

Resolution Agreements and Civil Money Penalties.  A resolution agreement is a contract initiated by HHS and then signed by HHS and a covered entity, in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years.  During that period, HHS monitors the covered entity’s compliance with its obligations.  A resolution agreement will usually include the payment of a resolution amount.  These agreements are used to settle investigations with more serious outcomes.  When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action by other informal means, it may impose civil money penalties (CMPs) on the covered entity for noncompliance.

Candy Sina

Author & Publisher of Medicare/Medicaid Compliance for Less Than $2.00

www.healthcarecomplianceconsulting.net

Accounting of Disclosures – Proposed Rule

Patient rights in the healthcare industry have been a critical issue for years.  One such right that the public has insisted on is the right to access their own health information and to amend that information when it is deemed to be incorrect.

On May 31, 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rule Making (NPRM) entitled HIPAA Privacy Rule Accounting of Disclosures Under HITECH.  OCR will receive comments on this proposed rule until August 1, 2011 and is expected to publish a final rule by the end of 2011.  Compliance with the accounting of disclosures requirements would then begin sometime in mid-2012.

The purpose of this rule is to implement the HITECH requirement that covered entities and business associates account for disclosures of protected health information made to carry out treatment, payment and healthcare operations where such disclosures are made through an electronic health record.  The rule would also expand the accounting provision so that individuals have the right to receive an access report indicating who has accessed their ePHI in a designated record set.  A Designated Record Set means a group of records maintained by or for a health plan or health care provider that are: 1) the medical records and billing records about individuals maintained by or for a covered health care provider; 2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or 3) used, in whole or in part, by or for the health plan or health care provider to make decisions about individuals.

There are a few noteworthy points about this NPRM.  First, the covered entity’s accounting information must cover all disclosures by the covered entity or its business associates (where the business associate creates, receives, maintains, or transmits designated record set information).  This includes both non-routine and routine (treatment, payment and operations) disclosures of PHI from an electronic system (ePHI).  Beginning Jan. 1, 2013, individuals would have the right to receive a report of who accessed their ePHI (an access report) covering the three-year period preceding the date of the request.  Secondly, covered entities will have to revise their Notice of Privacy Practices (NPP) to reflect these changes and provide individuals with a Notice of Privacy Practices that explains how the covered entity may use and disclose PHI and the individuals’ rights regarding their health information.  Thirdly, this NPRM would reduce the time a covered entity has to respond to a request for an accounting of disclosures from 60 days to 30 days.

The time to start preparing for these new accounting of disclosure requirements is now, not December 2012.  Why now?  A big challenge will be whether your system vendors can handle the new ePHI accounting of disclosures requirement, and how they will do it: the access report can only be produced if every system holding designated record set data, including those run by business associates, records who accessed which patient’s ePHI and when.  Covered Entities and Business Associates will have to revise their NPP to explain to individuals that they now have a right to an accounting of all disclosures of their ePHI.  Administrative changes will have to be made in how a Covered Entity and Business Associate manage non-routine disclosures of hardcopy PHI for 6 years and routine disclosures of ePHI for 3 years.  With another new rule (accounting of disclosures) coming down the pike shortly, be prepared and start planning now.
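The following is an added example, not code from the original post or from any vendor system, of what the access report described above requires of an audit log: it takes constructed audit rows (the field names and record-set labels are assumptions), keeps only accesses to the requesting patient’s ePHI in a designated record set, applies the three-year look-back from the request date, includes business associate systems alongside the covered entity’s own, and computes the 30-day response deadline the NPRM would impose.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample audit-log rows (not real data).  Each row is what an EHR,
# or a business associate's system holding designated-record-set data, might
# emit when ePHI is viewed, changed or exported.  Field names are assumptions.
SAMPLE_AUDIT_LOG: List[Dict[str, str]] = [
    {"ts": "2010-05-01T08:00:00", "patient_id": "P-1001", "user": "rnurse",
     "org": "Example Clinic", "action": "VIEW", "record_set": "medical_record"},
    {"ts": "2010-06-15T00:00:00", "patient_id": "P-1001", "user": "rnurse",
     "org": "Example Clinic", "action": "VIEW", "record_set": "medical_record"},
    {"ts": "2011-02-10T14:22:05", "patient_id": "P-1001", "user": "claims01",
     "org": "Example Billing LLC (BA)", "action": "VIEW", "record_set": "billing_record"},
    {"ts": "2011-02-10T14:30:00", "patient_id": "P-1002", "user": "claims01",
     "org": "Example Billing LLC (BA)", "action": "VIEW", "record_set": "billing_record"},
    {"ts": "2012-09-30T11:05:42", "patient_id": "P-1001", "user": "drsmith",
     "org": "Example Clinic", "action": "UPDATE", "record_set": "medical_record"},
    # Assumed to lie outside the designated record set, so it is not reported.
    {"ts": "2012-10-01T09:00:00", "patient_id": "P-1001", "user": "mktg",
     "org": "Example Clinic", "action": "EXPORT", "record_set": "mailing_list"},
    # After the request date, so it is not reported.
    {"ts": "2013-06-20T10:00:00", "patient_id": "P-1001", "user": "drsmith",
     "org": "Example Clinic", "action": "VIEW", "record_set": "medical_record"},
]

# Assumed mapping of system data sets onto the designated record set
# (medical and billing records; health-plan enrollment and claims systems).
DESIGNATED_RECORD_SETS: Set[str] = {
    "medical_record", "billing_record", "enrollment", "claims_adjudication",
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    patient_id: str
    user: str
    org: str
    action: str
    record_set: str


def parse_events(rows: Iterable[Dict[str, str]]) -> List[AccessEvent]:
    """Turn raw audit rows into typed events; timestamps are ISO 8601."""
    return [
        AccessEvent(datetime.fromisoformat(r["ts"]), r["patient_id"], r["user"],
                    r["org"], r["action"], r["record_set"])
        for r in rows
    ]


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def access_report(rows: Iterable[Dict[str, str]], patient_id: str,
                  request_date: date, years: int = 3,
                  record_sets: Set[str] = DESIGNATED_RECORD_SETS) -> List[AccessEvent]:
    """Accesses to this patient's ePHI in a designated record set during the
    `years` before the request date (both ends inclusive), oldest first.
    Business associate systems are not treated differently from the covered
    entity's own: every row in the merged log is a candidate."""
    start = datetime.combine(years_before(request_date, years), datetime.min.time())
    end = datetime.combine(request_date, datetime.max.time())
    hits = [e for e in parse_events(rows)
            if e.patient_id == patient_id
            and e.record_set in record_sets
            and start <= e.when <= end]
    return sorted(hits, key=lambda e: e.when)


def response_deadline(request_date: date, days: int = 30) -> date:
    """Date by which the covered entity must answer under the proposed rule."""
    return request_date + timedelta(days=days)


def format_report(events: List[AccessEvent]) -> str:
    """One line per access: when, who (and organisation), what, on which set."""
    return "\n".join(
        f"{e.when.isoformat()}  {e.user}@{e.org}  {e.action}  {e.record_set}"
        for e in events
    )


if __name__ == "__main__":
    req = date(2013, 6, 15)
    print(format_report(access_report(SAMPLE_AUDIT_LOG, "P-1001", req)))
    print("respond by", response_deadline(req))
```

The report for P-1001 requested on 2013-06-15 contains three accesses (the nurse on the first day of the window, the billing business associate, and the physician’s update); the older nurse access, the marketing export, and the access after the request date are all excluded. The boundary handling and the business associate inclusion are the two points to check when you test a vendor’s implementation.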

Dave Sina – Author of A Healthcare Compliance Plan for Less than Two Dollars ($2.00) Per Day.

OIG Results of HIPAA Security Audits of Hospitals

Audit (A-04-08-05069)

05-16-2011
Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight

Executive Summary

Our review found that the Centers for Medicare & Medicaid Services’ (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise. Both the Social Security Act and the Security Rule require a covered entity, defined as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form, to (1) ensure the confidentiality, integrity, and availability of the information; (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information; and (3) protect against unauthorized uses or disclosures of the information.

Our audits of 7 hospitals throughout the Nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.

We recommended that the Department’s Office for Civil Rights (OCR) continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. OCR did not comment on our specific findings and stated that it had considered our recommendations. OCR also noted that it maintains a process for initiating covered entity compliance reviews in the absence of complaints and that it had used this process to open compliance reviews as a result of our hospital audits. Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so.

Complete Report

The complete report is available for download as a PDF from the Office of Inspector General Web site.

Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.
