Filed under HIPAA

Dialogue With Leon Rodriguez-Director of Office of Civil Rights for HHS. (HIPAA Enforcer In Chief)

It’s a pretty rare opportunity as a HIPAA geek to sit in a room with the Director of the Office of Civil Rights for HHS and hear his perspective and ask him questions.

I got to do that today through my attendance at the HCCA Compliance Institute in National Harbor, MD.

Almost too much for me to take in all at once.

But in the spirit of blogging and sharing knowledge, I was typing and tweeting frantically, not wanting to miss a nuance.

Leon Rodriguez was appointed to his role as “HIPAA Enforcer in Chief” (my term) about twenty months ago.

Here are some things I learned during his talk and some accompanying shifts in my thinking and issues raised in my own mind for further consideration. (I welcome comments as well.)

  • OCR was founded in 1967 after passage of the Civil Rights Act in 1964. Leon Panetta was the first OCR director when HHS was known as the Department of Health, Education and Welfare. Panetta chose to enforce desegregation laws, much to the chagrin of many in roles of authority. Mr. Rodriguez shared that at one point, Attorney General John Mitchell, the architect of Nixon’s “southern strategy,” called Nixon and told him to “fire that prick in the basement of HEW.” So I gleaned from this bit of history that the OCR director is historically a bit of a scrapper.
  • Patient privacy is deemed to be a kind of civil right.  The role of OCR is to protect the patient’s privacy, because if a patient does not feel secure, the substance abuser won’t get help, the abuse victim won’t get treatment, the mentally ill will be fearful to disclose their suffering and get assistance. From this, I see that OCR views a breach of patient privacy as a civil rights violation although it’s perhaps not equivalent to having to attend a segregated school or drink from a different water fountain.
  • Rodriguez views OCR as being similar to the SEC.  Just as the SEC is supposed to enhance investor confidence in the fairness of the markets, so the OCR is supposed to enhance patient confidence in the confidentiality of their health records.  Query: I wonder if people view these governmental agencies as fulfilling these roles or even know that there are agencies playing these roles?  Another query: does increased enforcement activity enhance patient or investor trust in the healthcare or financial system?
  • There is one OCR investigator for every 3 million Americans. They are stretched pretty thin.
  • OCR is becoming even more proactive in their enforcement.
  • Well over half of breaches that occur take place at the Business Associate level.
  • The vast majority of breaches are due to human mistakes and not technological errors.  Major breach causes are theft (51%), unauthorized access and disclosure and loss.
  • Hacking is not a major cause of HIPAA breaches.
  • Electronic records are more secure than paper records.  Paper records account for 25% of breaches.
  • In the first decade of HIPAA we were in “learning” mode. We are now in “enforcement” mode, which is part of the reason the fines have gone from a maximum of $25,000 per violation to $1.5 million per violation per year.
  • The most important things a covered entity can do after a breach are to notify affected individuals promptly, identify why the breach occurred and the root cause for it, and take decisive action to fix the problem.
  • One reason OCR wants a database of all breaches is to be able to examine and understand where vulnerabilities are industry-wide.
  • Even with all the publicity around fines, it’s still the case that a relatively small portion of cases reported result in any monetary fine.  Majority of cases are resolved through corrective action and technical assistance.
  • Most big-fine cases are usually one of two things: 1. a longstanding pattern of repeated, multiple violations; 2. cases where you have a particularly unforgivable set of disclosures and a failure to prevent the disclosure. A common thread present in both 1 and 2 is that the entity discovers the problem and fails to take decisive action.
  • Mr. Rodriguez truly believes enforcement promotes compliance.  He has a strong prosecutorial background.
  • However, he was also a defense lawyer and DOES believe “Government can overreach” and that enforcement should be conducted in a balanced and constructive way that focuses monetary fines on the most egregious cases.
  • Another commonality among big fine cases is lack of appropriate risk analysis.  The entity fails to fully inventory the information it has, where the information is kept, and how the information is secured.
  • If an investigation is conducted and OCR sees that a risk analysis was done properly and there are appropriate mitigation and contingency plans, the office is more likely to settle the violation through corrective action rather than a monetary fine.
  • Encryption is an addressable requirement under HIPAA.   If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative. The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing.  The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.  Succinctly, show your work!  (Like you were supposed to in 5th grade math!)
  • Mr. Rodriguez takes his job quite seriously.  He sees part of his role as someone who routinely engages with compliance professionals to hear their concerns and educate them.  He is not “hiding the ball” and seems extremely open, transparent and reasonable although oriented towards the interests of the patients rather than the provider which is appropriate given the mission of OCR.

It was great being able to have dialogue with him today!  Grateful for the chance!


HIPAA 2013 – Life’s A Breach and Then You…

HIPAA/HITECH 2009: Into the Breach

 Quick History

Breach notification requirements were first introduced into HIPAA upon passage of HITECH in 2009.

Beginning September 23, 2009, covered entities were obligated to notify the HHS Secretary of all breaches of protected health information occurring on or after that date. As of September 23, 2009, covered entities were required to report breaches affecting 500 or more individuals to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer individuals must be reported to the Secretary within 60 days of the end of the calendar year in which the breach occurred.

This year, the deadline for breach reporting for 2012 breaches affecting fewer than 500 individuals is February 28!

 HIPAA 2013-Breaches Clarified

In HIPAA 2013, the rule includes final modifications to the Breach Notification Rule, which will replace an interim final rule originally published in 2009 as required by the HITECH Act. HHS estimates that they will receive approximately 19,000 breach notifications annually and that those breaches will affect approximately 6.71 million individuals.

HIPAA 2013: No harm, no foul? Not so much!

The final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009. It focuses more objectively on the risk that the protected health information has been compromised.

This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule.  Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.

HHS has clarified their position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. The covered entity or business associate has the burden of proof!

HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.

The new language is consistent with language in § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.

The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.

HIPAA 2013: Encrypt Early and Often

Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez likes to emphasize that the penalty would have been avoided if the data was encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST).

To avoid the hit to your organization’s reputation and bottom line if you have to ameliorate a breach, it’s strongly suggested that you encrypt data at rest and on portable devices such as laptops and flash drives.

HIPAA 2013-Timetables

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.

 HIPAA 2013-Notice of Privacy Practices Must Change

The final rule also requires covered entities to include in their Notice of Privacy Practices a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. HHS believes that individuals should be informed of their right to receive, and of the obligations of covered entities to provide, notification following a breach.

HHS indicated that a simple statement in the Notice of Privacy Practices that an individual has a right to or will receive notifications of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.

HIPAA 2013- Costs

HHS estimates that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs were attributable to the private sector.

HIPAA 2013 is loaded with many challenges for covered entities and business associates. Hopefully, your organization has been preparing for these final rules since passage of HITECH. If you have not, the time is NOW!

Julie Meadows-Keefe

HIPAA 2013-Business Associates Asking “Am I My Brother’s Keeper?”

HIPAA 2013-New World for Business Associates-Of Biblical Proportions?

Maybe you are familiar with the Bible story of when Cain slew Abel and God asks Cain, “Where is your brother?” and Cain responds, “Am I my brother’s keeper?” If we’ve read the story, we know things weren’t too great for Cain after that! He is held responsible for his brother, as he should have been, but initially tried to say it wasn’t his problem. Like Cain, business associates under HIPAA 2013 cannot deny responsibility for data within their control.

You may zone out on me before you get to the end of this blog post, so the crux is that business associates, by definition, are now (and have been for a while) separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts.

Many haven’t wanted to think about it!

To learn more, please continue reading!  I promise to try and keep it interesting!

Get to Know Business Associates

In mafia movies a “business associate” might be the muscular wall of a man who collects overdue loan payments.

In other, more realistic worlds, a business associate would be someone with whom one worked, either as a co-worker or perhaps a colleague in another company.

In the HIPAA world, the term has a very distinctive and detailed definition.

What (Or Who) Is A Business Associate Under HIPAA?

The HIPAA Rules define “business associate” generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. Examples of business associates include:

  1. Claims processors, administrators or practice managers.
  2. Accountants, legal advisors, consultants, or data aggregators.
  3. Accrediting services.
  4. Patient safety organizations.

In short, if the person or organization is providing services to a covered entity and the provision of the service involves the disclosure of individually identifiable health information from such covered entity, that person or entity is considered a business associate. Before the HITECH Act, the Security Rule did not directly apply to business associates.

Business Associate Changes Under HITECH

Life changed for business associates under the HITECH Act. Under HITECH, HHS made business associates primarily liable for violations of the Security Rule’s administrative, physical, and technical safeguards requirements, as well as the Rule’s policies and procedures and documentation requirements. Therefore, under HITECH, business associates are civilly and criminally liable for violations of these provisions. HHS believes that many business associates have not appreciated, fully understood or implemented necessary compliance practices.

HIPAA 2013-Business Associates & Subcontractors

The final rule applies the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”

HHS also updated the definition of a subcontractor to mean “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” So, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.

There will be increased costs to many business associates to bring their subcontracts into compliance with business associate agreement requirements; and costs to a portion of business associates to achieve full compliance with the Security Rule.

 Drop Dead Dates for Business Associates

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions. This translates into September 23, 2013. However, HHS has built in another year of cushion for covered entities to update their business associate agreements. So the new documents must be fully executed no later than September 23, 2014.

In the span of time between September 23, 2013 and September 23, 2014, covered entities must ensure that they obtain satisfactory assurances from their business associates that the requirements are being met. Furthermore, business associates must also receive satisfactory assurances from their subcontractors, no matter how far down the chain the information flows. Again, organizations must be COMPLIANT by September 23, 2013 and have another year to execute new business associate agreements.

That brings us to September 23, 2014 to have the updated agreements executed.

Please do not wait until September 1, 2014 to consider this!

 What do Business Associates Need to Know? 

Business associates are now directly liable under the HIPAA Rules for the following:

  1. impermissible uses and disclosures;
  2. failure to provide breach notification to the covered entity;
  3. failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the agreement);
  4. failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;
  5. failure to provide an accounting of disclosures;
  6. failure to comply with the requirements of the Security Rule.
  7. Business associates remain contractually liable for other requirements of the business associate agreement.
  8. Business associates will also have to comply with new requirements for notification of breaches. (Coming in a future post!)
  9. Business associates need to evaluate their subcontractors!

Hopefully now you understand why I started this post with a reference to the biblical story of Cain. Although these changes may not be of biblical proportions, they do represent increased levels of responsibility for any entity handling identifiable health information!

Do you have questions about what you’ve read?

Don’t consider this post legal advice!

Contact me @ julie@esq140.com or here.

I am friendly and do not bite!

Read the rule for yourself here!  I recommend it, especially if you have trouble sleeping!

HIPAA 2013-Public Health Updates

HIPAA 2013 is HERE!

The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and its Health Information for Clinical and Economic Health (HITECH) provisions, brought to bear the necessity of a whole new slew of regulations, which were handed down last week amid much fanfare. In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!

A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.

HIPAA 2013 Emphasizes That Covered Entities Should NOT Use their Business Associates for Public Health Reporting!

HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations which is limited to activities of the covered entity).  Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).

HIPAA 2013 HINT

Make sure, if you are a covered entity, that you are doing your public health reporting as required by state and federal law and NOT delegating that function to a business associate.

 HIPAA 2013-What’s Coming Tomorrow

Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.

I invite you to leave a comment and stay in touch!

Identity Theft Often Begins at the Workplace

Identity Theft and the Mythical Evil Hacker Across the World.

When we think about identity theft, maybe we tend to think about evil hackers in foreign countries trying to gain access to our data.

Or maybe we think about cerebral kids with nothing better to do than to try and gain access to confidential databases for the sheer love of doing it.

We may also picture paper medical records being thrown into the trash and being retrieved by someone who uses them to take out credit cards, loans or apply for benefits.

Sometimes the last thing we think of is malicious data theft by employees we hire to serve our patients.

Identity Theft Under Our Noses!

This recently occurred at a clinic serving low-income patients in Palm Beach County, Florida. Here, the individual had been collecting the data to sell as part of a fraud scheme. Fortunately, a delivery truck driver grew suspicious of the woman, who ostensibly wanted to spend $36.00 to ship a card overnight. The driver opened the package and discovered lists with clients’ information. The information included clients’ social security numbers. The employee was fired and has been arrested on several counts of fraud.

Additionally, in Texas there have been several reports of similar identity thefts.

A former Texas Department of Health and Human Services worker in Mount Pleasant assumed the identity of clients receiving immunizations and other services at the Texas Department of Health and Human Services. She then used this client information and applied for credit cards online and, once approved, made as many purchases as the credit card would allow. The former employee was arrested and several hundred patient names and social security numbers were retrieved from her residence.

The former employee has been charged with Fraudulent Use or Possession of Identifying information, a 2nd Degree Felony, and Credit Card Abuse, a State Jail Felony.

What Can Be Done to Prevent Identity Theft By Trusted Employees?

Unfortunately, it is impossible to filter all bad apples out of the barrel of potential job applicants. Perhaps employees fall on hard times and feel that stealing confidential information is a quick way out of financial difficulty. They may not seek employment involving confidential data with the intent to steal it. They may also think there is a low likelihood they will be caught. This is where their logic falls apart.

Most employers storing and utilizing confidential data electronically are deploying tracking software. This allows them to see which employees are accessing which data and when it’s being accessed. Assuming that the employer has someone assigned to check those logs, it can be easy to detect unauthorized access, thereby decreasing the likelihood that improperly accessed patient data can be used for identity theft purposes. If you have not deployed tracking software, this should be a top priority to accomplish in 2013.
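The paragraph above turns on somebody actually reading the access logs. As an added illustration (not code from the original post or from any particular tracking product), here is a small review routine over a constructed sample of record-access log lines. It assumes a log format of timestamp, user id, patient id and action, and a hypothetical assignment roster saying which patients each employee has a job-related reason to touch. It flags the patterns a log reviewer would look for in the two cases described in this post: access to records outside the employee’s assignments, bulk access to many distinct patients in one day, after-hours activity, and exports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Assumed format per line:
# ISO-8601 timestamp, user id, patient id, action
SAMPLE_LOG = """\
2013-01-14T09:02:11,nurse01,P1001,view
2013-01-14T09:10:45,nurse01,P1002,view
2013-01-14T09:30:02,nurse01,P1003,view
2013-01-14T22:41:09,clerk07,P2001,view
2013-01-14T22:42:30,clerk07,P2002,export
2013-01-14T22:43:02,clerk07,P2003,export
2013-01-14T22:44:51,clerk07,P2004,export
2013-01-14T22:45:17,clerk07,P2005,export
2013-01-14T22:46:40,clerk07,P2006,export
2013-01-15T10:15:00,nurse01,P1001,view
"""

# Constructed (hypothetical) roster: patients each user is assigned to.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002", "P1003"},
    "clerk07": {"P2001"},
}


def parse_log(text):
    """Turn the raw log text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def review_access(events, assignments, max_distinct_per_day=5, business_hours=(7, 19)):
    """Return {user: sorted findings} for users whose access warrants a look.

    Findings are strings so a reviewer can read them directly:
      no_assignment:<patient>  access to a record the user is not assigned to
      after_hours              access outside business_hours (start inclusive, end exclusive)
      export:<patient>         an export action, which is how data leaves the system
      volume:<date>:<n>        more than max_distinct_per_day distinct patients in one day
    """
    findings = defaultdict(set)
    per_day = defaultdict(set)  # (user, date) -> set of patient ids touched that day
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["patient"])
        if e["patient"] not in assignments.get(e["user"], set()):
            findings[e["user"]].add(f"no_assignment:{e['patient']}")
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            findings[e["user"]].add("after_hours")
        if e["action"] == "export":
            findings[e["user"]].add(f"export:{e['patient']}")
    for (user, day), patients in per_day.items():
        if len(patients) > max_distinct_per_day:
            findings[user].add(f"volume:{day}:{len(patients)}")
    return {user: sorted(f) for user, f in findings.items()}


if __name__ == "__main__":
    for user, items in review_access(parse_log(SAMPLE_LOG), ASSIGNMENTS).items():
        print(user)
        for item in items:
            print("  ", item)
```

On the constructed sample, the nurse who views her three assigned patients during the day produces no findings, while the clerk who exports six unassigned records late at night is surfaced on every rule. The thresholds and hours are deliberately parameters: a clinic reviewing its own logs would set them from its staffing pattern, and the assignment roster would come from its scheduling or encounter system rather than a hard-coded dictionary.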

Next, employers should be consistently training on HIPAA Privacy and Security Policies. This training should contain ample “scare tactics” of what happens to people who violate the policies. I’ve included two examples in this post. Jobs are lost, arrests are made, lives are ruined.

It is gratifying to see that both employers in the above example appear to have acted appropriately in terminating the employees, communicating with authorities and potentially affected patients and reflecting transparently on what other measures they are taking to assure these incidents do not occur again.

If you are cultivating a culture of compliance in your organization, it goes a long way towards making sure that identity thieves do not feel welcomed as employees.

What Are Physical Safeguards?

Physical Safeguards are important.

You never know who your patient (or patient’s mom) is…

A few nights ago my daughter was sick enough to warrant a trip to the ER. (She’s fine now, thank you).

In my haste to get her there, I left my cell phone at home, so on two occasions I used the phone at a station in the ER. On one occasion, I was led to the phone where the staff member dialed 9, let me dial the number and left me standing in front of the computer screen on the desk. It had identifiers for the current patients in the pediatric ER. I deliberately averted my eyes.

On the next occasion, the staff member dialed 9 and the number I wanted and instructed me to stand behind the computer screen.

Props to staff member number 2. She used what’s known as physical safeguards, which simply means that she used measures to prevent me from seeing other people’s information.

HIPAA’s Definition of Physical Safeguards

HIPAA defines physical safeguards as policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Therefore, health care providers like the ER must implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. HIPAA also requires that health care providers implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

In this example, a provider serving mainly HIV patients entered into a resolution agreement with Health and Human Services that required it to reposition its computer monitors to prevent patients from viewing information on the screens. The practice installed computer monitor privacy screens to prevent impermissible disclosures.

Physical Safeguards Are Important

This isn’t meant to call out a “wrongdoing,” just to illustrate how easy it is to forget to protect someone’s data and how easy it is to protect it.

Training staff on practices using actual scenarios like mine and repeating the training often are keys to success. Ingrain it so it can’t be forgotten easily. Kind of like those ubiquitous “employees must wash hands before returning to work” signs.

Have you ever seen anyone’s data by mistake? What did you see?

Are NFL Teams Covered Entities Under HIPAA?

Even NFL coaches know about HIPAA and are interpreting it to the news media! John Harbaugh, head coach of the Baltimore Ravens, got pretty peeved the week after the Ravens were fined $20,000 by the NFL for not listing Ed Reed on the injury report. Harbaugh said that the team will cite every “hangnail” going forward, and questioned the validity of the weekly report.

“There’s no credence on the injury report now,” Harbaugh said. “It doesn’t mean anything. It has no value. The injury report has no value.”

Ed Reed confessed he had been playing most of the season with a slightly torn labrum. The Ravens never listed him because he hadn’t missed any game or practice time with the injury.

“If a guy that goes out there and doesn’t miss a practice and doesn’t miss a game and doesn’t want to be on the injury report and we have to put him on the injury report, I want the league’s answer on that,” Harbaugh said. “I’m looking forward to hearing that.”

Harbaugh also questioned the wording of the league’s injury report policy which states, “All players with significant or noteworthy injuries must be listed on the report, even if the player takes all the reps in practice, and even if the team is certain that he will play in the upcoming game. This is especially true of key players and those players whose injuries have been covered extensively by the media.”

“I’ll go back to the significance thing. The way the thing is written, it says, ‘if a player has practiced fully or played fully and he has an injury and he is a significant player and it affects his play, then he should be on there.’ Well, I think player safety is important for all of the players. I’m going to say that every injury is significant,” Harbaugh said. “If that’s how they want to word it, I’m not going to go with the league saying that one player is more significant than another player. That’s absurd to me. They can get mad at me if they want for saying that, but they need to write that a little more clearly. We’ll just put every guy on there that has a hangnail and go from there.”

Harbaugh also voiced concerns about players’ privacy. “Aren’t there HIPAA rights here?” Harbaugh asked. “If I’m a player and I’ve been out there playing and I don’t want that on the injury report and I’m told I have to put that on the injury report, we’ve got some players that resent that. So yeah, I got a problem with that in all honesty.”

Some quick research on my part produced this link to the NFL Injury Report where, for example, you can see that Atlanta Falcon Zach Streif and Atlanta Falcon Sam Baker are both struggling with groin issues. So I assume from all of this that NFL players are required by the terms of their contracts to disclose conditions that might impact their play. Further perusal of the website led me to theorize that one of the purposes of the injury report is to assist fantasy football participants and Vegas odds-makers. I guess if you were betting on the Kentucky Derby you’d want to know if your horse had a groin injury. Same difference, right?

And coach Harbaugh’s HIPAA reference gives me a jumping-off point to clear up a frequently believed myth: that any time someone’s health information is disclosed, someone or some entity has violated HIPAA. This is not the case. HIPAA can only be violated by individuals and entities within HIPAA’s purview. These are called covered entities. HIPAA violations can also be committed by business associates who have contracts with covered entities. I initially was going to say that it would appear that the National Football League and its teams are not covered entities. The players are contracted employees of their teams, and HIPAA does not apply to employers. So health records in your employment file aren’t protected under HIPAA, but they may be protected by other confidentiality laws. But then I realized that the teams have physicians who treat the players. Physicians are typically covered entities when they treat patients. But then I went to this flowchart. I would argue that the main job of NFL teams is playing football, but accompanying that, they are obviously intimately involved with the health of a player and his ability to play. So it would appear that the teams furnish health care in the normal course of business. So we say “yes” and move forward on the chart.

Interesting.

Then, the next part of the chart asks if the person or business sends any covered transactions electronically. I do not know what their practice is; however, if they do send electronic transactions, the chart indicates the team would be a covered entity. If it does not send electronic transactions, it would not be covered by HIPAA. So, if all the health information is transmitted by paper only, they could ostensibly scoot out from under HIPAA. Also, it could be that players agree to disclosure of relevant injuries as part of their contracts. Further, judging from this article, it seems that players only have to report general types of injuries, and that things like the specific treatment they are undertaking would be covered by HIPAA.

So my conclusion is that team physicians are covered by HIPAA, so only the most general type of disclosure is made, but specifics of treatment and other non-football-related health issues are not disclosed due to HIPAA concerns.

Please comment if you think differently or have some insight to add.


Are You Antsy over ANSI & Why It’s Hanging Out in HIPAA Regs?

Are You Antsy over ANSI?

ANSI stands for the American National Standards Institute. ANSI is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide. For example, standards ensure that people who own cameras can find the film they need for that camera anywhere around the globe. The Institute administers five standards panels, including the Healthcare Information Technology Standards Panel. The panel works to identify, coordinate, and harmonize relevant voluntary standards in these areas. So you may now see why ANSI would be relevant to HIPAA.

ANSI is referenced in Section 160.103 of the Health Insurance Portability and Accountability Act (HIPAA), within the definitional section. HIPAA authorizes HHS to require the use of standards for the electronic exchange of health care data and to specify what medical and administrative code sets should be used within those standards. Later, ANSI appears in the administrative requirement section of HIPAA, Section 162.940, which explains how an organization may petition HHS to deviate from standard transactions and code sets. HHS sets forth a list of evaluative criteria by which such requests will be examined. The petitioning process is extensive and burdensome. In part, an organization must show that the modification is supported by an ANSI-accredited standard-setting organization or public organization that would maintain the standard over time.

ANSI ANGST

There has been much discussion and gnashing of teeth regarding a looming requirement that all HIPAA covered entities update to ANSI 5010 and begin using the updated ICD-10 code set. Here, think of ANSI 5010 as the pipeline and ICD-10 as the oil—the highly detailed and discrete coding information system to help ensure precise reimbursement.

By October 1, 2014, all covered entities must be ready to embrace the new coding system, having made all the necessary technological updates and provided adequate training to physicians and administrative staff.

ANSI Understanding?

Hopefully, you now have a better idea about ANSI’s role in standardizing the method by which health care information is coded and conveyed.

Please comment if you have thoughts or questions.  You can also e-mail me @ julie@esq140.com.

Thinking too much about ANSI

Julie Meadows-Keefe


What is a Health Care Clearinghouse?

What is a health care clearinghouse? Most people hear the word “clearinghouse” and think of commercials featuring shocked sweepstakes winners having their lives changed when strangers come to their door with TV cameras, balloons, bouquets and big cardboard checks.

However, for purposes of HIPAA (Health Insurance Portability and Accountability Act), a health care clearinghouse is an entity that transforms or translates data from one form to another so that it is usable for a particular purpose. A health care clearinghouse is a covered entity under HIPAA. That means that a health care clearinghouse is governed by HIPAA.

In trying to understand the nature of a health care clearinghouse, imagine the difficulty you have traveling abroad and not speaking the native language. You will need a translator in order to communicate. A clearinghouse can be thought of as a sort of translator. A clearinghouse can also organize or structure data. Whereas health data used by a doctor or hospital may be useful to them for documenting patient care, data in that form may not be useful to payors. Data may need to be coded or presented in a certain way to be usable for a permitted purpose.

Health care clearinghouses can be public or private entities. Under HIPAA, a clearinghouse is most often one of the following:

  • a billing service
  • a repricing company (which takes the bills, matches them up with the insured’s contract with the hospital, and adjusts them to the pre-negotiated price).
  • a community health management information system or community health information system and “value-added” networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.   A key objective of HIPAA was to require national uniform methods and uniform codes for the exchange of electronic information between health care providers and health plans.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care clearinghouses make data user-friendly for particularized purposes. Most often, clearinghouses are trying to convert data for billing purposes, price comparison and cost-effectiveness analysis. It’s reasonable to speculate that health care clearinghouses will have an enhanced role to play in a post-Affordable Care Act world, because the costs and benefits of particular treatments and the efficient use of resources will become even more important.

Although you have not won a sweepstakes by reading this post, you now know what a health care clearinghouse is, how it functions, its purpose and why it’s important for clearinghouses to understand HIPAA’s requirements.

If you need assistance understanding HIPAA’s applicability to your organization, contact me: julie@esq140.com or leave a comment below.


What is a Health Plan?

Health Plans Under HIPAA


Health Plans are important to Americans.  HIPAA applies to health plans, health care providers and health care clearinghouses.

What does HIPAA Consider a Health Plan?

Today, I want to focus on its applicability to health plans, 45 CFR 160.102(a)(1). Health plans are probably familiar to you. These are most often known as health insurance companies. More specifically, a health plan means an individual or group plan that provides or pays the cost of medical care.

I’ll provide a quick list of further definitional aspects of what constitutes a health plan. A health plan can be one or more of the following:

(i) A group health plan;

(ii) A health insurance issuer;

(iii) An HMO (Health Maintenance Organization);

(iv) Part A or Part B of the Medicare program;

(v) The Medicaid program;

(vi) An issuer of a Medicare supplemental policy;

(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy;

(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers;

(ix) The health care program for active military personnel under title 10 of the United States Code;

(x) The veterans health care program under 38 U.S.C. chapter 17;

(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS);

(xii) The Indian Health Service program under the Indian Health Care Improvement Act;

(xiii) The Federal Employees Health Benefits Program;

(xiv) An approved State child health plan under title XXI, providing benefits for child health assistance;

(xv) The Medicare+Choice program under Part C of title XVIII;

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals;

(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care.

What’s not considered a health plan under HIPAA?

Any discussion of what a health plan includes should also include a list of what’s excluded from the definition of a health plan.  These exclusions include:

(ii) A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition):

(A) Whose principal purpose is other than providing, or paying the cost of, health care; or

(B) Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.

Under HIPAA, there is a rather specific laundry list of what is and isn’t a health plan.

It’s intuitive to think you already know what a health plan looks like for general purposes, but I hope that it was helpful to receive more details regarding how HIPAA defines a health plan.

If your organization would like further training, please contact me at

julie@esq140.com