
What is the HITECH Act? HITECH is the Health Information Technology for Economic and Clinical Health Act, a large part of which extends the reach of HIPAA to what are referred to as ‘Business Associates’ of those health entities to which HIPAA applies.

What that means to you in a nutshell is that if you have any dealings whatsoever with any business or authority to which HIPAA applies, and that business or authority can provide you with personal health information (henceforth PHI), then it also applies to you! So let’s take an example of that.

Say you are an insurance broker with a health insurer on your books – just like the health insurer, you too will be subject to HIPAA because you are technically a business associate of that health insurer. Let’s take another example: you provide IT support to a dental practice, and in the course of your work you are liable to be able to access the patient files of the practice. Whether you like it or not, under HITECH you are classed as a business associate of that dental practice, and so both HITECH compliance and HIPAA compliance apply to your business.

You cannot get out of this, and you must therefore set up a HIPAA policy and maintain it to include all of the relevant sections of HIPAA that may appertain to your business. Included in HITECH is the fact that should you, or any of your employees, note a violation of HIPAA in any of the businesses you have dealings with, you are legally obliged to report it at the risk of severe financial penalties.

HITECH has also increased the penalties for violation of HIPAA from a minimum and maximum of $100 and $50,000 to $10,000 and $1.5 million, so HITECH has given teeth to HIPAA that it did not previously have.

You can read anything into that you want, but the way you should perhaps read it is that the government is sick of HIPAA transgressions and is now prepared to stamp down hard on them, with the financial penalty for each level of transgression multiplied by between 100 times and 250 times. That’s a massive increase, so you had better make sure you are complying, because they won’t accept many excuses for not doing so.

So how can you make sure you are complying, even if you just supply prosthetics to an orthopedic surgery and hold PHI in order to do that? There is software available that can help you stay legal with regard to HIPAA, but fundamentally you have to develop a mindset of security: security of patients’ records, and making sure that your business can never possibly either gain access to these records or release them if you do have access. Then record everything you are doing to ensure that.

That is basically what HIPAA is: a set of regulations to ensure the privacy of patient information between the patient and those to whom it must be revealed. People with access to such information must make sure it is not revealed further down the line, and so on until it reaches you – then you have to do the same and prove you have done it.

If you have a formal Business Associate Agreement (BAA) with a business with access to PHI, then HITECH covers you – if you are not sure, then contact your lawyer to determine your status under HITECH and HIPAA. In fact, some lawyers must also technically comply with HITECH, although there is still a great deal of uncertainty whether lawyers who have access to PHI must comply. It would appear strange if they did not.

HITECH also applies to contracted foreign language interpreters and sign language experts hired by health services to interface between patients and health authorities such as doctors. You are advised that, should you feel that you have a business associate that may come within HITECH, then you should formulate a formal BAA with their need for HIPAA compliance included as part of that agreement.

HITECH is designed to make sure you understand these obligations and stick to them, with the ultimate objective of backing up HIPAA and underlining its importance to the entire medical world, including consultants, doctors, nurses, pharmacies, dentists and everybody who has direct contact with patients. As stated, the situation between HITECH and lawyers is unclear.

And then it starts going down the levels to receptionists, clerks, insurers and so on, and then down another level to the suppliers of each of these, such as the insurance broker and even the guy that services your photocopier, if you believe that they could have access to PHI.

Everybody that can possibly receive and pass on the health information of a patient comes under HIPAA through the terms of HITECH. It’s like a domino effect – every domino is covered by HITECH in respect of a patient’s health information – referred to as PHI, and you may see that abbreviation a lot more from now on!


The Purpose of HIPAA Compliance Forms

by Admin on August 1, 2011

HIPAA compliance forms are intended to manage the patient information management system and so ensure compliance with HIPAA. The simple way to manage HIPAA is to regard it as a security or patient confidentiality management system and maintain it as such, just like any other management system.

That means separating the system from the information it is controlling, and managing the system as an entity rather than managing the patient’s information. It is not an easy concept for many to grasp, but once it has been grasped, HIPAA compliance becomes so much easier. The forms and records required to achieve this are as much a part of the system as the regulation itself, which is the driving force behind it. Manage HIPAA properly, and patient medical records will be secure by definition.

If we take note of how patient records are obtained, stored and disseminated, and then manage the systems controlling these, we shall be complying with HIPAA. The first HIPAA compliance form you will need is the Notice of Privacy Practices. You will already have something like this in place for health and safety – your Health and Safety Policy notice. The Notice of Privacy Practices is simply a notice informing patients of how you handle their information, and making them aware of your management system for controlling their Protected Health Information (PHI).

Once you have that, you can then collect together all the other forms that you will need. These will be a mixture of checklists, auditing forms and permissions that should be signed whenever a form changes hands. HIPAA does not require this in every instance, but it is just as easy to do so as to try to identify those practices that do and do not require it.

Thus, consider the Patient Authorization Form. This should be signed by the patient whenever you have to provide PHI to any third party that is not covered by what is referred to as TPO – Treatment, Payment or routing transfer Operations. Some health services have decided that making the distinction is too dangerous, too difficult or simply confusing, so they request that the patient sign for ANY transfer of their PHI.

They have gone beyond HIPAA, but have demonstrated a tight application of their management system, and are within the law to do so. If a patient refuses, the refusal is simply recorded and signed as such and there are no problems. However, patients rarely refuse essential transfer operations when the need for them is explained. Take note that ‘transfer’ and ‘disclosure’ in this case refer to both physical transfer and verbal or any other form of health information disclosure. You can even operate a chain of custody system for physical health records and secure password protection for their electronic equivalents.

Another requirement on a health authority is to allow patients to request an amendment to their health information. Even if you don’t agree with the amendment, simply have a HIPAA compliance form for this that the patient can sign. You have no obligation to agree, but you should record your reasons in the event that the patient complains.

The patient has a right to request an account of how his or her PHI has been disclosed to others – they should sign an Accounting of Disclosures form, another HIPAA compliance form, on which you should provide all inter-office transfers or disclosures of the patient’s health records, and also those sent out of the facility itself. If you run a good management system, you will have records of all of these disclosures and this should be a simple request to deal with.

You should identify all areas and circumstances where patients’ records are stored, ensure the storage is secure (down to the type of locks used) and then record all transfers of this information along with the permission of the patient for each where relevant. A HIPAA compliance form will be required for each type of transfer, along with the patient’s signature. Note that this applies irrespective of the relative geographic locations of patient and records.

You should carry out an internal audit of your entire system using trained auditors, and hold regular review meetings designed to initiate any corrective actions required. Treat HIPAA as any other management system and you should find compliance easy if not quick. HIPAA compliance forms will be the backbone of such a system.


How Are You Doing With HIPAA Compliance?

March 31, 2011

Well, are you compliant yet, or is HIPAA compliance just another legislative thorn in your side that you can leave till somebody tells you to get it done? Are you one of those that wait to ‘see what will happen’ or are you proactive and ready for when the government auditors come calling? Yes, it [...]


Curiosity and HIPAA Don’t Mesh – You Could Wind Up In Jail

January 18, 2011

By: Kristen Pinto Is it really a crime to have wandering eyes?  In short, yes.  Well, at least when it comes to the personal health information of other people.  HIPAA has, at least to some degree, been scoffed at over the last several years.  It seemed to be one of those laws enacted without any [...]


HIPAA Compliance – Privacy vs. Safety

December 18, 2010

There are stories left and right of inadvertent leaks of medical information. Sometimes there is a computer glitch allowing unauthorized people to access information. Sometimes a file is left out and picked up by a curious passerby. Sometimes one simple error can lead to a violation of the HIPAA privacy regulations for thousands of patients. [...]


The HIPAA Headache

November 12, 2010

By: Kirsten Pinto “Hip…what?”  That was my reaction when I first encountered HIPAA.  I was working at a dental office while home from college for the summer.  I had worked at that office part time while in high school and was now receiving instruction about the “new way” to do things around the office.  I [...]


HIPAA Equals Administrative Simplification?

October 18, 2010

By: Dr. Hubert Chang Subtitle F of Title II of HIPAA is entitled “Administrative Simplification.” Let’s just stop right there. Does anyone else find the title of this section of a government-imposed, convoluted and oftentimes majorly confusing act to be a bit of an oxymoron? The passage of the Administrative Simplification was completely warranted because [...]


What Does HIPAA Mean to You?

September 18, 2010

By Marilynn Allen Health Insurance Portability and Accountability Act.  Does that mean anything to you?  How about HIPAA.  Yes, by the cringe that likely just shot over your face, I can tell that HIPAA, even if the full name of the legislation doesn’t catch your eye, means quite a lot to you.  In some offices [...]


The Bite of HIPAA – HITECH Act, HIPAA Violations and Fines

August 4, 2010

HIPAA just grew some teeth. Well, actually the teeth first started to show in 2009 when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law, but only in 2010 did that law take effect. HITECH was meant to promote the adoption and meaningful use of health information technology. With [...]
