<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HIPAA Compliance Tools</title>
	<atom:link href="http://hipaacompliance.org/feed/" rel="self" type="application/rss+xml" />
	<link>http://hipaacompliance.org</link>
	<description>HIPAA Compliance</description>
	<lastBuildDate>Wed, 03 Aug 2011 18:36:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.3</generator>
		<item>
		<title>What is HITECH Act and to Whom Does HITECH Act Compliance Apply?</title>
		<link>http://hipaacompliance.org/what-is-hitech-act-and-to-whom-does-hitech-act-compliance-apply/</link>
		<comments>http://hipaacompliance.org/what-is-hitech-act-and-to-whom-does-hitech-act-compliance-apply/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 18:15:27 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[HITECH ACT]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1763</guid>
		<description><![CDATA[HITECH is the Health Information Technology for Economic and Clinical Health Act, a large part of which extends the reach of HIPAA to what are referred to as &#8216;Business Associates&#8217; of those health entities to which HIPAA applies. What that means to you in a nutshell is that if you have any dealings whatsoever with [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><a href="http://hipaacompliance.org/wp-content/uploads/2011/08/Hitech_Act.gif"><img class="alignleft size-full wp-image-1768" title="Hitech Act" src="http://hipaacompliance.org/wp-content/uploads/2011/08/Hitech_Act.gif" alt="What is Hitech Act" width="200" height="143" /></a>HITECH is the <em>Health Information Technology for Economic and Clinical Health Act</em>, a large part of which extends the reach of HIPAA to what are referred to as &#8216;Business Associates&#8217; of those health entities to which HIPAA applies.</p>
<p>What that means to you in a nutshell is that if you have any dealings whatsoever with any business or authority to which HIPAA applies, and that business or authority can provide you with personal health information (henceforth PHI) then it also applies to you! So let&#8217;s take an example of that.</p>
<p>Say you are an insurance broker with a health insurer on your books &#8211; just like the health insurer, you too will be subject to HIPAA because you are technically a business associate of that health insurer. Let&#8217;s take another example: you provide IT support to a dental practice, and in the course of your work are liable to be able to access the patient files of the practice.  Whether you like it or not, under HITECH you are classed a business associate of that dental practice, and so both HITECH compliance and HIPAA compliance apply to your business.</p>
<p>You cannot get out of this, and you must therefore set up a HIPAA policy and maintain it to include all of the relevant sections of HIPAA that may appertain to your business. Included in HITECH is the fact that should you, or any of your employees, note a violation of HIPAA in any of the businesses you have dealings with, you are legally obliged to report it at the risk of severe financial penalties.</p>
<p>HITECH has also increased the penalties for violation of HIPAA from a minimum and maximum of $100 and $50,000 to $10,000 and $1.5 million, so HITECH has given teeth to HIPAA that it did not previously have.</p>
<p>You can read anything into that you want, but the way you should perhaps read it is that the government is sick of HIPAA transgressions and is now prepared to stamp down hard on them with financial penalties for each level of transgression multiplied by between 100 times and 250 times.  That&#8217;s a massive increase, so you had better make sure you are complying, because they won&#8217;t accept many excuses for not doing so.</p>
<p>So how can you make sure you are complying, even if you just supply prosthetics to an orthopedic surgery and have PHI in order to do that? There is software available that can help you stay legal with regard to HIPAA, but fundamentally, you have to develop a mindset of security: security of patient&#8217;s records and making sure that your business can never possibly either have access to these records, or release them if you do have. Then record everything you are doing to ensure that.</p>
<p>That is basically what HIPAA is: a set of regulations to ensure the privacy of patient information between the patient and those to whom it must be revealed. People with access to such information must make sure it is not revealed down the line and so on till it reaches you &#8211; then you have to do the same and prove you have done it.</p>
<p>If you have a formal Business Associate Agreement (BAA) with a business with access to PHI, then HITECH covers you &#8211; if you are not sure, then contact your lawyer to determine your status under HITECH and HIPAA. In fact, some lawyers must also technically comply with HITECH, although there is still a great deal of uncertainty whether lawyers who have access to PHI must comply. It would appear strange if they did not.</p>
<p>HITECH also applies to contracted foreign language interpreters and sign language experts hired by health services to interface between patients and health authorities such as doctors. You are advised that, should you feel that you have a business associate that may come within HITECH, then you should formulate a formal BAA with their need for HIPAA compliance included as part of that agreement.</p>
<p>HITECH is designed to make sure you understand these obligations and stick to them, with the ultimate objective of backing up HIPAA and underlining its importance to the entire medical world, including consultants, doctors, nurses, pharmacies, dentists and everybody who has direct contact with patients. As stated, the situation between HITECH and lawyers is unclear.</p>
<p>And then it starts going down the levels to receptionists, clerks, insurers and so on, and then down another level to suppliers to each of these such as the insurance broker and even the guy that services your photocopier if you believe that they could have access to PHI.</p>
<p>Everybody that can possibly receive and pass on the health information of a patient comes under HIPAA through the terms of HITECH. It&#8217;s like a domino effect &#8211; every domino is covered by HITECH in respect of a patient&#8217;s health information &#8211; referred to as PHI, and you may see that abbreviation a lot more from now on!</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/what-is-hitech-act-and-to-whom-does-hitech-act-compliance-apply/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Purpose of HIPAA Compliance Forms</title>
		<link>http://hipaacompliance.org/the-purpose-of-hipaa-compliance-forms/</link>
		<comments>http://hipaacompliance.org/the-purpose-of-hipaa-compliance-forms/#comments</comments>
		<pubDate>Mon, 01 Aug 2011 21:42:50 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[HIPAA Forms]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1756</guid>
		<description><![CDATA[HIPAA compliance forms are intended to manage the patient information management system and so ensure compliance to HIPAA. The simple way to manage HIPAA is to regard it as a security or patient confidentiality management system and maintain it as such, just like any other management system. That means separating the system from the information [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><a href="http://hipaacompliance.org/wp-content/uploads/2011/08/forms-1.jpg"><img class="size-full wp-image-1758 alignleft" title="HIPAA Compliance Forms" src="http://hipaacompliance.org/wp-content/uploads/2011/08/forms-1.jpg" alt="HIPAA Forms" width="212" height="182" /></a>HIPAA compliance forms are intended to manage the patient information management system and so ensure compliance to HIPAA. The simple way to manage HIPAA is to regard it as a security or patient confidentiality management system and maintain it as such, just like any other management system.</p>
<p>That means separating the system from the information it is controlling, and managing the system as an entity and not managing the patient&#8217;s information. It is not an easy concept for many to grasp, but once it has been, then HIPAA compliance becomes so much easier. The forms and records required to achieve this are as much a part of the system as the regulation itself, which is the driving force behind it. Manage HIPAA properly, and patient medical records will be secure by definition.</p>
<p>If we take note of how patient records are obtained, stored and disseminated, and then manage the systems controlling these we shall be complying with HIPAA. The first HIPAA compliance form you will need will be the Notice of Privacy Practices. You will already have something like this in place for health and safety &#8211; your Health and Safety Policy notice. The Notice of Privacy Practices is simply a notice informing patients of how you handle their information, and making them aware of your management system to control their Protected Health Information (PHI).</p>
<p>Once you have that, you can then collect all the other forms together that you will need. These will be a mixture of checklists, auditing forms and permissions that should be signed whenever a form changes hands. HIPAA does not require this in every instance, but it is just as easy to do so as to try to identify those practices that do and do not require it.</p>
<p>Thus, consider the Patient Authorization Form. This should be signed by the patient whenever you have to provide PHI to any third party that is not covered by what is referred to as TPO &#8211; Treatment, Payment or routing transfer Operations. Some health services have decided that making the distinction is too dangerous, too difficult or simply confusing, so they request that the patient sign for ANY transfer of their PHI.</p>
<p>They have gone beyond HIPAA, but have demonstrated a tight application of their management system, and are within the law to do so.  If a patient refuses, it is simply signed as such and there are no problems. However, patients rarely refuse essential transfer operations when their need is explained to them. Take note that &#8216;transfer&#8217; and &#8216;disclosure&#8217; in this case refers to both physical transfer and verbal or other form of health information disclosure. You can even operate a chain of custody system for physical health records and secure password protection for electronic equivalents.</p>
<p>Another requirement of a health authority is to allow patients to request an amendment to their health information. Even if you don&#8217;t agree with this, simply have a HIPAA compliance form for this that the patient can sign. You have no obligation to agree, but you should record the reasons for this in the event that the patient complains.</p>
<p>The patient has a right to request how his or her PHI has been disclosed to others &#8211; they should sign an Accounting of Disclosures form, another HIPAA compliance form, on which you should provide all inter-office transfers or disclosures of the patient&#8217;s health records, and also those sent out of the facility itself. If you run a good management system, you will have records of all of these disclosures and this should be a simple request to deal with.</p>
<p>You should identify all areas and circumstances where patient&#8217;s records are stored, ensure the storage is secure (even to the type of locks used) and then record all transfers of this information along with the permission of patients for each where relevant. A HIPAA compliance form will be required for each type of transfer along with the patient&#8217;s signature. Note that this applies irrespective of the relative geographic locations of patient and records.</p>
<p>You should carry out an internal audit of your entire system using trained auditors, and hold regular review meetings designed to initiate any corrective actions required. Treat HIPAA as any other management system and you should find compliance easy if not quick.  HIPAA compliance forms will be the backbone of such a system.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/the-purpose-of-hipaa-compliance-forms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Are You Doing With HIPAA Compliance?</title>
		<link>http://hipaacompliance.org/hipaa-compliant/</link>
		<comments>http://hipaacompliance.org/hipaa-compliant/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 14:54:38 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1753</guid>
		<description><![CDATA[Well, are you compliant yet, or is HIPAA compliance just another legislative thorn in your side that you can leave till somebody tells you to get it done? Are you one of those that wait to &#8216;see what will happen&#8217; or are you proactive and ready for when the government auditors come calling? Yes, it [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Well, are you compliant yet, or is HIPAA compliance just another legislative thorn in your side that you can leave till somebody tells you to get it done? Are you one of those that wait to &#8216;see what will happen&#8217; or are you proactive and ready for when the government auditors come calling?</p>
<p>Yes, it is true that the penalties for non-compliance might not be 100% clear, but you can be sure that they will eventually lead to fines and then imprisonment, and you will still have to comply in the end. So why not do it now &#8211; get it over with before it costs you even more money and grief &#8211; or even &#8216;time&#8217;?</p>
<p>HIPAA compliance isn&#8217;t a walk in the park, and will involve a great deal of your time and money unless you know the easy way &#8211; and no, that doesn&#8217;t involve hiring a lawyer to look after it for you.  You could, but it will cost an arm and a leg!</p>
<p>We know HIPAA compliance can be difficult &#8211; we know it involves understanding the regulations, identifying these areas where patient confidentiality is not secure, and training all your staff on compliance procedures.  That&#8217;s why we are offering Interactive HIPAA to make it a lot easier for you.</p>
<p>Complying with the requirements of the HIPAA Safety Regulations will never be easy &#8211; nobody is saying that, but if you take them as an ethos that you can apply to improve security and confidentiality throughout your organization, then they will become a bit easier to apply and who knows, they might even improve the efficiency of your business. </p>
<p>HIPAA Compliance.org, with its 20 stage program to ensure you are 100% compliant, is just what you need to make sure that you are ready to face any government auditor with total confidence that you pass. Whether you agree with the objectives or administration of HIPAA or not, your organization must be in compliance if you wish to remain in business. </p>
<p>HIPAA Compliance.org will take care of your office&#8217;s HIPAA compliance and provide you with a Compliance Verification Report that will satisfy any external auditor. </p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/hipaa-compliant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Curiosity and HIPAA Don’t Mesh &#8211; You Could Wind Up In Jail</title>
		<link>http://hipaacompliance.org/curiosity-and-hipaa-don%e2%80%99t-mesh-you-could-wind-up-in-jail/</link>
		<comments>http://hipaacompliance.org/curiosity-and-hipaa-don%e2%80%99t-mesh-you-could-wind-up-in-jail/#comments</comments>
		<pubDate>Tue, 18 Jan 2011 22:58:51 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[General HIPAA Posts]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1716</guid>
		<description><![CDATA[By: Kristen Pinto Is it really a crime to have wandering eyes?  In short, yes.  Well, at least when it comes to the personal health information of other people.  HIPAA has, at least to some degree, been scoffed at over the last several years.  It seemed to be one of those laws enacted without any [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>By: Kristen Pinto</p>
<p>Is it really a crime to have wandering eyes?  In short, yes.  Well, at least when it comes to the personal health information of other people.  HIPAA has, at least to some degree, been scoffed at over the last several years.  It seemed to be one of those laws enacted without any real weight.  The laws were written and laid out “clearly” (this, of course, is a subjective term) but with no real threat of punishment for violating some of them.</p>
<p>The times, they are a changing.  Dr. Huping Zhou is the first person who has been convicted and sentenced to prison time for what some would simply call curiosity or a wandering eye.  He has essentially now become the poster child for HIPAA violations demonstrating to the nation that HIPAA violations can and will be prosecuted.</p>
<p>Different sources tell the story with slightly different details, but the gist of it is as follows.  Dr. Zhou, a surgeon from China, was working as a researcher at UCLA.  At some point during his time there he began perusing the medical records of some of his superiors—and other high-profile people, such as Governor Schwarzenegger, Tom Hanks, and other celebrities.  How exactly it was discovered that Dr. Zhou was snooping around I cannot find anywhere.  This is especially interesting as it is noted that there was never any evidence or indication that Dr. Zhou had any intent or plan to sell or use the information he found improperly.  Regardless of how he was found out, in the end it was sad news for Dr. Zhou.  In January he pleaded guilty on 4 misdemeanor counts of illegally reading confidential medical records.   A judge has recently sentenced him to pay a $2,000 fine and spend four months in federal prison.</p>
<p>OK, honestly, the first question that comes to mind for me when I read these types of stories is this: Why does anyone care about the health history of anyone else?  But personal curiosity aside, the second question that came to mind after reading up on Dr. Zhou was if the punishment really fit the crime.  Was the judge a little heavy-handed when passing down his sentence?  Are HIPAA violations like this really fairly punished with time in federal prison?  When so many heinous crimes flash across headlines these days, does it really seem necessary to punish Dr. Zhou’s curiosity with such a severe penalty?  I am all for protecting an individual’s privacy.  And HIPAA does need to be taken seriously and followed.  But I’m not sure we are going about it the right way if this is the direction we’re headed.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/curiosity-and-hipaa-don%e2%80%99t-mesh-you-could-wind-up-in-jail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Compliance &#8211; Privacy vs. Safety</title>
		<link>http://hipaacompliance.org/hipaa-compliance-privacy-vs-safety/</link>
		<comments>http://hipaacompliance.org/hipaa-compliance-privacy-vs-safety/#comments</comments>
		<pubDate>Sat, 18 Dec 2010 22:50:11 +0000</pubDate>
		<dc:creator>Katie Sullivan</dc:creator>
				<category><![CDATA[HIPAA Compliance]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1712</guid>
		<description><![CDATA[There are stories left and right of inadvertent leaks of medical information.  Sometimes there is a computer glitch allowing unauthorized people to access information.  Sometimes a file is left out and picked up by a curious passerby.  Sometimes one simple error can lead to a violation of the HIPAA privacy regulations for thousands of patients.  [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>There are stories left and right of inadvertent leaks of medical information.  Sometimes there is a computer glitch allowing unauthorized people to access information.  Sometimes a file is left out and picked up by a curious passerby.  Sometimes one simple error can lead to a violation of the HIPAA privacy regulations for thousands of patients.  This can be appalling.</p>
<p>Even more appalling sometimes are the <em>intentional</em> information leaks.  A celebrity is treated at a clinic and one of the office staff copies their file and sells it to a tabloid.  In one particular instance, the daughter of a hospital employee took a list of patients’ information and called those people to tell them they had been diagnosed with HIV—as a practical joke.  Some of these stories make us shake our heads in disbelief.</p>
<p>The topic of privacy violations—whether intentional or not—raises an important question.  Is it ever okay to violate the rules of HIPAA?  Is there ever a time when there is something more important than protecting a patient’s privacy?  Are there times when keeping a patient’s information private might cause them—or others—more harm than good?</p>
<p>Let’s address a few things first.  The previous examples are obviously unethical on the part of the HIPAA violators and harmful to the victims—psychologically, emotionally, and financially.  There are times when it is obvious that HIPAA achieves its purposes in protecting patients.  No one should ever use another person’s health for personal financial gain.  Also, no one should be giving out false information about a patient—to him or to anyone else.  That is obvious.  But what about some situations that may lie in the gray area?</p>
<p>What about public safety?  Is there ever a time when it is better for the safety and health of the public to disclose health information about an individual?  Should illnesses that are highly contagious be disclosed to a patient’s school or workplace to protect those with whom the patient may come in contact?  HIPAA protects the privacy of that patient but what about the safety and health of those around him?  Are those people less important?</p>
<p>What about the patient’s own safety and well-being?  Doctors are often privy to a great deal of personal information.  According to HIPAA, he must keep that information confidential.  What if a doctor is aware of a recent suicide attempt and thinks it would be beneficial to notify a family member to have them keep an eye on the patient and offer support?  Is it better to guard the patient’s privacy or his life?</p>
<p>There is no easy answer to questions like these.  But in a world that has become so obsessed with safeguarding the privacy of the individual, maybe it is time to stop and ask ourselves “Is there a downside to so much privacy?”</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/hipaa-compliance-privacy-vs-safety/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The HIPAA Headache</title>
		<link>http://hipaacompliance.org/the-hipaa-headache/</link>
		<comments>http://hipaacompliance.org/the-hipaa-headache/#comments</comments>
		<pubDate>Fri, 12 Nov 2010 22:46:07 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[General HIPAA Posts]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1709</guid>
		<description><![CDATA[By: Kirsten Pinto “Hip…what?”  That was my reaction when I first encountered HIPAA.  I was working at a dental office while home from college for the summer.  I had worked at that office part time while in high school and was now receiving instruction about the “new way” to do things around the office.  I [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>By: Kirsten Pinto</p>
<p>“Hip…what?”  That was my reaction when I first encountered HIPAA.  I was working at a dental office while home from college for the summer.  I had worked at that office part time while in high school and was now receiving instruction about the “new way” to do things around the office.  I had been away at college making new friends, attending all the sporting events (as any loyal student would, of course), eating late-night pizza, and doing my school work somewhere in there.  I admit that staying on top of the happenings in the healthcare industry was not at the top of my priority list.  In my neglect, I had missed one of the biggest moments in healthcare legislative history—in all of healthcare history maybe.  The HIPAA Privacy Act compliance deadline.  In my time away from the dental office, the compliance date for HIPAA had come and gone.  From what I could gather it was some messy law passed to protect patients.  It sounded like it had been (and still was) quite the headache for practitioners and their staff.</p>
<p>So, I listened patiently to some of the new policies and procedures.  It all started at the time of check-in.  It was a violation of HIPAA policy for patients to know who else had signed in—to know who else was a patient there.  It seemed lame to me, but I understood it was the law—and I wanted to keep my job—so I paid attention to the rules of blacking out and covering up patients who had already signed in.  This involved quickly attending to each patient as soon as they signed in so you could get anything else you needed from them and their name covered up before anyone else signed in.  It seemed easy enough.  Next I listened to the other receptionist point out the specific direction that folders were turned whether they were in a cubby on her desk or outside the exam areas.  Basically this precaution kept us from flashing the names of patients around for all the world to see.  It sounded pretty similar to the issues with the sign-in sheet.  And honestly, equally silly at first.  As I learned some of the other rules around the office I understood that the essence of the law was to keep each patient’s PHI confidential.  Yes, I had to ask what PHI stood for, but I know now—Personal Health Information.</p>
<p>As the summer progressed I gradually learned more about HIPAA, PHI, and some of the other ins and outs of the legislation and how it affected a small healthcare provider like our dental office.  I can’t say that in that summer I came to a good understanding of all the intricacies, underpinnings, and logic involved in HIPAA.  As a patient and as an employee in a healthcare provider’s office, I still felt a little naïve.  I followed the procedures as best I could but sometimes wished that I could have a better understanding of the bigger picture and how the little details of what I did to basically protect our patients’ identities fit into that bigger picture.  Something tells me I’m not the only one out there who still feels a little lost sometimes when it comes to HIPAA and what exactly is involved in compliance to it.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/the-hipaa-headache/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Equals Administrative Simplification?</title>
		<link>http://hipaacompliance.org/hipaa-equals-administrative-simplification/</link>
		<comments>http://hipaacompliance.org/hipaa-equals-administrative-simplification/#comments</comments>
		<pubDate>Mon, 18 Oct 2010 22:40:05 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[General HIPAA Posts]]></category>
		<category><![CDATA[HIPAA Policy]]></category>
		<category><![CDATA[HIPAA Software]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1707</guid>
		<description><![CDATA[By: Dr. Hubert Chang Subtitle F of title II of HIPAA is entitled “Administrative Simplification.”  Let’s just stop right there. Does anyone else find the title of this section of government imposed, convoluted and often times majorly confusing act to be a bit of an oxymoron?  The passage of the Administrative Simplification was completely warranted because [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>By: Dr. Hubert Chang</p>
<p>Subtitle F of title II of HIPAA is entitled “Administrative Simplification.”  Let’s just stop right there. Does anyone else find the title of this section of government imposed, convoluted and often times majorly confusing act to be a bit of an oxymoron?  The passage of the Administrative Simplification was completely warranted because by design it’s supposed to improve the Medicare program, the Medicaid program, and the healthcare system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information. The confusion often comes into play when deciphering who exactly must comply with the HIPAA regulations.  The requirements of HIPAA apply to any entity storing and/or transmitting patient identifiable information on electronic media. This means compliance must be followed by virtually all health care organizations from physicians and insurance companies to health care support organizations and even small and large companies who offer medical plans to their employees.</p>
<p>Administrative Simplification is intended to reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper.  This means your office or facility needs to have a procedure in order to be compliant under HIPAA.  While it may seem like quite the undertaking, it is important to remember that everyone will benefit from implementation of the HIPAA standards. Electronic data exchange will save time, increase efficiency and reduce administrative costs. In the meantime, HIPAA is causing a great deal of stress for many people. The HIPAA rules and the standards adopted by the Department of Health and Human Services are complicated, and the threat of penalties makes HIPAA all the more frightening.</p>
<p>For my own practice, I purchased the <a href="http://hipaacompliance.org">HIPAA Compliance Tools software</a> produced by HJ Ross Company.  After attending multiple seminars and trying to navigate the HIPAA maze on my own, I came to the conclusion I needed a little extra help.  My administrative assistant was able to navigate the program on her own, create a customized policy and procedures manual, and subsequently provide an in-service training for myself and the rest of the staff.  However, my method is just the path that worked out best for me. There are many routes that a facility can take to ensure compliance; the important part is that you need to do something! Your procedure needs to be documented in case that day ever comes when you are faced with an audit, a civil claim, or a criminal charge.  It is imperative that your facility has evidence that there is a procedure in place and training was administered and that every precaution to avoid a HIPAA infraction was taken.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/hipaa-equals-administrative-simplification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Does HIPAA Mean to You?</title>
		<link>http://hipaacompliance.org/what-does-hipaa-mean-to-you/</link>
		<comments>http://hipaacompliance.org/what-does-hipaa-mean-to-you/#comments</comments>
		<pubDate>Sat, 18 Sep 2010 19:05:35 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[General HIPAA Posts]]></category>
		<category><![CDATA[HIPAA Compliance]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1700</guid>
		<description><![CDATA[By Marilynn Allen Health Insurance Portability and Accountability Act.  Does that mean anything to you?  How about HIPAA.  Yes, by the cringe that likely just shot over your face, I can tell that HIPAA, even if the full name of the legislation doesn’t catch your eye, means quite a lot to you.  In some offices [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://hipaacompliance.org/what-does-hipaa-mean-to-you/" title="Permanent link to What Does HIPAA Mean to You?"><img class="post_image alignleft remove_bottom_margin" src="http://hipaacompliance.org/wp-content/uploads/2010/11/hipaa_policy-200x300.jpg" width="200" height="300" alt="HIPAA" /></a>
</p><p>By Marilynn Allen</p>
<p>Health Insurance Portability and Accountability Act.  Does that mean anything to you?  How about HIPAA?  Yes, by the cringe that likely just shot over your face, I can tell that HIPAA, even if the full name of the legislation doesn’t catch your eye, means quite a lot to you.  In some offices HIPAA is still the equivalent of a curse word.  But why?  Is it because the passing of HIPAA and the additions over the years have caused you an immense increase in workload?  Is it the headache you get trying to make sense of all the implications it has on your office?  Is it the stress you feel from sifting through the legal jargon to pull out what you need to do differently in your office?  Or is it that the changes just plain seem unnecessary to you?</p>
<p>Whatever it is about HIPAA that you dislike, I have one suggestion to help alleviate some of the HIPAA stress in your life.  A paradigm shift.  Self-help books everywhere typically hit this major topic at some point in their pages.  Basically they are suggesting changing the way you look at and see things.  Put on new glasses.  Changing your perspective can change your attitude and your feelings about something.</p>
<p>Let’s be honest.  No one really likes to be told what to do.  Think of the two-year-olds you know.  They love the word, “No!”  You tell them what to put on, they say it.  You give them a plate and tell them to eat, again they respond with the determined, “No!”  And you’re left thinking, “But she loved that dress last week,” or “But grapes are her favorite.”  The point is she doesn’t want to be told what to do.  Give her a choice of what to wear and it will be no surprise when she picks out that dress.  Ask her if she’s hungry and she might ask for those grapes.</p>
<p>So, you’re probably thinking right now, “What in the world does this have to do with HIPAA?”  Adults are really no different than 2-year-olds in at least one sense.  We don’t like to be told what to do either.  Many of the ideas of HIPAA are sound ideas that many of us would have gladly implemented in our office—if we came up with them.  But we start to squirm when Congress tells us we are <em>required</em> to do something.  My suggestion is to forget about Congress.  When you are sifting through your policies and procedures to make sure you are HIPAA compliant in every way, do it with your favorite patient in mind.  Think of Mrs. Harrison, that sweet older lady who always comes in with a smile on her face.  Think of Jeff, that high school student who wants to be the tough guy but is obviously the nicest kid.  Whoever it is—that patient you would help with anything—think of him or her.  They might even be clueless about HIPAA and all your office is doing to protect them and be HIPAA compliant.  It doesn’t matter.  Do it because you care about them.  And you care that in a day and age when the personal information of others is a commodity to be bought and sold, you want to keep them safe from that threat—even if they are unaware of it.</p>
<p>Do you feel a little calmer already?  Good.  Now keep those positive patients rolling through your mind as you go tackle some of your paperwork.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/what-does-hipaa-mean-to-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Bite of HIPAA &#8211; HITECH Act, HIPAA Violations and Fines</title>
		<link>http://hipaacompliance.org/the-bite-of-hipaa-hitech-act-hipaa-violations-and-fines/</link>
		<comments>http://hipaacompliance.org/the-bite-of-hipaa-hitech-act-hipaa-violations-and-fines/#comments</comments>
		<pubDate>Wed, 04 Aug 2010 05:03:07 +0000</pubDate>
		<dc:creator>Katie Sullivan</dc:creator>
				<category><![CDATA[General HIPAA Posts]]></category>
		<category><![CDATA[HITECH ACT]]></category>
		<category><![CDATA[hipaa compliance]]></category>
		<category><![CDATA[hipaa fines]]></category>
		<category><![CDATA[hipaa violations]]></category>
		<category><![CDATA[hitech act]]></category>

		<guid isPermaLink="false">http://hipaacompliance.org/?p=1581</guid>
		<description><![CDATA[HIPAA just grew some teeth.  Well, actually the teeth started to first show in 2009 when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law, but only in 2010 did that law take effect.  HITECH was meant to promote the adoption and meaningful use of health information technology.  With [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>HIPAA just grew some teeth.  Well, actually the teeth started to first show in 2009 when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law, but only in 2010 did that law take effect.  HITECH was meant to promote the adoption and meaningful use of health information technology.  With offices of all kinds making paper records a thing of the past, it was only fitting that the U.S. Department of Health &amp; Human Services introduce law that would ensure the privacy of individual health information in the electronic age.  This HITECH subtitle of HIPAA can really bite those not properly dealing with the electronic transmission of health information; HITECH provides the provisions that strengthen the civil and criminal enforcement of the HIPAA rules.</p>
<p>Monetary fines under the HITECH Act can run anywhere from $100 per single violation to $1,500,000 as the maximum for a calendar year worth of violations.  The fines are structured on a tier level.  Each level is meant to punish violations based on an increasing level of culpability by the offender; the penalty will be decided based on the nature and the extent of the violation and the nature and the extent of the harm resulting from the violation.  If you are one of the entities (i.e. companies with a health care plan, health care clearinghouses, and healthcare providers, to name a few) required to be HIPAA compliant, you could be subject to civil (money) penalties, enforced by the Department of Health and Human Services, and/or criminal penalties, enforced by the U.S. Department of Justice.</p>
<p>The fines and threat of imprisonment are a few major incentives for HIPAA covered entities to really get serious about protecting patient privacy information, but the reputation of a company, office, or facility should also be incentive enough.  The last thing anyone wants is for their company or practice to make the evening news for improperly disposing of patient records or being the cause of their employees’ identity being stolen.  However, it’s those high fines that are really starting to make those of us mandated to be HIPAA compliant sweat.  The high fines levied on HIPAA violators reflect the importance of safeguarding protected health information. Faced with the looming threat of steep fines from failing to meet HIPAA data breach requirements, the health service industry is seeking ways to make sure they are HIPAA compliant.</p>
<p>There are a host of methods by which a facility or company can ensure compliance.  These methods range anywhere from hiring an attorney to guide you through compliance, attending seminars, having a consultant visit your facility, or purchasing software or other such compliance tools to guide you through the process.  It would be a massive undertaking to sift through the HIPAA laws and administrative compliance procedures for any one person. I definitely recommend soliciting some sort of help. Just remember, whatever method is chosen, it is critical to make sure any staff dealing with patients or clients are trained in a uniform, facility-specific HIPAA compliance procedure. While the whole process may seem cumbersome, taking the time and making the investment to ensure HIPAA compliance is going to pay off if the Department of Health and Human Services or the Department of Justice ever decides to pay a visit.</p>
<p><em>Katie M. Sullivan holds a master’s degree in Public Policy and Administration and directs the HIPAA compliance program for a company with a client base of over five thousand medical providers nationwide. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://hipaacompliance.org/the-bite-of-hipaa-hitech-act-hipaa-violations-and-fines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

