Friday, June 28, 2013

How the HIPAA Privacy Rule is Enforced and how to Protect Yourself

Understanding Health Information Privacy

Many providers and individuals are confused about what the HIPAA Privacy Rule is about. In a nutshell, the HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes. 

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information. 

With all the fear of HIPAA Security audits being stimulated these days and the large penalties being imposed on healthcare practices, health plans and individuals, providers need to know, specifically, how the Office of Civil Rights under Health and Human Services enforces the HIPAA Security Rule, and how to protect themselves and their practices. This article summarizes information available on the hhs.gov website and adds information from e2o Health on how to protect yourself and your practice from HIPAA Security and Privacy violations.

For more detailed information on the HIPAA Privacy Rule, go to 


How the Office of Civil Rights (OCR) Enforces the HIPAA Privacy Rule


OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules.

OCR may only take action on certain complaints. See What OCR Considers During Intake and Review of a Complaint for a description of the types of cases in which OCR cannot take an enforcement action.
If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.


What OCR Considers During Intake and Review of a Complaint
The Office for Civil Rights (OCR) is the agency within the U.S. Department of Health and Human Services that investigates complaints about failures to protect the privacy of health information. It does so under its authority to enforce the Privacy and Security Rules.

OCR carefully reviews all complaints that it receives. Under the law, OCR may only take action on complaints that meet the following conditions.

•  The alleged action must have taken place after the dates the Rules took effect. Compliance with the Privacy Rule was not required until April 14, 2003. Compliance with the Security Rule was not required until April 20, 2005. Therefore, OCR cannot investigate complaints about actions that took place before these dates.

•  The complaint must be filed against an entity that is required by law to comply with the Privacy and Security Rules. Not all organizations are covered by the Privacy and Security Rules. Entities subject to the Privacy and Security Rules are considered “covered entities.” Briefly, a covered entity is:

  o  a health plan, including but not limited to health insurance companies and company health plans; or
  o  a health care provider that electronically transmits any health information in connection with certain financial and administrative transactions (such as electronically billing insurance carriers for services), including but not limited to doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists; or
  o  a health care clearinghouse.

  Examples of organizations that are not required to comply with the Privacy and Security Rules include:
  o  life insurers,
  o  employers,
  o  workers' compensation carriers,
  o  many schools and school districts,
  o  many state agencies like child protective service agencies,
  o  many law enforcement agencies, and
  o  many municipal offices.


•  A complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule. For example, OCR generally could not investigate a complaint that alleged that a physician sent a person’s demographic information to an insurance company to obtain payment, because the Privacy Rule generally permits doctors to use and disclose such information to bill for their services.

•  Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Privacy or Security Rule. OCR may waive this time limit if it determines that the person submitting the complaint shows good cause for not submitting the complaint within the 180-day time frame (e.g., circumstances that made submitting the complaint within 180 days impossible).

Enforcement Results as of May 31, 2013


HHS / OCR has investigated and resolved over 20,056 cases by requiring changes in privacy practices and other corrective actions by the covered entities. Corrective actions obtained by HHS from these entities have resulted in change that is systemic and that affects all the individuals they serve. HHS has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

•  In another 9,372 cases, our investigations found no violation had occurred.

•  In the rest of our completed cases (45,202), HHS determined that the complaint did not present a case eligible for enforcement, because:
  o  OCR lacks jurisdiction under HIPAA – such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by HIPAA;
  o  the complaint is untimely, or was withdrawn or not pursued by the filer; or
  o  the activity described does not violate the Rules – such as when the covered entity has disclosed protected health information in circumstances in which the Rules permit such a disclosure.

•  In summary, since the compliance date in April 2003, HHS has received over 81,790 HIPAA complaints. We have resolved ninety-one percent of complaints received (over 74,630): through investigation and enforcement (over 20,056); through investigation and finding no violation (9,372); and through closure of cases that were not eligible for enforcement (45,202).

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:
  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

What Do You Have to Do for a HIPAA SRA?

  •  To meet Meaningful Use and comply with HIPAA-HITECH requirements, providers have to perform a thorough Security Risk Assessment (SRA) once during the reporting period.
  •  The HIPAA SRA should cover all five categories identified earlier.
  •  Constantly monitor to ensure that the organization complies with all the HIPAA requirements.
  •  Prepare documentation of your HIPAA SRA.


How to Prepare for an Audit

  •  CMS has announced that 10% to 50% of the attested providers will face an audit.
  •  The audit will be conducted by a CMS contractor, Figliozzi and Company. This audit will be performed on the complete Meaningful Use information and not just on the HIPAA SRA.
  •  If possible, perform a mock audit as preparation.
  •  Keep thorough documentation of your Meaningful Use reports, attestation information, and HIPAA SRA information.

Conclusion

  •  Consequences for failing to do a HIPAA SRA can be significant. Audit preparations take a considerable amount of time, so please be prepared.
  •  Use the assistance of your Meaningful Use support or a qualified HIPAA Security Risk Assessment company to ensure that you can face an audit.
  •  e2o Health offers a thorough HIPAA SRA service. For inquiries or questions, please contact us at (800) 326-0215.
