Privacy & Security: The New HIPAA Rule

HIPAA Privacy, Security, and the HITECH Act

HITECH ACT – 2010 Changes in HIPAA Law

HITECH Act and Encryption in 5 Minutes

Information Security Program and HIPAA Compliance

#1: Practical Guide to HIPAA Privacy and Security Compliance

496 pages

Description:

This book is a one-stop resource for HIPAA privacy and security advice that can immediately be applied to any organization’s unique situation. It defines what HIPAA is, what it requires, and what can be done to achieve and maintain compliance. It describes the HIPAA Privacy and Security Rules and compliance tasks in easy-to-understand language, focusing not on technical jargon, but on what organizations need to do to meet requirements. Anyone preparing an organization for HIPAA laws will receive expert guidance on requirements and other commonly-discussed topics. The book enables organizations determine how HIPAA will impact them, regardless of whether they are a HIPAA Covered Entity.

#2: PKI Security Solutions for the Enterprise: Solving HIPAA, E-Paper Act, and Other Compliance Issues

336 pages

Description:

• Outlines cost-effective, bottom-line solutions that show how companies can protect transactions over the Internet using PKI
• First book to explain how PKI (Public Key Infrastructure) is used by companies to comply with the HIPAA (Health Insurance Portability and Accountability Act) rules mandated by the U.S. Department of Labor, Health, and Human Services
• Illustrates how to use PKI for important business solutions with the help of detailed case studies in health care, financial, government, and consumer industries

#3: A Guide to HIPAA Security and the Law

372 pages

Description:

This publication discusses the HIPAA Security Rule’s role in the broader context of HIPAA and its other regulations, and provides useful guidance for implementing HIPAA security. At the heart of this publication is a detailed section-by-section analysis of each security topic covered in the Security Rule. This publication also covers the risks of non-compliance by describing the applicable enforcement mechanisms that apply and the prospects for litigation relating to HIPAA security.

#4: The Clinical Documentation Sourcebook: The Complete Paperwork Resource for Your Mental Health Practice

336 pages

Description:

The paperwork required when providing mental health services in the current era of third-party accountability can be quite daunting. The sourcebook is designed to help clinicians provide this documentation in a form that satisfies managed care requirements and maximizes prospects for approval of payments. Includes ready-to-use sample forms that meet the documentation requirements of virtually every managed care organization. The sourcebook also provides properly completed examples of each form, as well as a computer disk which contains word-processing versions of every form in the book.

#5: HIPAA Survival Guide for Providers: Privacy, Security and the HITECH Act

Description:

The HIPAA Survival Guide attempts a “forest from the trees” overview of the HIPAA Privacy and Security rules, and also includes a general overview of the HITECH Act as it pertains to these rules. The genesis of these rules is covered in the Background section. The HIPAA Survival Guide only targets a subset of covered entities, namely healthcare providers, focusing mostly on small providers, since this group will clearly be the most challenged by new laws and regulations.

The Third Edition of the HIPAA Survival Guide updates various substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version available on Amazon’s Kindle.

BONUS #6 – YES, IT’S A HIPAA ROMANCE NOVEL — HIPAA Hysteria

We’re really not sure how good this could be, but cmon — a steamy romantic novel set in the wild world of HIPAA compliance? Yes please!

Description:

Is it a romantic comedy? Yes! Is it a legal thriller? Yes!

Margaret Nicks, a new graduate with a couple of degrees in health information management, becomes the Acting Director of Health Information Management at a hospital when the Director suffers a stroke. She quickly finds out that her new duty of getting the hospital HIPAA compliant won’t be easy. But she hires a consultant that she had met at a Cross Country seminar. Follow their struggles with the hospital doctors, staff, and administration to get them into compliance. They are attracted to each other, but legal ethics prevents him from dating her. After the compliance date, a hospital employee commits identity theft and blames it on the hospital’s failure to enforce HIPAA. Management tries to hang Margaret out to dry to save the hospital administrator and the governing board from liability. The U.S. Attorney indicts her under the theory of corporate criminal liability. So she hires the consultant, who is also an experienced defense attorney. Can he keep her out of federal prison? Will they end up an item after she is no longer his client?

Don’t have a Kindle yet? Get one at a discounted price on Amazon here.

Cignet Health failed to honor the access to medical records requests of 41 of their patients between September 2008 and October of 2009. The company’s failure to cooperate with the subsequent investigation by HHS OCR (Office of Civil Rights) officials earned them another $3 million in fines at the end of the day. According to the official press release about the matter it was the HHS’s position that Cignet had displayed a willful neglect to the basic privacy rules laid down by HIPAA.

“Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this administration,” Health and Human Services Secretary Kathleen Sebelius said in a statement.

HIPAA only regulates electronically transmitted data – Oh if only it were so, the life of a HIPPA compliance officer (and anyone else in the medical field) would be so much easier. But no, HIPAA applies to all forms of communication: written, verbal and any form of electronic transmission, including personal e mail notes and social networking posts.

If improperly released information is not exploited, there is no violation of the law – In many of the cases of improperly released PI that have hit the headlines over the last several years no one had any way of telling how and if patient data had been been exploited after the release of information but they still got hit with the big fines and penalties. It is the act of improperly releasing the information that is the violation.

Dentists, optometrists, nurses, and pharmacists are exempted from HIPAA regulations – We actually heard this one – from an individual employed in one of the aforementioned professions -and were flabbergasted. HIPAA governs anyone and everyone who creates or handles patient records – right down to the high school kid who works part time filing charts. Hopefully the professional who was under this misguided impression has now taken a serious crash course in HIPAA compliance.

Little HIPAA violations don’t matter, no one will ever find out – This is unfortunately the mentality of many employees in smaller medical offices. In fact though all it takes is one patient complaint and the whole office will be under serious scrutiny. And just as a reminder, the maximum fines and penalties for failure to comply with the HIPAA laws are $250,000 and 10 years imprisonment. Not to mention the damage the resultant inevitable bad publicity will have on any practice in both the short and the long term.

According to that report the prospect of a data disaster that leads to a costly HIPPA breech is scarier than luer mis connections, over sedation, needle sticks, surgical fires and defibrillator failures.

Is this a bit of an over reaction? Surgical fires and needle sticks sound a lot more serious than data loss. However given the increasing number of HIPPA violations reported around the country in 2010 and in many cases the costly fines and horrendous publicity that came with them make this kind of concern understandable.

Some of these violations would never have been prevented by even the most sophisticated of IT security systems though. Take the recent reports about a physician who transmitted a great deal of personal patient information via email to his home in a completely insecure and unencrypted manner.

There was no malice involved, the man was merely trying to have the information at hand to review properly at the end of his long day. The story though highlighted the continuing need for the education of everyone who handles PI in what is and is not allowable under the HIPPA rules and regulations.

Attorney -Group Health Insurance/HIPAA Job

Location: New Jersey

This Part-Time Attorney position will support Insurance Services daily legal needs including: carrier contract negotiations, HIPAA advice, Group Health and Workman’s comp Insurance advice and review of Business Associate Agreements and associated issues, assist in resolution of client issues, support insurance regulatory compliance processes and procedures, support product development with insurance regulatory reviews. Provide general business guidance as it relates to insurance regulatory and compliance matters. Advise on HIPAA compliance and update evolving policies and procedures as needed to maintain compliance with HIPAA.

Learn more about this HIPPA job here

Clinical Information Project Manager

Company: Sanford Health

Location: Sioux Falls, SD

The Project Manager will gather, analyze, design, develop, modify, test, implements evaluates, and maintain clinical information handling technologies: That collect data to support clinical practice That use data to support clinical decision-making That provide for identification of outcomes To develop plans for achieving identified outcomes To assist and document testing, training, activation and implementation of the plan To provide for outcome measurement and evaluation To communicate project progress and outcomes to appropriate health system departments & personnel. These job duties will be carried out using a high level of customer service while promoting and participating in the team approach

Apply for this opportunity here

Director of Compliance and HIPAA Officer

Company:Berger Health System

Location:Circleville, OH US

The Director of Compliance/HIPAA Officer oversees the Corporate Compliance Program, functioning as an independent and objective body that reviews and evaluates compliance issues/concerns within the organization and serves as the HIPAA Officer for Berger Health System and its entities. The position ensures the Board of Governors, management and employees are in compliance with the rules and regulations of regulatory agencies, that organization policies and procedures are being followed, and that behavior in the organization meets the organization’s Code of Conduct. This person will also assure that processes, policies, documentation and training are in place for full HIPAA compliance.

Learn more about this position here

Patient Accounting Analyst – HIPAA 5010 compliance Specialist

Company :CyberCoders Engineering

Location:Chicago, IL US

What you need for this position:
• In-Depth understanding of Patient Accounting
• EDI experience including ICD-10-CM and ICD-10-PCS
• Expert knowledge of Implementation Guides for HIPAA 5010
• ASC X12 affiliations, work group involvement, and network of other EDI experts
• Familiarity with multiple patient accounting systems (such as MedSeries4, Meditech, Invision, Epic Resolute, Affinity, GE Flowcast, or Allscripts)
• Available for Travel Monday through Thursday

To apply for this position click here

HIPAA Compliance Program Manager

Company: First Solution USA

Location: New London, CT

Our client, located near the Connecticut shore offers a full-time, direct hire, permanent job opportunity. Highly visible leadership role with hospital seeking a Program Manager to ensure compliance with all aspects of the Health Insurance Portability and Accountability Act (HIPAA), including but not limited to all current rules and regulations that have been instituted since the original act was instituted in 1996. The position requires development of a formal program that will ensure rapid implementation of new rules and regulations throughout the corporation, as well as ongoing activities that ensures this hospital is maintaining its compliance with all rules and regulations and actively working to reduce or to eliminate its exposure and risk in areas of non-compliance.
Reporting to the Vice President/General Counsel, you will influence, recommend and provide guidance and counsel to all leaders and staff within the hospital on HIPAA related matters.

To apply for this position click here

The simple fact is that barely a week goes by when the efficacy of the current HIPAA privacy paradigm in the new information age isn’t called into question by someone . For example:

In 2009 , a number of parents sued the Texas Department of State Health Services when they learned blood samples taken from infants for public health purposes, were used without parental consent for research. The suit finally led to the destruction of more than 5 million samples.
In February of 2010 , the not-for-profit news website Texas Tribune reported the same state program also provided hundreds of the infant blood samples to the Armed Forces DNA Identification Laboratory for the creation of a genetics database to be used for military, law enforcement and security purposes, causing further uproar.

In May of 2010 , PatientsLikeMe, a social-networking site for patients with serious and life-ending diseases ranging from depression to ALS, discovered, according to its co-founder, that it had been scraped of members’ information by an unauthorized data-collection service run by the Nielsen Co, the famous global marketing research firm. A Nielsen spokesman says it has since halted what he called a “legacy” practice.
Examples like this can be citied on and on. Issues such as these simply would not have existed in 1996 so never needed to be considered.
Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel said in a recent interview with Modern Healthcare. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

What do you think? What would you see changed about the HIPPA statutes in the Internet age? Let us know in the comments.

Dr Peel

A new survey, conducted by privacy advocate Dr Deborah Peel ‘s Patient Privacy Rights Foundation and Zogby International found that a whopping 97% of the 2,000 adults questioned want the right to control their own personal medical information and be allowed to limit with whom their “sensitive information” is shared.

Many of those surveyed want to be in control of all of their electronic medical records and have the right to limit with whom their doctors, insurance companies and even the government can allow the information to be given to. Some expressed concern that employers, researchers, ex-spouses and abusive partners may be able to get a peek at sensitive information.

In a press release accompanying the release of the survey results Dr Peel said “No matter how you look at it, Americans want to control their own private health information. They overwhelmingly believe that they are the only people in the right position to make decisions about how their information can be used. Researchers do not get a free pass.”

Dr Peel’s Austin, TX based advocacy group is calling for the creation of a “do not release” list, something that would work along the same lines as the “do not call” lists that telemarketers must abide by. 73% of those surveyed said they would sign up if such a list were ever to be created.