What the new HIPAA means for Digital Health Access - Jan/2013
New 2013 HIPAA Rules Are Here - 2013
HHS Final Guidance on Risk Analysis - 2013
NPI requirements for Medicare claims as of June/2012: As of June, 2012 providers will have to include their National Provider Identifier when submitting all claims for payment from Medicare and Medicaid or when applying for enrollment in either program, according to a Final Rule issued by the CMS. The rule will become effective 60 days after its April 27, 2012 publication date in the Federal Register. (The NPI is a 10-digit identification number, required for use in HIPAA-applicable transactions, that is used for verification as well as to curb Medicare and Medicaid fraud and abuse.)
Federal Enforcers Increasingly Impose Fines after a Breach: Federal HIPAA enforcers ask: "Did you, in good faith, do these six common-sense things that HIPAA requires you to do?"
While HIPAA provides a minimum (not an ideal) standard, if you answered 'no' to any or all of these, OCR may fine you (some of these items may apply only minimally to psychotherapists in private practice, who, for example, may not have any employees):
- Do you have documented HIPAA policies and procedures in place?
- Do you have an employee training program on HIPAA?
- Have you done an internal HIPAA risk assessment?
- Do you have employee disciplinary policies in place?
- Have you evaluated your physical, administrative, digital and technical safeguards?
- Do you implement your documented policies and procedures?
November: CMS Announces Delay in Enforcement of New Standards for Electronic Claims Submission: By APA Practice Organization Legal and Regulatory Affairs staff
This article provides a brief update in light of recent questions from psychologists about new standards for the technical format of electronic claims, known as HIPAA Version 5010: www.apapracticecentral.org/update/2011/12-08/electronic-claims.aspx.
Covered Entity Charts: Guidance on how to determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA: www.cms.gov/hipaageninfo/downloads/CoveredEntityCharts.pdf
More on whether Skype is HIPAA compliant: More information about the Skype debate is available at www.zurinstitute.com/telehealthresources.html#skype.
HITECH Penalties Lead to Insurance Policies for Privacy Data Breaches: As we approach mid-2011, reports of data breaches are increasingly common. The fines and penalties a healthcare organization might have to pay for a privacy breach, such as improperly accessed electronic medical records, can range from minimal to fatal. Privacy breaches can cost more than $200 per breach or per patient. Health care practitioners can buy a new kind of stand-alone insurance policy to shield themselves from losing too much money in such cases. Smaller organizations, such as independent practices, might face higher risks for privacy breaches because, as a solo practice or small group practice, they often do not have an informed privacy expert or security person on staff.
Confidentiality and Skype: There seems to be some confusion, fear and disagreement in regard to the issue of using Skype as part of f2f psychotherapy and counseling or as the platform for tele-mental-health, e-counseling, or tele-psychiatry. The concern is whether Skype is a HIPAA compliant platform. In her blog "Is Skype HIPAA-compliant?", patrickbarta wrote: "HIPAA says that protected health information (PHI) must be encrypted if it is sent over the Internet. Skype says that they use AES encryption, which is approved by the NSA for encryption of top secret information, so that would seem to be defensible as having encrypted PHI for HIPAA purposes." What is important to remember is that neither HIPAA law nor CMS advise on technology-specific issues, because the HIPAA Privacy Rule specifically allows for flexibility in the approach to safeguarding information. Due to the huge potential market for teleconferencing as part of telemedicine, there is tension within the industry between the manufacturers and distributors of Skype, which is free. Voyager Telepsychiatry LLC, at www.telepsychiatry.com, is an example of an established Telehealth service that uses Skype.
Health Data Breaches Hit 100 Companies - Affecting More Than 500 Patients: As of June 2010, the HHS Office for Civil Rights (OCR) has posted 100 data breaches affecting 500 or more patients. The breaches affected over 3 million people. Physical security continues to be the leading problem. Theft accounted for the lion's share of breaches. Stolen laptops accounted for 32 breaches, and paper records remain a concern.
Copy Machines and HIPAA: Yes, it is true: digital copiers have hard drive(s), and the HIPAA implications are numerous and considerable. Recent events are unfolding regarding this newly discovered HIPAA vulnerability, due to the fact that the hard drives of digital copiers may contain highly confidential mental health and other information. CBS report on the topic: www.cbsnews.com/video/watch/?id=6412572n. Pentagon alert: Department of the Navy, CIO Alert: www.doncio.navy.mil/ContentView.aspx?ID=1366. For more detailed information on the issue, go to Digital Copier Security, Inc (DCSI) at www.copiersecurity.com. For more information, contact Sean G. O'Leary, Senior Regional Analyst, Digital Copier Security, at 253-312-0452.
Confidentiality and Internet Social Networking: As more therapists have social networking profiles on Facebook, Twitter, etc., there is a growing concern that therapists may accept clients as friends on such social networking sites and may communicate via these sites. Regardless of the privacy settings on social networking sites, therapists must be aware that communication via such sites is considered neither confidential nor secure. More info at www.zurinstitute.com/socialnetworking.html#confidentiality.
Access to Records by Patients: It is important to remember that the rules for accessing records by patients are different under HIPAA than they are under CA law. Under California law, a provider has the option of providing a patient with a summary of the patient's treatment. However, under HIPAA, the patient must agree to accept the treatment summary.
Enforcement Update: Violating HIPAA is becoming more problematic than before because aggrieved patients may be able to share in monetary penalties assessed by the government. That means that there is now a fiscal incentive for turning covered entities in (to HHS) when they violate HIPAA laws.
Minimum Necessary: Following is a clarification on the "Minimum Necessary" standard for Covered Entities (CE's). In general, under HIPAA, CE's must use, disclose, and request only that amount of personal health information ("PHI") that is reasonably necessary to accomplish a task or function. The standard is not always clear and at times hard to implement. The "Minimum Necessary" standard applies to situations when PHI is used by the CE, when PHI is being disclosed to a third party, or when the CE requests information from a third party. The "Minimum Necessary" standard does NOT apply to situations such as (not an exhaustive list):
- When providing the patient with copies of records the patient is allowed access to by law;
- When the patient authorizes the disclosure in writing;
- When using or disclosing PHI that is required by law, including the mandated reporting of child, elder, and dependent adult abuse;
- When a CE discloses PHI to another health care provider for treatment purposes;
- When a health care provider requests treatment information regarding the provider's patient from another CE.
New Provisions for Business Associates Are In Effect Starting 2/18/2010: On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS). Starting February 18, 2010, all Business Associates must be fully compliant with current HIPAA Privacy and Security regulations or face penalties. This new provision expands the duties of business associates, which will require amendments to business associate agreements:
- Business Associates and Covered Entities alike now have direct responsibility and liability for breaches of 'unsecured protected health information';
- The maximum penalty for non-compliance increases to $1.5 million/year;
- Business Associates that violate HIPAA Privacy & Security can now face criminal and civil penalties. Individuals can be prosecuted;
- Business Associates must comply with HIPAA Security in the same manner as a Covered Entity;
- The HHS Secretary is required to do periodic audits of Covered Entities and Business Associates to ensure compliance;
- If you are a Covered Entity, be sure your Business Associates are aware of the new policies and procedures;
- Update your HIPAA Policy and Procedure manual to include the new HIPAA HITECH requirements;
- Review all Business Associate Agreements; based on the change in the regulations, they may require updating.
Use of Cell Phones: When some of the original HIPAA Regulations came into effect in 2003, not all cell phones were digital and some used analogue technologies that were vulnerable to interceptions. In later years almost all cell phones are digital and are generally considered a secure way to communicate with clients. Most therapists are using cell phones, and in a way it has become part of the standard of practice. Additionally, many (young) therapists and clients do not even have access to land lines, all they know are cell phones.
Breach of Unsecured Personal Health Information: New Notice Requirements: On August 24, 2009, the Department of Health and Human Services ("HHS") published an interim final rule implementing new notification requirements for breaches of unsecured protected health information ("PHI"). The rule requires covered entities to report breaches to affected individuals without unreasonable delay but no later than 60 days after discovery of the breach (and requires business associates to report breaches to their covered entities without unreasonable delay but in no case later than 60 days after discovery of the breach). Covered entities must also notify HHS within 60 days of discovery for large breaches, i.e., those affecting 500 or more individuals, and must notify HHS annually for those impacting fewer than 500 individuals. In some cases, notification to the media is required as well.
Federal Stimulus Plan, Act of 2009 Mandates Changes to HIPAA:
The biggest change involves new requirements for breach notification. Covered entities are required to notify affected individuals when a privacy breach occurs. Previously, an entity only needed to try to limit the negative effects of a breach. If the breach affects more than 500 people, the covered entity must also report the incident to HHS and the media. Notification must be given no later than 60 days after discovery of the breach, and if the breach includes 10 or more individuals with insufficient contact information, the covered entity must make a conspicuous posting on its website or provide notice in print and broadcast media. The notification requirement applies only to "unsecured" information, which is defined as protected health information that is not secured by an accredited "technology standard" yet to be defined.
The new rules also expand who is covered by HIPAA to include "business associates" of covered entities. Essentially, a business associate is an entity that wouldn't be covered by HIPAA but for its relationship with a covered entity, such as a third-party administrator who helps an employer administer its health plan. Under the new rule, business associates are subject to the security regulations and privacy requirements of HIPAA.
Another change is the mandatory audits by HHS. Before, HHS was permitted to perform audits on entities covered by HIPAA to make sure they were following the rules. The 2009 Act includes a provision requiring HHS to perform audits, which in turn could increase the number of enforcement actions.
The new act also provides an expansion of individual rights. Patients are now able to go to a doctor, pay 100% for their procedure and then notify the doctor that they want to limit the disclosure of their information and say it cannot be provided to their health insurer. Additionally, an employee might choose to keep information such as drug counseling private in this way.
Another change is in regard to the 'Minimum necessary' rule. Previously, under HIPAA, the "minimum necessary" rule instructed covered entities that if they were using or disclosing protected information for any reason, the use or disclosure should be kept to the minimum amount necessary to accomplish the intended purpose. Entities had a good deal of discretion in this area, but not according to the new rules. Under the new Act, the disclosure and use of protected information must be limited to a "limited data set", which is largely information with the patients' identifying information removed, "to the extent practicable." This is another area where HHS is scheduled to issue further guidance.
Another change is the inclusion of a provision that allows state attorneys general to bring HIPAA enforcement actions. The provision allows state AGs to bring a civil action in federal court to enforce both the privacy and security provisions of HIPAA and seek damages on behalf of state residents. Along the same line of thought, covered entities that violate HIPAA are now subject to a $1,000 per violation penalty (up from $100 per violation), and the maximum annual penalty has increased to $100,000 from $25,000. Both civil and criminal penalties now apply to business associates as well.
HIPAA, FERPA, and Student Health Records: Due to some confusion among health care professionals and school administrators throughout the country, the U.S. Department of Education and the U.S. Department of Health and Human Services have issued a joint guidance (November 2008) on the application of two federal acts, the Family Educational Rights and Privacy Act (FERPA) and HIPAA, in regard to student health records.
Generally, the HIPAA Privacy Rule specifically excludes from its coverage educational records that are protected by FERPA. FERPA protects the privacy of students' "education records", which also include certain students' health records. To read more about the 2008 clarification, please go to the Nov. 2008 document titled Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records.
Stolen Laptops and HIPAA - New HHS Enforcement Effort: In one of the few enforcements of HIPAA by Health and Human Services so far, a Seattle company that provides home health care services was forced, in mid-2008, to pay a $100,000 settlement because laptops, disks and tapes containing individuals' health records were taken from company employees' cars on 5 occasions in 2005 and 2006. The agreement seems to signal that HHS is finally taking a tougher stance toward violations. This may have started a shift from the educational approach they have taken so far to an enforcement mode. This HIPAA enforcement action suggests that psychotherapists who carry patient records with them are at risk for security violations and may be held legally and ethically accountable for security and privacy breaches. See also Transporting Confidential Clinical Records in Laptops: Heads up to Psychotherapists & Counselors.
The New HIPAA Enforcement Rule: A new HIPAA Enforcement Rule explains the circumstances under which a therapist could be held responsible for HIPAA violations by their employees, members of their workforce, trainees or business associates, such as a billing service or accountant. Some ways to protect oneself are to have good training for employees and other members of the workforce and solid Business Associate Contracts with billing services and other business associates. Therapists will not be protected if they are aware that their business associates are violating the privacy or security obligations under their contracts and fail to take reasonable steps to remedy the problem. Generally, being prudent and attentive to HIPAA rules can help avoid the HIPAA wrath even when one makes some understandable mistakes and takes reasonable steps to correct the situation. The entire text of the enforcement rule, including ways that therapists may defend themselves, is available at http://www.hhs.gov.
National Provider Identifier (NPI):
- As part of mainstreaming the process of electronic claims, HIPAA mandates that all individual practitioners, who are covered entities, should obtain a National Provider Identifier by May 23, 2007.
- The use of standard identifiers is one of HIPAA's key elements, and I recommend that all therapists obtain an NPI.
- The NPI is a 10-position numeric identifier for each provider or therapist and is akin to a Social Security Number or an Employer Identification Number.
- All insurance companies dealing with therapists will use this single NPI for each therapist.
- Psychotherapists in private practice will receive their own NPI, as any other health care provider does. But, practitioners who are employed by clinics, agencies and counseling corporations will use the NPI that the organization has been assigned.
- Covered Entities, under HIPAA, will have until May 23, 2007, to obtain their NPI, as they will be mandated to use their NPI in all covered transactions by the 2007 deadline.
- Therapists who receive reimbursement from Medicare or other federal or state programs, such as Federal Employee Health Benefit Plans or Victims of Crime, should consider getting an NPI sooner rather than later, regardless of whether they submit claims electronically or by mail.
- Any therapist who deals with insurance companies, whether electronically or not, is likely to benefit from having an NPI, which will become the standard identifier for practitioners.
- While covered entities must obtain the NPI, a therapist, who is not a covered entity, may also obtain it (in fact is highly advised to do so).
- Obtaining an NPI does not turn a therapist, who is not a covered entity, into a covered entity.
- Once a therapist is assigned a number it will stay with him/her for life. It would be de-activated only when the therapist retires or dies.
- To apply: www.cms.hhs.gov/NationalProvIdentStand/03_apply.asp. It takes about 10 minutes to complete the online application.
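The NPI is described above (and in the June/2012 Medicare claims item) as a 10-digit number used for verification on claims. Its last digit is a check digit: per the CMS NPI specification, the check digit is the Luhn check digit computed over the 9 identifier digits prefixed with the constant "80840" (the ISO healthcare-application prefix), which is why an NPI can be validated offline before a claim is submitted or an enrollment record is accepted. The validator below is an added example, not code from the page or from CMS; the sample identifiers are constructed, and the only external fact it relies on is that "80840" prefix rule. The `batch_validate` helper is a hypothetical name for the claims-intake use case.

```python
"""Validate National Provider Identifiers (NPIs) with the Luhn check digit.

Assumption (CMS NPI specification): the 10th digit of an NPI is the Luhn
check digit of the 14-digit string "80840" + first 9 digits of the NPI.
"""

from typing import Dict

ISO_HEALTHCARE_PREFIX = "80840"  # constant CMS prepends before computing Luhn


def luhn_check_digit(digits: str) -> int:
    """Return the Luhn check digit that, appended to `digits`, yields a valid Luhn number."""
    if not digits.isdigit():
        raise ValueError("digits must contain only 0-9")
    total = 0
    # Walk from the rightmost payload digit; every other digit (starting with
    # the rightmost one, since the check digit will be appended) is doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of a 2-digit product
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Compute the check digit for the first 9 digits of an NPI."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("first_nine must be exactly 9 digits")
    return luhn_check_digit(ISO_HEALTHCARE_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True if `npi` is 10 digits whose last digit is the correct check digit.

    Only the format and check digit are verified; this does not confirm that
    the NPI is actually assigned to a provider (that requires the NPPES registry).
    """
    npi = npi.strip()
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


def batch_validate(npis) -> Dict[str, bool]:
    """Hypothetical claims-intake helper: map each submitted NPI to its validity."""
    return {n: is_valid_npi(n) for n in npis}


if __name__ == "__main__":
    # Constructed sample input: one well-formed NPI, one with a transposed pair
    # (a typo Luhn is designed to catch), one too short, one with letters.
    sample = ["1234567893", "1234567983", "123456789", "12345678A3"]
    for npi, ok in batch_validate(sample).items():
        print(f"{npi!r}: {'valid' if ok else 'INVALID'}")
```

The check catches single-digit errors and most adjacent transpositions, which is what you want at claims intake: rejecting a mistyped identifier early is cheaper than having Medicare or Medicaid reject the claim. A check-digit pass is not proof of enrollment; pair it with a registry lookup where that matters.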
Dealing With HIPAA Violators: As of 2006, the feds continue to take an educational, corrective approach to HIPAA in dealing with those who violate the law. As long as there is no clear criminal or malicious intent or intentional disregard for HIPAA law, they seem to work with the violators to fix the problem. HHS would like to see "reasonably diligent efforts to understand and comply with HIPAA rules." Merely stating that one did not know s/he was in violation would not be an adequate defense. As far as clinicians are concerned, basic HIPAA knowledge and basic forms, such as the simple HIPAA Notice of Privacy Practices form, and basic computer protections (firewall, password, virus protection, etc.) probably provide a basic indication that an attempt to be compliant was made. See below for compliance list.
Grievances: As of mid 2006, about 20,000 grievances, primarily regarding disclosures, have been filed and investigated by HHS. The most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records. So far the feds have been investigating only as a response to filed complaints and do not conduct their own inspections.
California AB 3013 (Koretz) Medical Information, Disclosures: As continuing proof that states' laws are changing to comply with and match HIPAA law, California introduced AB 3013 (Koretz) Medical Information: Disclosures. This bill strengthens patient confidentiality laws by conforming California law to provisions of HIPAA. It limits the release of patient information, provides the patient the opportunity to prohibit such a release, and permits the health care provider to make judgments regarding releases in emergency situations.