Friday, September 30, 2011

HIPAA SCHMIPAA. This is a cake walk. (HIPAA HITECH YOUR TECH Part 2)

HIPAA compliance can almost be this easy.
HIPAA, SCHMIPAA.

No, that's not another acronym you've got to learn.   It's a dismissive slur.

Really.  THE TECH ASPECTS OF THIS ARE NOT INSURMOUNTABLE.

These regulations ARE a lot of fairly reasonable guidelines that should ultimately put your practice, your clinic, or your hospital in much better shape.   (Okay, yes, there's an abundance of governmental, "legalese" language in there too...)

And okay, so calling it a cake walk is possibly an overstatement.   Cake walks are no-brainers: you keep getting back in line, and eventually you're going to get a cake.

With HIPAA & HITECH, you've not only got to get in line, you've got to do a little heavy lifting, a lot of homework, and a decent amount of paperwork.

So let's get to it.   HERE'S WHAT WE'RE GOING TO COVER IN THE FOLLOWING ARTICLES:

1. What you've got to do
2. How to do it.

Simple.

Step 1.   What's your primary I.T. goal as it relates to HIPAA?

ANSWER: PREVENT BREACHES OF Protected Health Information (PHI).

Okay, first off, how do you define the word "Breach"?

HITECH ACT, SEC. 13400. DEFINITIONS.

Read the whole act here or jump straight to the definition of breach here
In this subtitle, except as specified otherwise:
(1) BREACH.— (A) IN GENERAL.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Second, how thoroughly should you work to prevent breaches?  

According to the Office of Civil Rights:
Read the whole companion document here
SAFEGUARDS PRINCIPLE: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

and
Read the source here 
HIPAA, § 164.306 (b) – Flexibility of approach
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

And oh, what is PHI again?

Basically, it's almost any kind of information about patients that could be used to figure out who your patient is.

Specifically, there are 18 pieces of data that make it up.   We'll write in gross detail about that later, but here's the best explanation I've seen yet: http://www.hipaa.com/2009/09/hipaa-protected-health-information-what-does-phi-include/


So, a gross summary of this 1st BIG POINT is that YOUR JOB, as a healthcare provider or a vendor to healthcare providers, is to keep the wrong people from finding out anything about your patients.   SEEMS FAIR.


Now, for the zillion dollar question:

Step 2.   What steps should we take to prevent breaches of PHI (and pass an audit...)?

THE SINGLE BIGGEST POINT WE CAN MAKE HERE IS THIS.....

DO A RISK ASSESSMENT. 


If you're ready to read on, though, here's a simple to-do list of things you can do to get a HUGE chunk of your HIPAA / HITECH issues out of the way & put to bed:


USE 164.308 implementation specs as a TO DO LIST:

- Do a risk analysis
    - Internal Audit / Self-Assessment
- Risk management
    - DO SOMETHING.   Address Self-Assessment results.
- Sanction policy
    - Make your employees know this is serious & get their help.
- Regular Information Systems activity review
    - Audit, review, and improve.
- Procedures for Vendors, H.R. & I.T. interaction
    - ...including a termination policy with I.T. steps
- Security awareness and training
    - Guard against malicious software
    - Log-in monitoring
    - Password management
- Create good contingency plans – including backups, Disaster Recovery & emergency ops
- Use Business Associate Agreements



Sounds simple, right?    Most for-profit businesses do the same stuff.   It's certainly basic stuff that Turn Key Solutions, LLC has taught our clients to do since 1999.

So, how do you do each step?

Stay tuned!

I'll walk you through each piece of this, and a lot more, in pretty deep detail.

Need a jump start?   Call me!  (225) 751-4444.   I'll be glad to answer your questions.

Need to back up?  Here's our primer on HIPAA / HITECH
PS: Good resources:
HIPAA SECURITY SERIES,  Part 2 - Security Standards: Administrative Safeguards
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

Tuesday, September 20, 2011

HIPAA, HITECH & YOUR TECH

So tomorrow, 9/21/2011, I'm presenting the first of a series of lunch & learns titled  "Hipaa, Hitech & Your Tech."

As the title hints, we're talking about the specific tech things that Business Associates (BAs) and Covered Entities (CEs) need to do to assist in their HIPAA / HITECH compliance strategy.


Here's a brief summary of what we're going to cover, and an overview of what I'll lay out in this blog, as well:

A. Being HIPAA / HITECH compliant is doable.   Possible.  Not an insurmountable mountain.

B. Being HIPAA / HITECH compliant is required.  The immortal words of Yoda may be haunting you:  "Do or do not.   There is no try."

He's right.  You gotta do this.  Don't play with it.  Just do it.

C. There are tactical points in the HIPAA, HITECH, OCS & other documents that you can hang your hat on and work with.

D. There really aren't zillions of laws you need to read to understand the basic intent & requirements of the HIPAA & HITECH laws.

E. You probably do need to get a little help with this, but it doesn't have to cost you an arm and a leg.


Let's start with a quick summary of what you're facing, and what's at stake for CEs and BAs with HIPAA / HITECH.

So, here's the good I see coming out of all of this, along with the bad and the ugly:

THE GOOD:
  1. HITECH ACT Grants offer possible +/- 44k over 5 years
  2. Medicare Incentive for meeting Meaningful use w/ EMR
  3. Healthcare info (PHI) will (probably) be more secure.
  4. Healthcare will get measurably better??


THE BAD:
  1. Choosing the wrong EMR can cost you more than 44k.
  2. Financial penalties for anyone that touches PHI
  3. Legal fees the Attorney General levies!
Ug.  You put my client's PHI on Facebook.
Me sue you now.  Ug.

AND THE UGLY:
  1. February 17th, 2010 – BAs became subject to HIPAA regulations
  2. February 17th, 2011 – mandatory civil penalties for violations involving “willful neglect” for BAs AND CEs.
  3. February 17th, 2012 – Complainants will share in collected civil monetary penalties.   (Can anyone spell "Class Action Lawsuits out the Wazoo"?)




In our humble opinion, those are the big highlights of what's on the table with HIPAA / HITECH.