New HIPAA rules: Make sure you are in compliance because your liability has increased

Healthcare providers have until September 23 to put into place internal policies and procedures needed to comply with sweeping changes coming to the Health Insurance Portability and Accountability Act (HIPAA).

In January, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. HHS has made it clear that the September 23 compliance deadline is final. Penalties can range from $100 to $1.5 million depending on the violation.

For primary care and other physicians in private practice, compliance will mean:

  • conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;

  • reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;

  • ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);

  • modifying the practice’s  electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;

  • having the ability to send patients their health information in an electronic format;

  • reviewing your contracts with any vendors that have access to your practice’s PHI; and

  • updating your practice’s notice of privacy practices.

Other provisions

Other provisions of the omnibus rule include restrictions on selling PHI or using it for marketing and fundraising purposes without obtaining the patient’s permission and loosening some of the restrictions on sharing PHI with family members or other caregivers of deceased patients. Disclosure is only permitted, however, to the extent that the PHI is relevant to the role the family member or caregiver played in the decedent’s treatment. Moreover, release is not permitted in cases in which the individual expressly stated before death that he or she did not want the PHI released.

The omnibus rule also permits doctors in states with compulsory vaccination laws to disclose a child’s immunization records to schools without obtaining formal authorization from parents. Physicians now can do so with only a verbal agreement, provided they document that they obtained the permission. Lastly, the rule prohibits health plans from using or disclosing genetic information for the purpose of insurance underwriting.

The rule also sets and describes the four categories of penalties for violating the rules and the dollar amounts for each.

The omnibus rule is the latest step in a process that began when Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Among other provisions, the HITECH Act required HHS to strengthen HIPAA’s privacy and security protections for health information. HHS adopted interim rules for doing so in 2010 and finalized the rules with adoption of the omnibus rule.

Growth in EHRs drive changes

Driving many of the changes in the omnibus rule is the proliferation of EHRs and the accompanying digitization of patient information, says Jeffrey J. Cain, MD, FAAFP, president of the American Academy of Family Physicians (AAFP).

“The [original] HIPAA legislation is 15 years old now and was enacted at a time when EHRs were nothing more than a gleam in Microsoft’s eye, but now everyone’s using them, and the rules were seen to be in need of tightening up,” he says.

Angela Dinh Rose, director of health information management excellence for the American Health Information Management Association, says, “HITECH was a huge factor in pushing the adoption of health information technology, so along with that, Congress saw the need for improved privacy and security practices to protect patient information now that so much of it is becoming electronic.”

According to a study of breaches reported on the HHS Web site by Kaufman Rossin & Co., an accounting and consulting firm based in Miami, Florida, the number of individuals affected by data breaches doubled from 2010 to 2011, even though the number of entities involved in a breach declined (see “Summary of health breach information reported to HHS, 2010 to 2011,” below). The largest cause of breaches was theft (53%), followed by unauthorized access (20%) and loss (14%).

New rules for data breaches

The changes likely to have the greatest effect on medical practices are those concerning how PHI should be secured and kept private and what practices must do in case of a  breach—meaning the PHI is lost, stolen, or otherwise made available to someone who should not have it. Why? Whereas before the omnibus rule, breaches only had to be reported if they involved a “significant risk of harm,” now the presumption is that virtually any unauthorized disclosure of PHI may be a breach, unless the practice can demonstrate a low probability that the information has been compromised, explains Kenneth Rashbaum, JD, a health law attorney with Rashbaum Associates in New York, New York.

“These changes are a big deal because  the standard [of what constitutes a reportable breach] is much lower, and as a result there’s now a presumption of harm to the patient by virtue of the breah by the entity that made the disclosures,” Rashbaum says.

Given the new standard, the most important action practices can take to protect themselves against penalties, experts emphasize, is to encrypt patient data, both within the practice itself and when they are taken outside the practice in a laptop computer, smartphone, or other portable device.  Why? “In the [omnibus] rule now, they’re defining a breach as the loss of unsecured PHI,” explains Juli A. Ochs, CPA, healthcare engagement director for the consulting and accounting firm CliftonLarsonAllen LLP. “So anything that renders the data ‘unusable, unreadable, or undecipherable’ is now not considered a breach.”  (See “Encrypting your patient’s health information” below for suggestions on how to encrypt data in a way that meets HHS requirements.)

Determining risk of harm

Whenever a breach does occur, it is presumed to be reportable to HHS unless the practice can demonstrate a low risk of probability that the PHI will be compromised, meaning that anyone will be harmed as a result. Demonstrating the risk contains four components:

  • The nature and extent of the data involved. “Was the information just a list of patients? Did it include identifying data like Social Security numbers or other financial information? Were there intimate medical or psychotherapy records? Those are the types of questions that need to be asked,” says Aldo Leiva, JD, a data security and privacy attorney in Coral Gables, Florida.

  • The unauthorized person who used the PHI or to whom it was disclosed (something you can’t know if the breach resulted from a device being lost or stolen).

  • Whether the PHI was actually acquired or viewed.

  • The extent to which the risk has been mitigated after the fact. An example, Leiva says, might be having a contractor to whom the PHI accidentally was sent sign a non-disclosure agreement.

In addition, the rule requires practices to notify patients whose PHI has been breached within 60 days of discovery of the breach. If the breach affects more than 500 patients, then HHS and the local news media must be notified within the same 60-day timeframe. Practices must keep a log of all breaches regardless of the number of patients affected, and they must submit the log annually to HHS.

Another requirement of the rule is that practices and other covered entities conduct a risk analysis. The purpose of the exercise is to discover where the practice might be vulnerable to having its patient information lost or stolen—through theft of a laptop computer on which data are stored, for example—and putting in place policies and procedures to reduce those vulnerabilities.

“People get overwhelmed by this, because they think it needs to be a formal process,” Ochs says, “but it can be just everyone in the practice sitting down to talk about where are we vulnerable, assessing the risk of each vulnerability, deciding how to address it, and then documenting that they’ve gone through the process.”

In addition, practices should appoint a privacy and security officer with the responsibility for making sure the practice has policies and procedures for complying with the rules and that staff members are trained in them. Practices can—and often do—assign the responsibilities to a current employee rather than hire someone new, Ochs says. “The main thing is just that it’s assigned,” she adds.

Violators of the privacy and security rules will be fined in amounts ranging from $100 to $50,000 per violation (see “HIPAA rule violation categories and penalty amounts”). The maximum a practice or other covered entity can be fined in a year is $1.5 million.

Relations with business associates

After changes to the PHI security and breach notification rules, the omnibus rule changes of greatest interest to practices are those affecting their relationships with “business associates,” vendors that have access to a practice’s PHI. Such vendors are now directly responsible to HHS for securing and guarding the privacy of PHI in the same way that practices are, and they are subject to the same penalties.

“Before [the omnibus rule], physicians and medical organizations might be protecting patient data the way they were supposed to, but their third-party providers were not obligated except under the terms of their contract with the providers,” notes Jorge Rey, CISA, CISM, director of security and compliance for Kaufman, Rossin & Co. “Now the rules say that if you have access to patient healthcare-related information, you need to comply with all the privacy requirements.” The rule also puts subcontractors to practice vendors under HHS jurisdiction.

The increased responsibility of business associates does not let doctors off the hook entirely. That’s because even if the business associate loses PHI or has it stolen, the medical practice ultimately is responsible for notifying affected patients and reporting the breach to HHS.

Leiva notes that many health information technology (HIT) vendors and consultants include boilerplate language in their contracts absolving them from liability for data loss. Consequently, he advises reviewing all contracts with HIT vendors to ensure that their wording conforms with the omnibus rules governing relations between covered entities and their business associates. (A sample business associate agreement is available from the government at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contr…)

Greater patient control

The third part of the omnibus rule affecting doctors’ practices concerns patients’ rights related to their own health information.

The rules gives patients the right to:

  • obtain copies of their health information in an electronic format within 30 days of requesting it, with one 30-day extension permitted, and

  • instruct his or her doctor not to share information about a test or treatment for which the patient has paid out-of-pocket with his or her insurance company.

In addition, the rule requires practices to update their notice-of-privacy practices (NPPs) to reflect the changes to patients’  rights included in the omnibus rule and requires sending the updated NPP to all patients and posting it prominently in the practice and on the practice’s Web site.

Complying with the changes likely will be challenging for doctors due to the limitations of EHR systems. “EHRs were designed so that you could share information easily between healthcare providers and insurance providers,” notes the AAFP’s Cain. “Now we have this law saying that if a patient pays cash, the condition won’t be revealed to insurance providers, which is problematic for the way most EHRs are built.”

The design of EHRs also makes it difficult to share information with individuals who don’t have EHRs, Cain notes. “That’s going to be a problem and something the vendors will have to help us with,” he says.

In the meantime, possible alternatives include joining a private health information exchange network or a one of the regional or statewide networks many states are establishing. Regional extension centers and state and local medical societies are good sources of information about health information exchange networks.

Doctors should ask their EHR vendors about a timetable for implementing a function that allows them to meet the requirement by the September 23 deadline, advises Lisa Gallagher, CISM, vice president of technology solutions for the Healthcare Information and Management Systems Society.  If a vendor won’t be ready to provide such a feature, then the practice will have to still find a way to meet the requirement, maybe through a different way of recording the patient’s data until the function is available, Gallagher says.

“Sometimes regulatory requirements are misaligned,” she adds. “What’s happened here is the requirement for the provider to do something, and the requirement hasn’t made its way down to the vendor. But the important thing for everyone to realize is that HHS has said this requirement is going into effect and you have to meet it.”

Cain says that most AAFP members understand the need to provide patients with greater control over who can see their information and the need to guard confidentiality generally. Nevertheless, “it does add another layer of administrative complexity to managing an office practice,” he says.

 “All the rules are well-intentioned, but they may interact in ways that aren’t understood when they are developed,” Cain adds. “The law of unintended consequences is challenging for office-based physicians.”


What would you like to know about HIPAA? Post your questions to our Facebook page at www.facebook.com/MedicalEconomics or email us at medec@advanstar.com. We’ll present answers in future articles.


HIPAA rule violation categories and penalty amounts

The Health Insurance Portability and Accountability Act omnibus rule establishes four “tiers” of violations, based on what it terms “increasing levels of culpability,” with a rage of fines for each tier.

Violations of the same requirement or prohibition for any of the categories are limited to $1.5 million per calendar year.

The language of the rule states that actual dollar amounts will be based on “the nature and extent of the violation, the nature and extent of the resulting harm, and other factors…includ[ing] both the financial condition and size of the covered entity or business associate.”

HIPAA survival is not difficult. It just requires good comprehension.

how-to-improve-patient-education-denteractive

You can take this bet: Try finding out from any healthcare industry professional what she considers the biggest professional challenge of hers, and HIPAA survival would surely not miss out from any healthcare professional’s list. Why? Simply because HIPAA audits are complex.  Period.

So, is the toughness and complexity of HIPAA audits such that one should run away from it? Healthcare professionals are not given this option. They have to mandatorily carry out HIPAA audits in such a way that it satisfies the regulatory authorities. This needs a thorough understanding of the exact meaning and import of words contained in HIPAA. In addition, carrying out successful HIPAA audits, which is what HIPAA survival essentially is all about, requires the healthcare professional in the organization in which HIPAA audits take place, to get a grasp of the purpose and intent conveyed in HIPAA’s language.

This thorough understanding of the meaning and intent of what is contained in HIPAA is absolutely essential for both the Covered Entity and the Business Associate to ensure HIPAA survival.

One challenge upon another

And, in addition to the already existing complexity in HIPAA, which many healthcare professionals consider as an obstacle to HIPAA survival; an additional step has been hemmed into HIPAA audits. It is this: For 2017, the federal government is set to increase the Office of Civil Rights (OCR)’s budget by a good 10 percent. This is being done with one simple intention: To increase the OCR’s resources for carrying out HIPAA audits and to also reinforce the OCR’s efforts towards HIPAA audits.

This is not all. HIPAA survival has been made even more difficult, as the OCR now requires Business Associates and Covered Entities to show compliance with around 180 areas as part of Phase 2 of HIPAA. The time given for response: A mere 10 days.

Any Business Associate or Covered Entity which thinks that these are all to the additional aspects of HIPAA survival are mistaken. Yet another issue compounds the misery of the whole task of HIPAA survival: The OCR’s audit protocol is no longer going to be satisfied with general and vague references to policy documents when they are required to furnish documents to corroborate their work. They have to furnish the specific and exact documents that the OCR asks for during a HIPAA audit. Isn’t HIPAA survival a really tough ask for Covered Entity or a Business Associate?

No room for relaxation

The OCR expects complete and total adherence to its requirements, no matter how tough they may seem. Just a little slackening of effort anywhere down the line can severely impede the preparation for Phase 2 HIPAA audits. This is bound to result in serious issues for the Covered Entity and Business Associate, who simply cannot drop guard even for a second.

If there was any feeling that anyone who is subject to a HIPAA audit can relax a trice, all that has been destroyed by the OCR’s decisions on HIPAA audits for 2017. Its additional measures mean that HIPAA survival is real and serious. To ensure HIPAA survival, Covered Entities and Business Associates need to put a process in place and make sure they control and implement it with the maximum assiduousness and thoroughness. This is to be ensured all the time, every time.

An opportunity to learn what it takes for HIPAA survival

Given the severity of HIPAA survival, it is necessary for those who are subject to HIPAA audits, especially Covered Entities and Business Associates, at whom the new regulations are primarily aimed, to understand the art of HIPAA survival.

This expert guidance is what a two-day seminar from GlobalCompliancePanel, a highly popular provider of professional trainings for the areas of regulatory compliance, will be offering. Please visit HIPAA survival is not difficult. It just requires good comprehension to register for this seminar.

The Director of this two-day seminar is Brian L Tuttle, a senior Compliance Consultant & IT Manager at InGauge Healthcare Solutions. The aim of this seminar is to arm regulatory compliance professionals with total guidance to about how practice managers need to prepare for HIPAA audits. Since many changes have been suggested for 2017 for HIPAA; Brian will throw light on what changes can be expected under the Omnibus Rule and any other applicable updates for 2017.

The Director will explode the various misconceptions and myths about HIPAA, which are a major obstacle to ensuring HIPAA survival. He will explain real life audits conducted by the Federal government to explain HIPAA survival.  He will also illustrate which the highest risk factors for being sued for wrongful disclosures of PHI are, and the manner in which patients are now using state laws to sue for wrongful disclosures.

During the course of this seminar, Brian will cover the following areas:

  • History of HIPAA
  • HITECH
  • HIPAA Omnibus Rule
  • How to perform a HIPAA Security Risk Assessment
  • What is involved in a Federal audit and how is it conducted
  • Risk factors for a federal audit
  • EHR and HIPAA
  • Business Continuity/Disaster Recovery Planning
  • Business Associates and HIPAA
  • In depth discussions on IT down to the nuts and bolts
  • BYOD
  • Risk factors that can cause an audit (low hanging fruit)
  • New rules which grant states ability to sue citing HIPAA on behalf of a patient
  • New funding measures

 

All about HIPAA compliance

all-in-one-HIPAA-Compliance

HIPAA compliance is a must for Covered Entities and their Business Associates. It is a sine qua non requirement from the Department of Health and Human Services (HHS), a US federal department that is charged with the responsibility of enhancing and protecting the wellbeing and health of all Americans. It provides the means for bringing about effective health, as well as human services. Its mission is to engender improvements and developments in the fields of public health, medicine and social services.

The HHS requires complete compliance with its laws by a Covered Entity and its Business Associate. The HHS’ Office for Civil Rights (OCR) considers Covered Entity as one that is involved in generating, storing, receiving or transmitting electronic Protected Health Information (PHI). A Business Associate is one that does all these on behalf of its affiliated CE. HIPAA compliance is mandatory because the nature of information that Business Associates carry with them –Protected Health Information –is of a highly confidential and sensitive nature. Not only that; when there is a breach of data on the part of the Business Associate or the Covered Entity, it results in huge costs by way of damages. Data breaches also carry a bigger penalty: They dent the reputation of the business, something no money can compensate.

Locating the source of data breach

Most of the patient information breaches take place at the Business Associate’s end. This makes compliance with HIPAA compliance rules by BA’s all the more important. The basic reason for which most such breaches take place is the many misconceptions that abound among healthcare organizations about the nature of the HIPAA privacy and security regulations. What these regulations are, what they mean to healthcare organizations, and the steps that the healthcare organizations, Covered Entities and their Business Associates need to do –all these are areas of considerable confusion.

It is to equip professionals from the healthcare industry with the complete knowledge needed to understand and implement HIPAA compliance that GlobalCompliancePanel, a highly popular provider of professional trainings for all the areas of regulatory compliance, will be organizing a two-day seminar.

A complete roundup of HIPAA compliance

Senior healthcare professional Jim Wener, who brings four decades of experience in the industry and has been assisting providers and payers in identifying their automation requirements and helping them select and successfully implement the ideal automation for their needs, will the Director of this seminar. To gain the benefit of the vast experience that Jim brings and to ensure total HIPAA compliance for your organization; please register for this seminar by logging on to http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900874?wordpress-SEO.

Questions, questions, questions

At this seminar, Jim will take the participants through HIPAA compliance from start to compliance. He will provide answers to all the questions that Business Associates and Covered Entities face during the process of ensuring HIPAA compliance. He will show what healthcare organizations need to do to secure their healthcare information.

Some of the questions that he will seek to answer include:

Do the HIPAA regulations apply to the organization? What risks does the organization face, and how does it mitigate these risks? What is it that the organization is required to do, and how is this done? Is there a role assigned for and expected of the organization’s computer resources in assessing and managing HIPAA compliance risks? What is the level of safety that the healthcare organization’s computer and paper patient information carry? Is there a way by which the organization determines if its computer resources provide the needed features and functions for the organization to become compliant?

Diligence can lessen the severity of penalties

These are just some of the questions for which Jim will seek to provide answers. Framing these questions and answering them is a watertight means to developing and executing a compliant plan. This in turn is critical to ensure that the organization takes the right path in ensuring HIPAA compliance. A breach is a very bad thing to happen for an organization, but diligence that the organization has showed in protecting patient information will go a long way in mitigating penalties. This is one of the prime reasons for which attendance at this seminar is necessary.

  • What is HIPAA, who is covered and what is HIPAA Compliance
  • Why the healthcare organization should be concerned about HIPAA compliance
  • How to perform a HIPAA Risk Assessment
  • How to prepare HIPAA Policies and Procedures
  • How to perform HIPAA Training
  • What is IT’s role in the healthcare organization’s HIPAA Compliance
  • How to prepare a Business Continuation/Disaster Recovery Plan
  • How to handle a potential HIPAA Breach.

https://www.hhs.gov/about/index.html

 

Today’s Article on Understanding the HIPAA Privacy Rule, Security Rule and Breach Notification Rules and their compliance

The Health Insurance Portability and Accountability Act (HIPAA)’s Privacy, Security, and Breach Notification Rules are aimed at protecting the privacy, as well as the security aspects of health information. This set of rules has the intention of providing individuals with some rights on information relating to their health.

This is how the three rules need to be understood:

The Privacy Rule: Sets out standards about the conditions to be met for using and disclosing Protected Health Information (PHI). This Rule applies nationally.

The Security Rule: Specifies the kinds of safeguards that Covered Entities and Business Associates have to put in place and implement for protecting electronic Protected Health Information (ePHI) and ensure that they remain confidential and are made available when required, and have integrity.

The Breach Notification Rule: Covered Entities have to report breach of unsecured PHI to the affected individuals and the HHS. In some situations, this has to be reported to the media, as well. The Breach Notification Rule has details on how this is to be done. Generally, a window period of 60 days is given from the date of detection of the breach. Small breaches, meaning breaches that affect lesser than 500 individuals, may be directly reported to the HHS annually.

Purview of the HIPAA Privacy Rule and Security Rule

Privacy Rule: HIPAA Privacy Rule has standards on how to protect PHI held by the following: Health plans, healthcare clearinghouses, healthcare providers; part of whose healthcare transactions are carried out electronically, and Business Associates

Security Rule: HIPAA Security Rule sets out standards and guidelines on the steps that Covered Entities and Business Associates have to take to ensure that Protected Health Information is confidential, has integrity and is made available when needed. The Security Rule describes how these qualities in the ePHI created, maintained or transmitted by them.

Knowledge of all these aspects is very necessary if the Covered Entity or Business Associate has to ensure HIPAA compliance. The task of HIPAA compliance does not become possible with just a reading of the rules and the procedures. Expert advice on how to actually implement the requirements is needed.

This is what a two-day seminar from GlobalCompliancePanel, a leading provider of professional trainings for the regulatory compliance areas, will offer. At this seminar, Jim Sheldon Dean, Director of Compliance Services, Lewis Creek Systems, LLC, will be the Director.

In order to gain complete understanding of the HIPAA Privacy Rule, Security Rule and the Breach Notification Rules, and to understand ways by which to ensure compliance with them in a way that satisfies the regulatory authorities, please register for this seminar by logging on to http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900754?linkedin-SEO .

Jim Sheldon Dean will explain the requirements of HIPAA, how to prevent incidents, and how to survive audits, so that penalties can be avoided. He will offer an explanation of the background to HIPAA, and detail what a manager of healthcare information privacy and security has to know about the most important privacy and security issues. He will also show how to ensure HIPAA compliance, and explain the consequences of inadequate HIPAA compliance.

This seminar will provide in-depth understanding on the major aspects of HIPAA compliance, such as:

o  The new features of the regulations

o  The recent changes

o  The aspects that Covered Entities and Business Associates need to address if they have to remain compliant.

Learning on all aspects of HIPAA Privacy Rule, Security Rule and Breach Notification Rules

Jim will also explain audits and enforcements. He will also describe privacy and security breaches and explain how to avoid them. He will enrich the learning by providing sample documents and references.

Jim will cover the following areas at this two-day session:

o  Overview of HIPAA Regulations

o  HIPAA Privacy Rule Principles, Policies and Procedures

o  Recent and Proposed Changes to the HIPAA Rules

o  HIPAA Security Rule Principles

o  HIPAA Security Policies and Procedures and Audits

o  Risk Analysis for Security and Meaningful Use

o  Risk Mitigation and Compliance Remediation

o  Documentation, Training, Drills and Self-Audits.

https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf

Breaking down the rules into steps makes HIPAA compliance less complicated

HIPAA compliance is a legal requirement for Business Associates and Covered Entities. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with two main intentions:

o  To enable employees to keep their insurance intact when they switched jobs or their insurance provider

o  To facilitate the payment and information process by putting in place a uniform code for these.

From its start, up to 2013, HIPAA has undergone a few changes, such as:

o  The privacy regulation additions of 2003;

o  The insertion of the HIPAA Security Rule in 2005;

o  The passage of the HITECH Act in 2009, and

o  The addition of the Omnibus Rule in 2013, with the intention of extending liability to Business Associates

With the insertion of these additions, HIPAA compliance has become more and more demanding and complex, or at least that is what most entities who are required to comply with it feel. Most Business Associates and Covered Entities have issues with the following areas of HIPAA compliance:

–       The 18 identifiers that Protected Health Information (PHI) consists of; with the name, full face photos, e-mail address, and date of birth of the patients being some of their constituents

–       The requirement of designation, by every organization or practice, of a privacy officer, who has to carry out a risk analysis

–       The requirement, as part of HIPAA compliance, of covered health care providers and health plans, of developing and distributing a notice, in which the privacy rights and practices relating to patients’ personal health information have to be clearly explained.

Despite these requirements, HIPAA compliance is not as difficult as it seems

The reality, however, is different. HIPAA compliance is not as complicated and difficult as it is thought to be. At first glance, these requirements may appear to be intimidating. Yet, when it comes to practical application, HIPAA compliance is not really all that cumbersome or difficult. All that is needed is a clear-cut understanding and explanation of the major sections on compliance.

This clear-cut understanding of the major sections on which many Covered Entities and their Business Associates face difficulties is the intention of a seminar that is being organized by GlobalCompliancePanel, a leading provider of professional trainings for the areas of regulatory compliance.

At this detailed two-day seminar, Paul Hales, an attorney at law in St. Louis, Missouri who specializes in HIPAA Privacy and Security Rules, will be the Director. All that is needed to gain a thorough understanding of the perspectives Paul will offer on HIPAA compliance is to register for this seminar by visiting http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900798?linkedin-SEO .

What makes this seminar a valuable learning session is that Paul will explain, in simple and plain language, the contents of HIPAA compliance. He will demystify the tricky areas of HIPAA compliance and offer clarity of understanding of these, and will crystallize them into six easy steps.

Paul will drive home the point that HIPAA compliance becomes easier when its seemingly difficult requirements are broken down into steps. He will suggest six steps that organizations can take to make HIPAA compliance easier.

He will pack the seminar with visual presentations, interactive discussions and stimulating questions and answer sessions. He will also show how to find the right rule with the six step-by-step procedures he will lay down.

Takeaways at this important seminar on HIPAA compliance

Paul will offer these following key takeaways at this highly valuable seminar:

·        Thorough Understanding of HIPAA Rules

  • What they are
  • How they work together
  • Why and How they were made
  • How they are changing and what to expect next

·        HIPAA Risk Analysis – Risk Management for Your Organization

  • A Practical Guided Exercise done in class on your computer to take home

·        Privacy and Security Rules – Permitted and Required Uses and Disclosures

  • What information must be protected
  • Administrative, Technical and Physical Safeguards
  • Social Media, Texting and Emailing Patients

·        The inter-connected, inter-dependent relationship of Covered Entities and Business Associates

·        What is, and what is not a Reportable Breach of Unsecured PHI

http://www.fertilitybridge.com/blog/hipaaandsocialmediawithpaulhales

HIPAA Security Rule Principles

Though short in length,HIPAA Security Rule principles are well defined in some areas, but vague in some others, making implementation of these areas difficult.

HIPAA Security Rules are an offshoot of the Privacy Rule. While Privacy Rule concerns itself with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) concerns itself specifically with electronic Protected Health Information (ePHI). Since it particularly focuses on an element of the Privacy Rule; it is considered a subset of the HIPAA Privacy Rule.

The HIPAA Security Rule seeks to fortify individually identifiable health information with reasonably high levels of technical, administrative and physical safeguards so that these attributes are protected and unauthorized or inappropriate access, use, or disclosure prevented:

  • Confidentiality
  • Integrity, and
  • Availability.

To enable this, the HIPAA Security Rule codifies a few standards and best practices in information technology. In a general sense, the HIPAA Security Rule requires computer systems containing patient health implementation to implement these three safeguards:

  • Administrative,
  • Physical, and
  • Technical.

It has clear definitions of each component relating to its specifications. Some of the terms on which the HIPAA Security Rule is unambiguously clear are:

Challenges associated with implementing HIPAA Security Rule

Despite the clarity of definitions of a few terms as stated above; the HIPAA security rule is considered complicated by practitioners and participants in the Rule. Although not a very painfully long document in that it runs into only eight pages; because of the high technical nature of its text, it is considered quite complex.

A major requirement that the HIPAA Security Rule imposes is a set of additional organizational requirements, apart from documenting processes that are in tune with the HIPAA Privacy Rule. This is easier said than done, especially for small time providers that have limited technical bandwidth and capabilities, for whom implementing the Privacy Rule itself can be challenging. The solution is to make Health information technology (HIT) resources available for this kind of providers.

Further, this Rule has some ambiguities. For instance, its fundamental requirement is implementation of “necessary safeguards”. There is no unanimity about what this means.

Want to know more : http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900739SEMINAR?wordpress-SEO

Get your HIPAA compliance right in six simple steps

The most important element that Covered Entities and Business Associates must keep in mind while carrying out HIPAA audits is best summarized in the words of Jocelyn Samuels, the top Federal official in charge of HIPAA enforcement. To quote her own words, Covered Entities and Business Associates must ensure compliance through “… a comprehensive and thorough approach to assessing and addressing the risks to all of the Protected Health Information (PHI) they maintain”.

hipaa-compliance

Although Risk Analysis is mandatory; HIPAA audits of 2012 showed that as many as four fifths of health care providers failed to comply with this mandatory requirement. Covered Entities and Business Associates are under severe pressure to do a HIPAA Risk Analysis of all the PHI’s they maintain. Most of this, they are expected to do on their own. This explains perhaps just why 80% of health care providers failed to do the Risk Analysis, a fact discovered by the HHS. In fact, the incidence of HIPAA violations has been increasing so steeply that 2015 was sardonically referred to in HIPAA circles as the “Year of the Breach”. This fact leads to the next important point: higher and greater number of government enforcement and private lawsuits.

Learn the ways of getting HIPAA compliance right in just six simple steps

The above facts make it absolutely imperative for Covered Entities and Business Associates to get every aspect of the HIPAA compliance right, in the manner suggested by Jocelyn Samuels. This is precisely what GlobalCompliancePanel, a highly renowned provider of professional trainings for all areas of regulatory compliance, will be imparting at a two-day, in person seminar. To enroll for his event, just visit

http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900616SEMINAR?master-HIPAA-compliance-six-steps-San-Diego.

The Director of this highly meaningful and valuable seminar is the well-known expert on HIPAA compliance, Paul Hales. Paul’s credentials get augmented by the fact that he has, with a team of expert advisors and practical field testers, created a method of making all HIPAA regulations accessible to the everyday person. Paul’s method explains all the aspects of HIPAA in uncomplicated and simple language and carries the exact citations to each regulation. This method is directed at organizations’ legal counsel who may not be well versed or experienced in HIPAA, and will be a major part of this seminar.

hippa

Major benefits by learning from the expert

Organizations that are required to carry out HIPAA audits will gain enormously from this seminar. It will help them to save money, time, and research. Paul will discuss how Business Associates and Covered Entities can grow their practice and be compliant. His method will serve as the very foundation on which organization can implement their HIPAA Compliance Program. Most importantly, he will teach how they can grow what is most valuable to their business: Their patients. Paul’s HIPAA compliance method, which consists of six easy steps, will create a level of quality to the advice that the legal counsel provides.

He will take participants of this seminar through a Risk Analysis for their organization and will also delve into the Privacy, Breach, and Security Rules as applicable to their particular organization.