Archive for the ‘HIPAA News’ Category

This week’s HIPAA cartoon

In reality there’s nothing funny about HIPAA compliance, but sometimes you have to laugh.

Rite Aid to Pay $1 Million to Atone for Their HIPAA Sins

If you are one of the thousands of HIPAA professionals who struggle every day to make their colleagues understand why all the finicky (and, let’s face it, sometimes downright annoying) HIPAA rules have to be followed to the letter, here is yet another cautionary tale you can now use to back up your arguments.

On Tuesday, July 27th, 2010, it was announced that drugstore giant Rite Aid had agreed to a $1 million settlement to atone for their HIPAA transgressions. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

The problems began for Rite Aid and its 40 affiliated entities – collectively known as RAC – when the television news media began producing video footage of various RAC employees in several cities across the country disposing of prescription bottles containing individuals’ identifiable information in industrial dumpsters that were accessible by the public – a huge HIPAA violation that one would have assumed a giant corporation would have known better than to ever risk.

In addition to the fines, Rite Aid has had to forge agreements with both the OCR (Office for Civil Rights) and the FTC (Federal Trade Commission), who conducted the joint investigation, as to the steps they have to take to ensure that such violations never occur again.

You can read the full press statement announcing the settlement here

Connecticut AG and Health Net Cut a Deal over HIPAA Security Breach

Connecticut State Attorney General Richard Blumenthal made a little bit of history back in January of this year when he became the first AG in the country to bring a HIPAA enforcement action, which he did against insurance giant Health Net. Now he has just made a little more by announcing he has brokered the first state settlement of such an action.

The suit came about as a result of Health Net’s loss of a hard drive containing over 500,000 individuals’ records, including clinical data, social security numbers, addresses, and other financial information. According to Blumenthal, Health Net then compounded the gaffe (which they chalked up to theft) by failing to inform those affected about what had occurred for over six months after the incident.

Under the terms of the settlement, Health Net will be ordered to pay $250,000 directly to the state of Connecticut, representing statutory damages (and, no doubt, to serve as a warning to other health insurance companies as well). They will also have to put aside a further $500,000 to cover damages should it eventually be found that the missing hard drive was accessed and that members’ personal information was ever used in an illegal manner. Guessing that there are still a lot of crossed fingers at Health Net on that issue.

You can view the full settlement details here

Happy HIPAA Holidays – funny poem

Merry Christmas! Here is a holiday poem featuring HIPAA that I recently ran across and wanted to share. It was originally posted here.

HIPAA Christmas poem – Santa in the ER:

A Visit to the ER from St. Nick

Twas the night before surgery, and all ‘cross the floor

The patients were buzzing ’bout the guy in Room Four.

His chart was hung on his door with great care

To make sure his name was not shown anywhere.

The patients were nestled all snug in their beds

While telemetry monitors beeped overhead.

And I in my gown, with its crack in the back,

Had just settled down for my clear liquid snack.

When down the hall there arose such a clatter,

I sprang from my bed to see what was the matter.

I pulled off my leads and flew out the door,

With my IV pole dragging behind on the floor.

Away to Room Four I hurriedly dashed

Unaware of my gown and the nurses I flashed.

As I slid to a halt and leaned to peek in

I heard the nurse say, “Sir, you mustn’t go in!”

And what did I see when I looked in Bed A

But ole Mr. Claus; on his belly he lay.

Covered in gauze and stuck high in the air

Oh what a sight, ’twas St. Nick’s derriere!

He was yelling at Doris, the nurse at his side

To be tied to this bed, he just could not abide.

He moaned and he bellowed about his ill luck

But there was just nothing for it; the old man was stuck.

“What happened to Santa?” to Doris I said,

“Why’s he on his belly in this hospital bed?”

With a grin she whispered, “He did something stupid.

He injured his butt when he backed into Cupid.”

But the old man’s ears were sharp as tack.

He heard what she said there behind his back.

“You had no right to speak, and that is a fact!

Don’t you know about HIPAA, the privacy act?”

“You’re out of compliance, Doris, my dear.

You had no right to tell him ’bout my injured rear!

I’ll sue you for breach, and this hospital, too!

You won’t have a job when I’m through with you!”

“When I check my list and then check it twice,

You’ll be in the column labeled ‘Not Nice.’

The HIPAA patrol will likewise drop by

To find out why you, Doris, did not comply!”

“They’ll want to know why you opened your yap,

A big, hefty fine on your butt they will slap.

And from me every Christmas you will now see

Nothing but switches and coal ‘neath your tree.”

Merry Christmas and HIPAA New Year!

TOP 10 HOT HIPAA JOBS

Once again we’ve brought you the best of the best.  From Monster.com, SimplyHired.com, MedicalWorkers.com and Dice.com, here are the top 10 HIPAA jobs as of October 29, 2009 nationwide.

1. Chief Privacy Administrator

2. HIPAA Specialist

3. HIPAA Business Analyst

4. Corporate HIPAA Compliance Manager

5. EDI Lead Developer

6. HIPAA Privacy Manager

7. Manager, Patient Relations

8. Lead Correspondence Clerk

9. HIPAA Auditor

10. Privacy Specialist

Here are the brief summaries and details of the jobs we’ve found for you:

Job Title: Chief Privacy Administrator

Company: Catholic Healthcare West (CHW)

Location: San Francisco, CA

Job description: The Chief Privacy Administrator is appointed by the CHW Board to direct the organization’s activities related to development, implementation, maintenance of, and adherence to policies and procedures covering the privacy of, access to, and protection of patient, provider, employee, and business information in compliance with CHW policies and procedures, and as required by the HIPAA privacy rule, the FTC Red Flag Rule, and other applicable regulations and laws.

The Chief Privacy Administrator collaborates with CHW legal counsel to monitor or interpret the requirements of HIPAA and other applicable federal and state privacy laws and regulations. The Chief Privacy Administrator receives complaints and requests for further information regarding CHW privacy policies and notices; in collaboration with CHW legal counsel, oversees investigations and required state and federal reporting and notification involving breaches of confidentiality; coordinates all activities with privacy implications; and monitors systems and services to assure meaningful privacy practices. The Chief Privacy Administrator also monitors and coordinates all requests for information from federal and state regulators investigating privacy.

Click  here to read more about this position.


Job Title: HIPAA Specialist

Company: AETEA Information Technology

Location: Olympia, WA

Job description: Our Olympia, WA customer needs a Consultant with strong HIPAA experience and knowledge to help with getting through HIPAA/EDI testing. We are looking for someone who knows the Federal HIPAA transaction implementation guides well and can understand the companion guide and help providers troubleshoot why their files are failing.

Click  here to read more about this position.


Job Title: HIPAA Business Analyst

Company: CATS

Location: Washington, DISTRICT OF COLUMBIA

Job description: This initiative requires the resource to evaluate the existing District agencies requiring HIPAA Security measures and to offer a comprehensive and logical approach in providing HIPAA Security for those agencies.

Meets with customer and reads designs and uses software tools to gather requirements, analyze needs, identify risks, propose designs, write documentation, remediate and carry out analysis. Any HIPAA IT security assessment experience is a plus. Conduct risk analysis of various agencies, hereafter referred to as a covered entity, to identify deficiencies in standards, to resolve problems where applicable, and to develop and amend HIPAA associated Policies, Plans, and Procedures. Implement preventive compliance measures as it relates to Part 164 of the HIPAA Security Rule described in the Work Plan.

Click  here to read more about this position.


Job Title: Corporate HIPAA Compliance Manager

Company: HMA – Corporate (Health Management Associates)

Location: Naples, FL

Job description: Assists with all ongoing activities related to the development, implementation, training, maintenance of, and adherence to the organization’s policies and procedures covering the privacy of, and access to, patient health information in compliance with federal and state laws and the healthcare organization’s information privacy and security practices…

Click  here to read more about this position.


Job Title: EDI Lead Developer

Company: CATS 

Location: San Francisco, CA

Job description: The tech lead for the EDI Program is responsible for building and implementing the technology solutions which are part of EDI Roadmap. Responsibilities include analyzing the requirements, detailed system design, development, testing and support of technical solutions…. The candidate should have experience in architecting and implementing EDI in healthcare industry with knowledge of HIPAA standards…

Click  here to read more about this position.


Job Title: HIPAA Privacy Manager

Company: Cedars-Sinai Medical Center

Location: Los Angeles, CA

Job description: Works with the CCO/Privacy Officer in implementing and administering federal and state regulatory requirements on patient privacy and the confidentiality of patient information. Primary customers include physicians and CSHS employees…

Click  here to read more about this position.


Job Title: Manager, Patient Relations

Company: MetroWest Medical Center

Location: Framingham, MA

Job description: Under the general supervision of the Director of Quality and Patient Safety, is responsible for managing patient relations and complaint activity. Serves as liaison between the patients, their families, and the organization’s departments, administration, and physicians for thorough and timely resolution of issues, concerns, and complaints. Acts as the organization’s HIPAA / Privacy Officer assuring adherence to all HIPAA and privacy of information regulations and standards.

Click  here to read more about this position.


Job Title: Lead Correspondence Clerk

Company: UCSF Medical Center

Location: San Francisco, CA

Job description: The Lead Correspondence Clerk is responsible for processing requests for medical records. This individual must have general overall knowledge of The HIPAA Privacy Rule (Federal Registry, Title I, Health Care Access) along with laws governing State and Local Release of Information and Patient Access…

Click  here to read more about this position.


Job Title: HIPAA Auditor

Company: COMSYS

Location: Boise, ID

Job description: The Internal Auditor for Information Security is responsible for the auditing and testing of IT controls for HIPAA, PCI, and other regulatory based auditing and testing. This person will audit routine information systems and the most complex of new and existing systems to ensure that appropriate controls exist, and that system procedures are in compliance standards. Provides timely periodic reports on findings and identifies controls needing improvement.

Click  here to read more about this position.


Job Title: Privacy Specialist

Company: St. Luke’s Hospital

Location: Houston, TX

Job description: Provide input on the development, implementation, and on-going review of privacy policies and procedures. Provide information about matters covered by the System’s Notice of Privacy Practices. Receive, respond to, and document privacy complaints from patients, employees, business associates, and others. Coordinate correction, mitigation, and disciplinary action as requested. Prepare, as directed, periodic privacy reports to the Governing Board and management regarding the status of implementing and maintaining the privacy program. Oversee, direct, deliver or ensure delivery of initial HIPAA/privacy training on applicable policies to all employees, volunteers, medical and professional staff. Initiate, facilitate, and promote activities to foster HIPAA/privacy awareness. Work with the Privacy Officer to establish a process for receiving, documenting, tracking, investigating, and taking corrective action on all complaints concerning the organization’s HIPAA/privacy matters. Implement corrective action to mitigate effects of inappropriate use or disclosure of PHI and document such actions. In collaboration with legal counsel, identify business associates that receive PHI and review existing contracts with these entities for compliance with HIPAA. Assist regulatory bodies and organization officers in compliance reviews or investigations. Work in conjunction with the Privacy Officer to address such reviews or investigations. Set and track potential HIPAA/privacy compliance performance measures, which may include: Breach of confidentiality/privacy related complaints; Determine number of internal incidents involving violations of privacy policies; Determine and improve compliance with HIPAA training; Act as a liaison to St. Luke’s IM Department to review all system-related information security plans to ensure compliance; Respond to other compliance matters as appropriate or as assigned by the Compliance Officer.

Click  here to read more about this position.

New HIPAA/HITECH “Surveillance Program” by Doctations just released…

There’s a new solution on the market to make HIPAA and HITECH compliance faster and easier, and the real draw is that it makes it easier for physicians to qualify for the stimulus incentives and bonuses from the ARRA, PQRI and E-Prescribing initiatives. In a business wire issued on October 22nd, Reuters highlights the new “Surveillance Program” offered by Doctations.

The Surveillance Program allows physicians to meet requirements for the E-prescribing initiative for a 2% bonus, the Physicians Quality Reporting Initiative (PQRI) for a 2% bonus as well as to qualify for up to $44,000 in incentives from the ARRA via the High-Tech bonus. Doctations’ COO Jerry Kolosky highlights the benefits: “By implementing the Surveillance functionality, we are providing online tools that make it simple for doctors to meet new government requirements, help ensure positive patient outcomes and receive the associated financial benefits.”

Reuters states that “By implementing the medical practice management and digital documentation solutions as web-native tools, Doctations provides doctors and patients with advanced, secure, HIPAA compliant, comprehensive solutions that are substantially less expensive than any other options currently available.”

And yes, the Certification Commission for Health Information Technology (CCHIT) has certified this application.  Doctations has committed to updating this program for immediate compliance with HIPAA and HITECH rules as well as other regulations.

HIPAA and Hurricanes: HIPAA Privacy and Disclosures in Emergency Situations

Once again we are in the midst of hurricane season.  I thought this would be a good time to review a few points about HIPAA and natural disasters – always helpful reminders, since “the big one” could be here soon (earthquake, tornado or hurricane…you just never know).

When Hurricane Katrina struck the US, time was of the essence in providing care to those injured. The Department of Health and Human Services issued a bulletin titled Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations to succinctly address the issue of patient information while responding to an emergency. It covers treatment, notification, imminent danger and facility directories.

In short, “the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need.”  The Red Cross is also mentioned specifically: “Of course, the HIPAA Privacy Rule does not apply to disclosures if they are not made by entities covered by the Privacy Rule.  Thus, for instance, the HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information.”

For a more in-depth analysis of Hurricane Katrina and HIPAA Privacy, you can access the CRS Report for Congress on Hurricane Katrina: HIPAA Privacy and Electronic Health Records of Evacuees.

For hurricane updates from the National Weather Service, click here.

Funny HIPAA Jokes & Puns

On the lighter side, here are a few puns and jokes about HIPAA.  Since laughter is the best medicine, you may as well smile as you read through these.

What do you call a provider if he/she is found to have violated patient confidentiality?

HIPAAcrit

What do you call a theory for HIPAA success?

HIPAAthesis

What does one experience once they’ve grown cold to HIPAA compliance threats?

HIPAAthermia

What do you call someone who complains incessantly about HIPAA?

HIPAAchondriac

What do you call urgent HIPAA issues?

HIPAAcritical

What do you call the uphill slope toward HIPAA compliance?

HIPAAtenuse

What do you call someone who thinks HIPAA is sweet?

HIPAAglycemic

What is the disease you get from too much HIPAA?

HIPAAtitis

What do you call someone who is delighted with HIPAA?

HIPAA-go-lucky

These were originally posted here by D. Hager, Paramedic.

Top 10 reasons to attend the World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance Management

Get your HITECH and HIPAA ducks in a row.

The World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance Management is designed to provide solutions for exposing risks and maintaining compliance with new HIT requirements from the ARRA, HIPAA and health reform. The summit will be held on November 9 – 10 in Arlington, VA. Read on for 10 compelling reasons to attend along with interesting facts about the upcoming conference.

10.  Resources and Checklists are included so you can reduce exposure and risk.  Make HIPAA and HITECH work for you, not against you.

9.  Network in the Exhibit lounge with other executives and HIPAA know-it-alls.

8.  Torpedo Factory Art Center is not part of the conference, but it is one of the free things to do before or after the conference.  Click here for a list of more free things to do in Alexandria.

7. Meet 17 speakers and learn from their experiences.  They’re here to help you, after all.

6. Data Breaches pose a huge liability.  Find out how to identify, track, fix and report a HIT data breach, as well as best practices for organizational recovery.

5.  27 Red Flags of medical ID theft…learn what you need to do to protect yourself and your clients from data breaches and medical ID theft.

4.  Get money from the Recovery Act, Medicaid and Medicare by learning the security frameworks required by these programs.

3.  Save money by registering by October 30: enter code QFZ483 on the registration page for an extra $100 off the current rate.

2.  Bill Clinton is providing the closing keynote address: “Embracing our Common Humanity”.  How often do you get to see the former President up close and personal?

1. Be proactive on your HIPAA and HITECH implementation so that you can make the right strategic and tactical HIT management decisions…learn how to avoid security breaches in the first place!

For more information about the conference, click here.

Participating in medical research? Learn how HIPAA impacts the information shared with outsiders.

Clinical trials and medical studies are fundamental to the advancement of medicine. But how does HIPAA impact the research and what personal health information can be shared? The National Institutes of Health has put together a 38-question FAQ addressing this: HIPAA Privacy Rule for Researchers.

The good news is that “patients and health plan members should be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected…The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information.”

What does the Privacy Rule cover when it comes to research? In short, it regulates the documentation needed (i.e. the waiver that patients sign to release their information for the study).

Who else might see your information? “The Office for Human Research Protections (OHRP) is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the OHRP either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities…”

Are you a patient involved in a clinical research study? Learn more about the protections for your personal health information by clicking here to read the lowdown at the National Institutes of Health.