Archive for the ‘HIPAA News’ Category

After 2.5 years, HHS finally finalizes modifications to HIPAA rules

Excellent and detailed write-up of the new HIPAA rules that take effect on September 23, 2013:

On January 17, 2013, the U.S. Department of Health and Human Services (“HHS”) issued the highly anticipated omnibus final rule (the “Final Rule”) to modify the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Following the enactment of HITECH, HHS issued interim final rules to implement the breach notification requirements and certain of the enforcement provisions of HITECH (collectively, the “Interim Rules”), and in July of 2010 HHS issued a proposed rule to implement modifications to the privacy and security provisions of HIPAA. Since that time, Covered Entities and their Business Associates and subcontractors have been awaiting the Final Rule to confirm the extent to which these modifications, which are aimed primarily at strengthening the privacy and security protections for protected health information (“PHI”) and tightening the HIPAA enforcement provisions, will impact their operations, contractual relationships and potential exposure for HIPAA liability.

Read all the gory details here:

10 Affordable Health Care Act changes to be aware of for 2013

With 2013 right around the corner, you should be aware of the following 10 items for your checklist to make sure you’re ready for the Affordable Health Care Act.

Effective in 2013:

The following list itemizes the changes that generally will become effective in 2013. The effective date depends upon a number of factors, including whether the health plan is grandfathered, the first day of the plan year, and the number of employees.

  • Women’s Preventive Health Care Mandates
    Applicable To: Non-grandfathered plans only
    Effective: Plan years beginning on or after August 1, 2012 (January 1, 2013 for calendar year plan years)
    Details: Plans are required to provide in-network coverage with no cost sharing for preventive care such as coverage for contraceptives, contraceptive counseling, breastfeeding support, supplies and counseling, and screening for domestic violence.
  • Reduction in the Maximum Employee Contributions to Health Flexible Spending Accounts
    Applicable To: Only health flexible spending accounts (generally offered under a cafeteria plan)
    Effective: January 1, 2013 for calendar year plan years
    Details: The maximum amount that an employee can contribute to a health flexible spending account on a pre-tax basis cannot exceed $2,500 per taxable year. While the reduced limit is effective January 1, 2013 (or the first day of the plan year beginning after January 1, 2013 for plans with fiscal years), employers have until December 31, 2014, to adopt amendments to reflect this reduced limit.
  • Annual Benefit Limits
    Applicable To: Health plans other than health flexible spending accounts, health reimbursement accounts, and medical savings accounts
    Effective: Generally only for the 2013 plan year (see below for changes in 2014)
    Details: The annual limit on the dollar value of essential health benefits cannot be less than $2 million.
  • Reporting the Cost of Group Health Insurance Coverage on Forms W-2
    Applicable To: Employers that issued at least 250 Forms W-2 for 2012 (transition relief applies to exclude employers that issued fewer than 250 Forms W-2 for 2012, and certain types of plans)
    Effective: For the 2012 W-2s to be issued by January 31, 2013
    Details: The Forms W-2 issued by employers in early 2013 must report the value of any health coverage provided to each employee in 2012, regardless of who pays the premium for that coverage. Employers should take steps to ensure that payroll departments or payroll providers are prepared for the new reporting requirement.
  • Summary of Benefits and Coverage and Notices of Material Modification
    Effective: For open enrollment periods beginning on or after September 23, 2012 and for plan years beginning after that date
    Details: Employer health plans must provide a Summary of Benefits and Coverage (SBC) to all plan participants, as well as to all employees who are eligible to participate. If the employer makes a mid-year change in the plan provisions that would change the terms of the SBC, the plan also must provide a Notice of Material Modifications at least 60 days before the change takes effect.
  • Additional Medicare Tax Withholding
    Effective: January 1, 2013
    Details: An employer is required to withhold an additional 0.9% Medicare tax on an employee’s compensation in excess of $200,000. The additional tax does not have an employer matching requirement.
  • Notice of Exchange Availability
    Applicable To: Employers subject to the Fair Labor Standards Act
    Effective: Required by March 1, 2013
    Details: Employers must provide a notice to employees concerning the availability of health coverage through the state-wide exchanges. The notices will explain some of the benefits and consequences to employees if they choose to purchase a qualified health plan through the state exchange instead of electing coverage under an employer-sponsored health plan. Employers are still waiting for additional guidance regarding these requirements, and some are predicting that this requirement may be postponed.
  • Taxation of the Retiree Drug Subsidy
    Effective: January 1, 2013
    Details: Employers who were providing retirees with prescription drug coverage that was generous enough to qualify for a federal tax subsidy will no longer be allowed to deduct all of those expenses.
  • Patient-Centered Outcomes Research Comparative Effectiveness Fee
    Applicable To: Plan sponsors maintaining a self-insured plan (insurers will pay this for fully-insured plans)
    Effective: First payment is due by July 31, 2013
    Details: Plan sponsors must begin to pay a fee (the “PCORI Fee”) to the Internal Revenue Service per average covered life ($1 for the first year, $2 for the second year, and increased as permitted in future years) per plan using Form 720. These fees will be used to fund the new nonprofit corporation, the Patient-Centered Outcomes Research Institute, to support clinical effectiveness research. Some rules permit the limited aggregation of plans.
  • Certification of Compliance to Health and Human Services (HHS)
    Effective: By December 31, 2013
    Details: Group health plans must file a certification statement with HHS certifying that their data and information systems for the plan are in compliance with the HIPAA standards and operating rules for health plan eligibility, electronic funds transfer, health claim status, health care payments, and remittance advice transactions.


Read more here, including 2014 preparedness items:

5 Interesting HIPAA & HITECH Rule YouTube Videos

Need a refresher of some of the differences that HITECH brought to the HIPAA landscape? Check out the videos below.

Privacy & Security: The New HIPAA Rule

HIPAA Privacy, Security, and the HITECH Act

HITECH ACT – 2010 Changes in HIPAA Law

HITECH Act and Encryption in 5 Minutes

Information Security Program and HIPAA Compliance

HIPAA Violations Scarier than Surgical Fires?

Wonder just how worried hospital administrators are about potential HIPAA breaches due to IT failures and mistakes? According to a poll taken and published by Healthcare IT News, worried enough to put IT failures at number five on their Top Ten list of general technology hazards an institution might face.

According to that report, the prospect of a data disaster that leads to a costly HIPAA breach is scarier than Luer misconnections, oversedation, needle sticks, surgical fires and defibrillator failures.

Is this a bit of an overreaction? Surgical fires and needle sticks sound a lot more serious than data loss. However, given the increasing number of HIPAA violations reported around the country in 2010, and in many cases the costly fines and horrendous publicity that came with them, this kind of concern is understandable.

Some of these violations would never have been prevented by even the most sophisticated IT security systems, though. Take the recent reports about a physician who transmitted a great deal of personal patient information via email to his home in a completely insecure and unencrypted manner.

There was no malice involved; the man was merely trying to have the information at hand to review properly at the end of his long day. The story, though, highlighted the continuing need to educate everyone who handles PHI about what is and is not allowable under the HIPAA rules and regulations.

How Safe Is the Data in my EHR and Practice Management System?

Dr. Sharham Famorzadeh, Nuesoft’s Chief Technology Officer, explains the security benefits of medical practice management systems that run in the cloud, and addresses common concerns related to cloud computing. Do you agree? Would you consider a cloud-based practice management system?

Is HIPAA Already Outdated?

Is HIPAA, as it currently stands, really up to the task of protecting patient information as it should? After all, despite a few revisions, the majority of the legislation dates back to 1996, a time when the Internet was a novelty, not an everyday part of almost everybody’s life.

The simple fact is that barely a week goes by when the efficacy of the current HIPAA privacy paradigm in the new information age isn’t called into question by someone. For example:

In 2009, a number of parents sued the Texas Department of State Health Services when they learned that blood samples taken from infants for public health purposes were used without parental consent for research. The suit finally led to the destruction of more than 5 million samples.

In February of 2010, the not-for-profit news website Texas Tribune reported that the same state program had also provided hundreds of the infant blood samples to the Armed Forces DNA Identification Laboratory for the creation of a genetics database to be used for military, law enforcement and security purposes, causing further uproar.

In May of 2010, PatientsLikeMe, a social-networking site for patients with serious and life-ending diseases ranging from depression to ALS, discovered, according to its co-founder, that it had been scraped of members’ information by an unauthorized data-collection service run by the Nielsen Co, the famous global marketing research firm. A Nielsen spokesman says it has since halted what he called a “legacy” practice.

Examples like this can be cited on and on. Issues such as these simply would not have existed in 1996, so they never needed to be considered.

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel said in a recent interview with Modern Healthcare. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

What do you think? What would you like to see changed about the HIPAA statutes in the Internet age? Let us know in the comments.

97% of Americans Want Control of Their Healthcare Information


A new survey, conducted by privacy advocate Dr Deborah Peel’s Patient Privacy Rights Foundation and Zogby International, found that a whopping 97% of the 2,000 adults questioned want the right to control their own personal medical information and to be allowed to limit with whom their “sensitive information” is shared.

Many of those surveyed want to be in control of all of their electronic medical records and to have the right to limit to whom their doctors, insurance companies and even the government can give the information. Some expressed concern that employers, researchers, ex-spouses and abusive partners may be able to get a peek at sensitive information.

In a press release accompanying the release of the survey results, Dr Peel said, “No matter how you look at it, Americans want to control their own private health information. They overwhelmingly believe that they are the only people in the right position to make decisions about how their information can be used. Researchers do not get a free pass.”

Dr Peel’s Austin, TX-based advocacy group is calling for the creation of a “do not release” list, something that would work along the same lines as the “do not call” lists that telemarketers must abide by. 73% of those surveyed said they would sign up if such a list were ever to be created.

Privacy Advocates Question OPM Central Database Plans

Uh oh, is Big Brother rearing its ugly head in healthcare management? Many privacy advocates are saying yes.

Their beef is with the federal Office of Personnel Management. Under President Obama’s Patient Protection and Affordable Care Act, the agency has been tasked with creating a comprehensive database of health insurance claim records for the Federal Employee Health Benefit Program (FEHBP), the newly established National Pre-Existing Condition Insurance Program and the forthcoming Multi-State Option Plan.

Last month the OPM told various media sources that a central database would be the “best value for both enrollees and taxpayers” as such a system will enable them to manage the various programs more efficiently.

The OPM insists that all the data will be de-identified, but it has so far been rather vague about what exactly that will entail. And that is what has some people rather worried. “There are far too many unknowns about the program for it to be acceptable,” at this point, Harley Geiger, policy counsel for the Center for Democracy and Technology, told ComputerWorld in a recent interview.

The CDT and fifteen other organizations have now put their concerns in writing in the form of a letter to OPM Director John Berry. In the letter they express a number of concerns over the agency’s lack of actual policy. They go on to suggest that a central database is not necessary and express concern over a plan to make data available to third-party researchers and analysts and for certain law enforcement and judicial purposes.

“The government, researchers and covered entities already possess the necessary authority to carry out the described uses for the warehouse’s data. Rather than duplicate sensitive enrollee information by copying it into the warehouse, government agencies and researchers could access data already routinely collected in the ordinary course of business by the health plans participating in the affected insurance programs,” the letter states.

Whether or not the letter will have any impact remains to be seen. There is no set timeline for the creation of the database at this time.

Did Absentee Ballots Violate HIPAA Rules in PA?

You might not expect that the November midterm election would prompt a disagreement about HIPAA laws when there were so many other issues up for discussion, but in Lancaster County, PA that is exactly what happened when some people protested that the county’s absentee ballot forms violated HIPAA privacy rules.

In order for Lancaster residents to complete an absentee ballot rather than heading to the polling station in person, they had to fill out a form detailing the exact nature of the medical condition or disability that prevented them from voting in person, as well as the name and address of their doctor.

The form is mailed, and has to be returned, on a postcard, leading some residents who needed to file it to wonder whether having this information out in the open in this manner was a violation of their HIPAA rights.

Not so, said Larissa Bedrick, a spokeswoman for the state Bureau of Commissions, Elections and Legislation. HIPAA, she explained to concerned locals via the local Lancaster Online website, “restricts health-care providers and insurance companies from releasing that information. … It doesn’t apply to settings outside of that.” That includes patients voluntarily releasing their own personal data.

The incident highlights once more how little the general public really understands the HIPAA laws and their rights under them. More patient education is definitely needed across the board.

As for those uncomfortable with the level and nature of the information Lancaster County was asking them to reveal to anyone who happened to work at the post office, Bedrick had a suggestion: put the postcard in an envelope before mailing it (and pay extra postage).

Holiday Gifts for HIPAA Professionals

Looking for the perfect holiday gift for the HIPAA professionals in your life? Head over to carry a great collection of HIPAA-themed merchandise including mugs, t-shirts, even slip-on shoes, all at very reasonable prices. If you can’t quite find what you are looking for, you can create your own original design instead; you can even create your own HIPAA-themed toilet paper (if you really must).