ClickCare Café

HIPAA HITECH Omnibus Rule 2013 and Healthcare Collaboration

Posted by Lawrence Kerr on Sun, Feb 24, 2013 @ 11:23 AM

HIPAA? I know about it, but I text anyway because it is good patient care.

Do you really want to say that?

Our advice: Don’t even think about it! And moreover, forget it and move on -- there is too much to worry about that you can change, and this, you can’t.

We are taught to understand as well as follow. Here is some understanding.

The Federal Register, on January 25, 2013, added another 563 pages (78 Fed Reg. 5566) to the voluminous hundreds of pages that constitute three acts over the past 17 years. These are HIPAA, HITECH and GINA, and an entire industry has been built on these rules. The 563 pages as a totality constitute the Omnibus Rule of 2013.

What does all of this mean to us providers? What does all of this mean to us who help providers? Since this post is addressed to patient care professionals, many of whom are mere HIPAA laymen, these answers are brief and focused.

Four main points for day-to-day care:

1. There is increased penalty and enforcement. 


2. Business associates are responsible for all their subcontractors. Did a cleaning lady, employed by a cleaning service, pick up a CD? The rule defines Reasonable Cause as an act or omission in which a CE (covered entity) or BA (business associate) knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the CE or BA did not act with willful neglect.

3. Any disclosure of PHI will be presumed to be a breach, and HHS will, not may, investigate.

4. Individuals have enhanced rights to obtain electronic copies of their records. With this comes an enhanced right to restrict disclosure of PHI. Patients who pay for care solely in cash can restrict release to insurance companies and billers.

Some collateral damage to be aware of:

  • Schools -- Immunizations can be shared.
  • Research -- Special notes about current research releases, and how they may apply to future analysis of the same data with different research.
  • Genetics -- Genetic information is protected and cannot be used against the patient.
  • Marketing and Fundraising -- Defines how information is used. Can you ask for money from patients for a cause you know that they are near and dear to?
  • Notification -- You may have to send new notifications to your patients about your privacy policy. Did you ever get one of those from your credit card company?

How much time is there to comply?

The final rule was announced on January 25, 2013. It is effective March 26, 2013 (including penalties), and compliance (such as notifications) must be completed by September 23, 2013.

Cost and Conclusion.

The cost of all of this: 114 to 225.4 million dollars (government estimate; your experience may vary). For 2011, the CDC estimates 1 billion physician office visits. That works out to 23 cents per visit.

Finally, there is a lot to this and a lot to read. Download the "Omnibus Rule -- High Overview" to learn more and send you speedily on your way.


Omnibus High Level Overview


It is not totally depressing. But, as Jim Croce says,

"You don't tug on superman's cape

You don't spit into the wind

You don't pull the mask off the ol' lone ranger

And you don't mess around with ..."


Find the compilation of References here:

1. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

2. Debbie Tokos, RHIT, CHPS, United Health Service, Johnson City, NY 13790

3. http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html

Tags: HIPAA, HITECH, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images, Omnibus Rule

Telemedicine Security and HIPAA: What if you lose your iPhone?

Posted by Lawrence Kerr on Wed, Apr 04, 2012 @ 11:36 AM

You’ve followed HIPAA, now you’ve lost your phone. Now what?

It happens more than you would think. In 2011, statistically, each owner lost his phone at least once.

The most common places to lose your phone are:

  1. Coffee Shop
  2. Bar
  3. Office
  4. Restaurants
  5. Apartment & Condo
  6. Grocery Store
  7. Gas Station
  8. Residential
  9. Pharmacy or Drug Store
  10. Park

Source: Lookout Mobile Security, March 22, 2012. Image: Wikihow.com

Since for many of us, the “office” is the floor, the ER or the Operating room, and we rarely get to the park, the grocery store, or bar, the list shrinks considerably. 

Here are some suggestions for not losing your phone:

  • Keep it in the same place all the time: pants pocket, shirt pocket or pocketbook.
  • Pat that pocket as you do your wallet.
  • Don’t hold it; put it away.
  • When at home, keep it attached to the charger. Don’t let children play with it. It is a good substitute babysitter, but easier to lose, believe it or not.
  • In the operating room, check your scrubs before they go into the laundry. If placed on a table or shelf, keep it away from the rest of the equipment and supplies.
  • When using Medical iPhone Photography, take the picture, put the phone away, and then do your procedure. For instance, laying it down on the bed while changing a dressing has two problems: (1) the patient lies on it and gets another pressure sore, or (2) you lose it and the picture you just took.

This brings us to why we at ClickCare are making note of this study. First, replacing an iPhone is expensive. But paying the HIPAA and HITECH fine is worse: a $500 loss could quickly become a $50,000 loss if the phone compromised patient privacy.

Second, if the picture is lost (and, as the saying goes, you may have had only one shot at it), collaboration is that much more difficult.

iClickCare was specifically designed to solve these problems. 

First, even if your phone is lost, the pictures which were taken are hidden behind a secure log-on barrier. Second, when an iClickCare visit or consultation is created, the data is sent to, stored on and available from the secure server. You may have wasted $500, but you have not lost your patient's information.

If you have lost your cell phone, just call or text it. Maybe someone can answer it. Let it ring long enough for them to pick up. Provide contact information in the text.

The iPhone has the Find My iPhone feature. You can also kill the iPhone remotely. Here is a helpful article from PCMag about different phones and different choices. Another good article is at www.wikihow.com/

If you are lucky, like us, the nice people at the Roscoe Diner will put it behind the cash register for safe keeping!

Image source: www.liveintentionally.com

References:

Lookout Projects Lost and Stolen Phones Could Cost U.S. Consumers Over $30 Billion in 2012

Lost cellphones added up fast in 2011 – USATODAY.com

10 Ways NOT To Lose Your Cell Phone! | Schmoozins

Americans Lost $30 Billion Worth Of Cellphones In 2011, Study Finds

http://www.pcmag.com/article2/0,2817,2363526,00.asp

http://www.wikihow.com/Find-a-Lost-Cell-Phone

http://www.liveintentionally.org/2011/03/30/things-you-dont-have-time-not-to-do-13-make-a-place-for-everything/


Tags: HITECH, HIPAA Collaboration, iPhone medical apps

HIPAA Violations, Audits, and Medical Collaboration

Posted by Lawrence Kerr on Mon, Feb 27, 2012 @ 09:28 PM

There are both moral and regulatory reasons to protect our patients' privacy.

HIPAA and HITECH, at times, seem to be over the top. The regulations have certainly been interpreted, reinterpreted and over-implemented, and a plethora of “saviors” has created an entire industry around them. I doubt some of the extreme responses to fear of enforcement and fear of technology are intentional, but nevertheless we live with the unintended consequences that make our day difficult at best, impossible at worst.

That said, there seem to be three active responses by providers:

  • Ignoring the rules.
  • Never confronting the problem by never coming out of one's silo.
  • Begrudgingly, following the rules, but hurting the patient.

How many times have you heard (or said): 

  • “I just send an email.”
  • “I just send an email, but I asked the patient.”
  • “I am the doctor (nurse, therapist), I do what is right, the rules are stupid and don’t matter.” 

These are dangerous (to self and patient) responses to an impossible situation. There will be continuing enforcement, and there are easier solutions. We offer a good one.

Review this graphic from OnLine Tech. First, HIPAA audits are funded: $9.2 million to KPMG for 150 audits and $182,000 to Booz Allen Hamilton for Audit Candidate Identification. The funds come from the Office of Civil Rights. Completion date is 12/31/2012.

Violations of HIPAA and HITECH

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

1. Private Practices;
2. General Hospitals;
3. Outpatient Facilities;
4. Health Plans (group health plans and health insurance issuers); and,
5. Pharmacies.

Most of these are easily solved. If one removes the simple physical causes (77%), then the risk of violation is left to hacking (6%), unauthorized access/disclosure (16%) and unknown (1%). No one is immune from hacking, although ClickCare works hard to protect against that. No one has to use email and risk enforcement, and as you see above, it is the small guys who top the list.

The message here:

• This is real.
• This is significant.
• This is avoidable.

We owe our patients more than protecting ourselves by opting out. There is an inexpensive and easy solution.

Sources:

HIPAA Audits Are Coming: KPMG Contracted to Perform 150 Audits Through 2012

2011 HIPAA Violations and Audits

HHS Office of Civil Rights (OCR)

Award Notice

Tags: HIPAA, HITECH, Personal Health Information, Patient Privacy

HIPAA Compliance and Medical iPhone Photography...Chapter 2

Posted by Cheryl Kerr on Thu, Oct 27, 2011 @ 08:16 PM

• What is clinical photography? Is it medical photography?
• What is the best camera for clinical photography?
• What makes a good clinical photograph?

Chapter 1 reminded us about the importance of the obvious: Take the picture. Hold the camera still. And archive the picture for easy retrieval!

In Chapter 2, we will get Permissions, HIPAA and HITECH carefully understood. You might subscribe to our blog so that you don't miss a chapter!

Throughout the course of 9 serial lessons we will show you how to maximize the remarkable capabilities of the iPhone, understand the principles of medical and clinical photography, and feel comfortable with documentation both descriptively and visually.

There is quite a history, but the value of good, consistent clinical photographs is unchanged.

At this point in time, the quality from that small camera "in your pocket" is amazing because the picture is taken instead of missed. When coupled with the techniques in these chapters, the communication is only improved.

Medical iPhone Photography will be released one chapter a week until mid December...as both an iBook for the iPad or iPhone or a PDF for everything else. Then the book will become available in printed form for holiday giving to your favorite healthcare provider.

Tags: HIPAA, HITECH, clinical photography, medical photography, iPhone

HIPAA and HITECH: What is the Difference?

Posted by Lawrence Kerr on Mon, Oct 24, 2011 @ 01:48 PM

What you are expected to know, but never quite understood...

* HIPAA – Health Insurance Portability and Accountability Act (Clinton, 1996)
* HITECH – Health Information Technology for Economic and Clinical Health Act (Obama, 2009)

The United States Congress passed the Health Insurance Portability and Accountability Act, commonly known as HIPAA, in 1996. For the very first time, security standards came into existence to protect health information.

Then, in 2009, the scope and complexity of HIPAA was extended with the presentation of the Health Information Technology for Economic and Clinical Health Act (HITECH).

Both HIPAA and HITECH have risen to great importance with the health industry’s continual acceptance of electronic information systems.

Electronic data systems and applications and electronic health records (EHRs or EMRs) have considerably upgraded billing, surveillance and productivity. However, new security threats have arisen as well. As compared to paper charts, electronic health information is at greater risk of being distributed, tampered with or stolen, which could lead to public disclosure.

In order to eradicate these threats, strict standards governing security and privacy were implemented by HIPAA and HITECH. Consequently, anyone who transmits any information in electronic form is required to comply with the standards implemented by the Department of Health and Human Services.

Both HIPAA and HITECH are similar rules: they address the safekeeping and discretion of healthcare protocols. Both Acts contain privacy requirements and have numerous effects on research and clinical care. But the additions are important. For example:

* Section D of the HITECH Act will have significant and varied ramifications on health care participants. Four tiers of culpability and penalty are listed.
* HITECH restructures and strengthens civil and criminal consequences for non-compliance. These are significant, with the fine being $50,000 for each violation, not to exceed $1,500,000 for the calendar year. Prison terms have been issued as well.
* HITECH necessitates justifying the disclosure of PHI (Protected Health Information), even when it is done for healthcare treatment and billing.

What does this mean practically?

Email cannot be used unless it is within a closed and secure system. However, secure email is not only inadequate for retrieval and study, but it is also awkward to use and available only to a few participants tightly controlled within a system. Standard email meets no HIPAA requirements whatsoever. Beyond being public, it is increasingly the fodder of search engines. To place oneself above the law because of the perception of the higher importance of medical care and patient permission is not good for any of us.

There’s a need for a platform that provides an all-inclusive structure to help organizations restructure and systematize all facets of HIPAA/HITECH compliance. Among other things, this would ease time-tracking, email notices and operative effectiveness, with the goal of condensing the time and energy necessary for security compliance.

In summary, HIPAA and HITECH are two powerful entities. They should be handled with extreme caution as they are mission critical to America’s healthcare and its people.

Tags: HIPAA, HITECH, Personal Health Information, Patient Privacy, Telemedicine and HIPAA, PHI
