Tremaine Health Care Compliance and Regulatory Update
Mr. Gerry Dumatol attended the Davis Wright Tremaine Health Care Compliance and Regulatory Update, a seminar held February 19th, 2015 at the J.W. Marriott at LA Live in Los Angeles, California. The seminar offered exposure to current events from compliance officers who have experienced OCR activity under HIPAA enforcement, and a good understanding of where the rollout of EHR stands today. One item that seems new and interesting was achieving Meaningful Use through EHR donation.
ISMG's Fraud Summit
ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges.
FEBRUARY 24, 2015 - Hilton Los Angeles / Universal City
ROUND 2: PREPARE FOR NEXT WAVE OF HIPAA AUDITS
by Marianne Ramolete
On March 30, 2014, the Office for Civil Rights (OCR) announced its plans to begin a new phase of HIPAA Privacy, Security, and Breach Notification audits. This new audit protocol will be more comprehensive than the previous phase of the HIPAA audits. OCR will take a more hands-on approach, conducting the audits itself. In the first phase, contractors were assigned between 2011 and 2012 to conduct the audits. In the second phase, however, OCR staff will undergo significant training to ensure meticulous attention to detail in auditing. With the implementation of a new methodology, OCR will change its strategy to better address audit objectives and goals.
PHASE ONE OF HIPAA AUDITS: THE RESULTS
Under the HITECH Act (Audit Section 13411), HHS (the Department of Health and Human Services) is required to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy, Security, and Breach Notification Standards.
With the implementation of HIPAA audits, OCR aimed for a comprehensive yet flexible process for analyzing entity efforts to ensure regulatory protections and rights. A plan of action to identify best practices and disclose risks and vulnerabilities was conceived to uncover flaws that other enforcement tools miss. This phase also encouraged consistent attention to meeting compliance standards.
The design of the audit protocol in phase one drew on databases of covered entities, surveys, program evaluations, and other materials. As a result, 115 performance audits were conducted through December 2012 to identify findings on adherence to the standards. The initial 20 audits tested the original audit protocol, while the remaining 95 audits used the modified audit protocol.
The results gathered during Phase One of the HIPAA audits are as follows:
- No findings or observations for 13 entities (11%)
- Security accounted for 60% of the findings and observations, versus 28% of the potential total
- Providers had a greater proportion of findings and observations (65%) than their proportion of the total set (53%)
- Smaller, Level 4 entities struggle with all three areas (Privacy, Security, and Breach Notification)
The Security audits also showed that there was ‘no complete and accurate risk assessment in two-thirds of entities’.
An overall cause analysis accompanied these results. It found that some entities were simply unaware of the requirements. Lack of awareness was most common for the Privacy requirements, followed by Security and Breach Notification. Other causes noted were failure to apply sufficient resources, incomplete implementation, and complete disregard for the standards.
Entities admitted that they were not aware of the Privacy Rule requirements on the Notice of Privacy Practices, access by individuals, minimum necessary, and authorizations. Under the Security Rule, entities were unaware of the risk analysis, media movement and disposal, and audit controls and monitoring requirements.
PHASE TWO OF HIPAA AUDITS: WHAT TO EXPECT?
WHO CAN BE AUDITED?
- Any Covered Entity (Health plans of all types, Health care clearing houses, individual and organizational providers)
- ANY BUSINESS ASSOCIATE (by selection through covered entities)
OCR is expected to contact 550-800 entities and will use the survey results to select a projected 350 covered entities to audit. 100 audits will cover Privacy, another 100 Breach Notification, and 150 Security (50 of which will be on Business Associates). Adam H. Greene has published guidance on how to prepare for Phase Two of the audits.
How does Phase Two differ from the previous phase?
- The approach in Phase Two will be primarily internally staffed.
- Entities under selection will receive notification and data requests in fall 2014 and will be asked to IDENTIFY THEIR BUSINESS ASSOCIATES and provide their current contact information.
- OCR will be selecting business associate audit subjects for 2015 among the BAs identified by Covered Entities.
- Desk Audits of selected provisions as well as comprehensive on-site audits as resources allow.
PHASE 2 DESK AUDITS (taken from a report done by OCR):
- CE address verification
- Pre-audit survey link sent to Covered Entity pool
- Notification and data request letters to selected entities
- Period for entity response
- CE Audit Reviews: OCT 2014-JUNE 2015
For the Desk Audits:
- Data requests will specify content, file organization, file names, and any other document submission requirements.
- Only requested data submitted on time will be assessed.
- All documentation must be current as of the date of the request.
- Auditors will not have the opportunity to contact the entity for clarifications or to ask for additional information, so it is critical that the documents accurately reflect the program.
- Submitting extraneous information may make it harder for the auditor to find and assess the required items.
- Failure to respond to requests may lead to referral for a regional compliance review.
- This will target particular provisions that were the source of a higher number of compliance failures in the pilot audits.
Under the new Phase Two protocol, auditors will assess entity efforts through an updated methodology, reflecting the changes in the Omnibus Rule and more specific test procedures. Sampling methodology will be used in a number of provisions to assess compliance efforts. An updated protocol will be available on the website, allowing entities to use it for internal compliance assessments.
This new audit phase, starting this year, will focus on Covered Entities’ compliance in Security (risk analysis and risk management), Breach Notification (content and timeliness of notifications), and Privacy (notice and access).
In 2015, Business Associates will be audited for risk analysis and management and for breach reporting to Covered Entities. The second round of 2015 audits will cover Covered Entities’ adherence to device and media controls and transmission security under the Security Rule, and to safeguards and training on policies and procedures under the Privacy Rule.
GOOGLE SCANS USERS’ EMAIL ON UPDATES IN TERMS
by Marianne Ramolete
Intrusion into user privacy is a common complaint of privacy groups as users become aware of Google’s updated terms of service, which reflect ‘analyzing user content including emails to provide users tailored advertising, and customized search results among other features’.
Microsoft jumped at this news, pointing out Outlook.com’s superiority over Gmail since it does not scan emails to customize ads for the user.
District Judge Lucy H. Koh notably said that Google’s terms of service and privacy policies did not explicitly notify the plaintiffs that Google would intercept emails to create targeted advertising. Google’s update to its terms may have been triggered by these comments.
In its defense, Google said that the users of Gmail and Google Apps had explicitly consented to its alleged interceptions.
The new Google terms of service now add the provision that “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”
HIPAA COMPLIANCE – AND WHY IT IS IMPORTANT FOR YOUR COMPANY
by Marianne Ramolete
Protecting patients’ sensitive healthcare information is a major issue in the United States. Because of this, the United States government implemented HIPAA (the Health Insurance Portability and Accountability Act) in 1996. HIPAA requires that any company handling protected healthcare information put measures in place to protect that information at all costs.
Data security and compliance now play a huge role in the United States, as the country has opted for a much stricter HIPAA law to counter the increasing number of breaches and losses caused by firms’ non-compliance.
In 2012, the United States developed an auditing tool for the compliance of HIPAA- and HITECH-associated companies that monitors healthcare information at every vendor or firm that helps a healthcare provider carry out its operations.
With all that being said, if your business handles electronic healthcare records or medical information, regardless of whether you are a Covered Entity (CE), healthcare provider, health plan, or a HIMBPO (Healthcare Information Management Business Process Outsourcing) firm, strict HIPAA compliance should be a major concern for you.
The fine for HIPAA violations has increased from $25,000 a year to a whopping $1.5 million a year for every violation. Deliberate neglect, ignorance, and failure to be HIPAA compliant may lead to investigations, and penalties can be triggered by any complaint, breach, or exposed violation.
Such violations can be detected through the new Breach Notification rules, which surely increase the number of HIPAA violations classified as breaches. Proper notices can trigger federal investigations leading to fines and penalties.
By September 23, 2013, all Covered Entities, business associates, and firms handling ePHI (Electronic Protected Health Information) were required to have updated their HIPAA policies and all compliance procedures; this involves substantial documentation of policies and procedures pertaining to HIPAA compliance. It also requires that business associates comply with the HIPAA Privacy and Security Rules.
According to an article on the Data Breach Today website, a dermatology clinic in Massachusetts was hit hard with a $150,000 penalty. It was reported that an unencrypted thumb drive containing the information of more than 2,000 patients was stolen and never recovered. The investigation revealed that the firm never fully observed HIPAA compliance procedures. This incident could have been avoided had there been no deficiencies in HIPAA compliance.
Being diligently HIPAA compliant greatly reduces the chances of being listed on the HIPAA “Wall of Shame”. If your company is exposed as a HIPAA violator, the reputational damage your firm faces will be monumental. It may lead to revenue losses not only for the company, but for the industry as a whole.
By April 1st, 2014, Microsoft will no longer support the Windows XP Professional operating system. All HIPAA covered entities and business associates, as well as subcontractors, will need to replace these legacy systems with Windows 7 Professional or a higher Professional operating system to continue to meet the implementation specifications required under the technical safeguards of the HIPAA Security Final Rule. This applies only to HIPAA covered entities.
HIPAA Security requires covered entities to periodically evaluate the effectiveness of the security measures implemented to mitigate, if not eliminate, the risks and vulnerabilities to e-PHI identified by a HIPAA Risk Analysis. Such an evaluation should recommend replacing these legacy systems, because doing so is reasonable and appropriate for risk management. Microsoft is ceasing security updates against the constantly evolving threats we face, which matter especially when systems are connected to the world through an internet service provider (ISP).
WHAT SHOULD YOU DO?
Identify how many Windows XP Professional computers you have in your company and replace them with Windows 7 Professional or a “higher” Professional operating system before April 1st, 2014. The same is true for Windows Server 2003. The replacement is Windows Server 2008, which is supported until the year 2020 (budget for $4000.00 if you are currently using a Windows Server 2003).
HOW CAN DUMATEK HELP?
For over a decade, Dumatek has guided many covered entities and business associates in their HIPAA Security compliance efforts and supplied their computer network needs. A standard “low-cost” Windows 8.1 Professional workstation is available to quickly replace old Windows XP Professional systems. This includes attaching the systems to the pre-existing network and re-establishing the resources the user needs to do his/her job, including the connection of the new computer to the company’s EHR or medical practice management system. This approach allows a covered entity to address the issue in the most cost-effective and expedient manner, and to get a quick review of the status of its HIPAA Security compliance. ($868.00 per system)
Financing options are also available, since for some entities this would be a full overhaul of the company’s computer network infrastructure.
Please contact DUMATEK at 714-460-5508 or DUMATEK - PI at 896-45-88 for more information, or assistance.
Intensity 10: Propelling Healthcare Information Management to Exponential Growth
On November 12, 2013, the Healthcare Information Management Outsourcing Association of the Philippines (HIMOAP) organized the 4th HIMOSC, titled Intensity 10: Propelling Healthcare Information Management to Exponential Growth, with the help of TeamAsia, an award-winning strategic marketing communications firm that develops place, corporate and personal brand strategies, creative concepts, and marketing communications programs incorporating events, public relations, and Web 2.0 tools. It was held at the Intercontinental Hotel, Makati, and was attended by key industry players and providers to discuss issues and trends in healthcare outsourcing.
As a member of HIMOAP, DumaTek-PI was able to participate in the event as an exhibitor. Other entities also participated as exhibitors, such as Cognizant, PLDT SME-Nation, SPi Global, Sky Cable, MediCard, and TeleDevelopment, to name a few. We met important people from banks, from other BPO companies, and from public and private entities that have an interest in the expansion of the outsourcing industry in the country.
The first topic was about Harnessing Opportunities in Healthcare Policies where several regulations and laws such as the Health Insurance Portability and Accountability Act (HIPAA), a DumaTek-PI specialty, and the recently-signed Philippine Universal Healthcare Law were extensively discussed.
The second topic was concentrated on harnessing local talent to meet global standards. The panelists talked about BPOs providing skills training to hone each individual's talents to allow them to respond to global challenges and therefore become globally competitive HIM professionals. Providing attractive careers to healthcare professionals was also discussed in relation to this.
The third topic was centered on the International Classification of Diseases (ICD). According to the World Health Organization (WHO), the ICD is the standard diagnostic tool for epidemiology, health management and clinical purposes. It is primarily used to classify diseases and other health problems recorded on many types of vital records, including death certificates and health records. The ICD is already in its tenth revision, which was endorsed by the Forty-third World Health Assembly in May 1990 and came into use in WHO Member States beginning in 1994. The panelists focused on the effect of ICD 10 on current and future HIM services and on the preparations the Philippine HIM sector is making to keep up with the changes ICD 10 could bring.
Topic number 4 was about the implementation of mobile healthcare in the Philippines. The effectiveness of its implementation is a major concern, which is why the panelists discussed the opportunities such implementations will bring in terms of service, technology and infrastructure and, in a bigger sense, the effect of global trends on the Philippine HIM industry.
The fifth topic was about the HIM industry's success depending on the delivery of highly efficient and reliable services. Best practices in pharmaceutical benefits management, data management, medical transcription, medical coding and billing, revenue cycle management and healthcare IT were presented.
The sixth and last topic was about the future of the Philippine HIM industry. The Everest Group, an advisor to business leaders on the next generation of global services, described the Philippine healthcare information management sector as the country's "hidden jewel", as it is the fastest-growing sector of the Philippine IT-BPM industry.
The information in the above article comes from the notes taken by DumaTek-PI personnel who attended the conference. This article was written to keep DumaTek-PI's clientele up to date with current news.
Are you AWARE?
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted by the US Congress in 1996. It is the single most significant legislation affecting the health care industry since the creation of the Medicare and Medicaid programs in 1965. It provides the ability to transfer and continue health insurance coverage for millions of Americans and their families when they change or lose their jobs; it helps reduce health care fraud and abuse; it mandates industry-wide standards for health care information in electronic billing and other processes; and it requires the protection and confidential handling of protected health information.
Currently, the HIPAA law is divided into 5 titles.
- Title I: HIPAA Health Insurance Reform protects health insurance coverage for workers and their families when they change or lose their jobs.
- Title II: HIPAA Administrative Simplification requires the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
- Title III: HIPAA Tax Related Health Provisions provides for certain deductions for medical insurance, and makes other changes to health insurance law.
- Title IV: Application and Enforcement of Group Health Plan Requirements specifies conditions for group health plans regarding coverage of persons with pre-existing conditions, and modifies continuation of coverage requirements.
- Title V: Revenue Offsets includes provisions related to company-owned life insurance and the treatment of individuals who lose US citizenship for income tax purposes, and repeals the financial institution rule to interest allocation rules.
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). It is described by the head of the Office for Civil Rights (OCR) in the HHS as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." It promotes the adoption and meaningful use of health information technology through electronic health records (EHR) and addresses the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
The HITECH Act stipulates that from 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of EHR. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate such use. The Act also establishes grants for training centers for the personnel required to support a health IT infrastructure.
What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule is a set of final regulations modifying the HIPAA Privacy, Security and Enforcement Rules to implement various provisions of the HITECH Act in 3 specific areas:
- Privacy, Security, and Breach Notification policies and procedures (and in some cases, new workflows and forms);
- Notice of Privacy Practices (NPP); and
- Business Associate (BA) Agreements
The HIPAA Omnibus Rule clears up the grey areas left when HIPAA and the HITECH Act were passed into law.
The information in the above article is not DumaTek-PI property but was compiled from U.S. health sites. This article was written to keep DumaTek-PI's clientele up to date with healthcare news.