Archive for the ‘HIPAA compliance’ tag
5 Reasons Healthcare is Self-Assessing Its HIPAA Compliance
By Peter Cizik
Judging by the number of calls we’re getting, many organizations affected by HIPAA are taking a serious, renewed look at their HIPAA compliance posture. Maybe you should too. Likely reasons include:
- The continued stream of data breach stories (too many to list in our latest HIPAA Flash e-Newsletter)
- OCR audits are now fully ramped up
- The requirement to attest to HIPAA compliance under the Meaningful Use incentive program
- State Attorneys General are being trained to audit for HIPAA compliance, and many see fines as a new ‘income’ source for their state
- The visibility of recent breaches, and the time and money it takes to deal with them
I don’t have to remind anyone reading this that healthcare is a highly regulated industry, and it’s not going to get any less regulated. HIPAA is “low hanging fruit” from a compliance standpoint, as long as you treat it with the seriousness it deserves. Get your documentation ducks in a row and train your staff.
I didn’t say it would be easy—it does take time to get the proper documentation in place and actually follow it. You already have to train employees on other topics annually—add HIPAA to the list. Don’t view it as a “check-off” item—make sure the content really meets your needs, is current and updated, and tie it to what you do internally to manage HIPAA compliance.
One size does not fit all. The people calling us today had training in place, but violations were still occurring. The programs were too long (staff couldn’t be persuaded to take them), were not up to date, were too generic (didn’t incorporate organization-specific information), the person delivering them was too busy to keep up, or all of the above.
Do yourself a favor—make sure your organization is as prepared as possible. We’re all staring at the looming ICD–10 transition in 2013—the last thing you need is to be distracted with HIPAA violations and breaches. BridgeFront has the tools and resources to help you each step of the way.
Visit our website for more information about our HIPAA compliance products and services. You can also contact us directly by emailing info@bridgefront.com or call (866) 447-2211.
What to Expect When OCR Knocks on Your Door for a HIPAA Audit
By Kent Lane
You get the OCR audit notification letter and the panic begins. You are one of the ‘unlucky’ providers or health plans to be audited as part of the OCR’s HIPAA HITECH audit program; what do you do first?
During & After the Audit
The OCR website details each step of the new HITECH audit program, including a timeline of events. Below are five critical steps:
- Required documentation of your privacy and security compliance efforts (see below for more information)
- On-site interviews with key personnel, and observation of processes and operations to help determine compliance
- Following the site visit, the auditors develop a draft report and share it with the entity
- Before the report is finalized, the covered entity has the opportunity to discuss concerns and describe corrective actions already implemented to address the issues identified
- The final report submitted to OCR incorporates the steps the entity has taken to resolve any compliance issues identified by the audit, and describes any best practices observed at the entity
Documentation Must Include Policies, Procedures & Training
In accordance with HIPAA regulations, all Covered Entities and Business Associates must institute and document their policies, procedures, and practices, including initial and refresher staff training, to protect the privacy and security of protected health information (PHI).
Your training must address privacy and security regulations:
- Privacy training must include all elements of the federal, state and organization privacy regulations
- Security training should cover topics such as the use of virus protection software to prevent or lessen the threat of malicious software; login and password management; and how to recognize and respond to security incidents
- The training should also include your organizational security policies and procedures
BridgeFront HIPAA Online Training
We offer simple to use, cost effective online training and guides. Training is easily modified to include your policies and procedures. We guarantee our training and guides will pass your audit.
For more information on our HIPAA training and education, visit us at www.bridgefront.com or contact us directly. Send an email to info@bridgefront.com or call (866) 447-2211.
Everyday HIPAA Violations You Could Be Making Now

By Kent Lane
Over the past 10 years of visiting clinics and hospitals, for business or personal reasons, our consultants find it hard not to notice HIPAA compliance practices, and most of the time they’re surprised by what they see. The question on their minds is, “Who will be the next data breach victim?” Below are some common HIPAA violation scenarios drawn from our experience and from a recent Physicians Practice article.
Lack of new hire and refresher staff education
The first violation noted is usually a lack of staff education. Current HIPAA Privacy and Security regulations require that:
• Everyone in your organization is trained on HIPAA
• Annual refresher training is provided
• Training is documented
• Your Business Associates are trained
We see everything from “no training” to “word of mouth training.” Education is the first thing auditors will look for when conducting compliance audits.
Bulletin boards identifying patient information
Upon walking into a clinic, Judy Norman was greeted by a beautiful bulletin board that welcomed new patients to the practice, identifying the patient by their full name and town. Patient names and addresses are protected health information under HIPAA and may not be shared in this manner without authorization from the patient.
Announcing patient names
In most practices, patients are called up in the waiting room by their full names in front of everyone. Using first names only is recommended. Also refrain from conversations in the lobby such as, “How is your knee feeling?”
The check-in process
The check-in process for patients often leaves much to be desired in terms of privacy. Consider this common interaction at a doctor’s office:
Staff: What’s your birth date?
Me: March 5, 1990
Staff: Is your name Ericka Adler?
Me: Yes
Staff: Is your address still ___________?
Me: Yes
Staff: Are you still with Blue Cross Blue Shield?
Me: Yes
In this one conversation, overheard by everyone in the waiting room, the staff member reveals information that is protected health information under HIPAA and that could be used for identity theft. The exchange is unnecessary and inappropriate. Waiting patients should be kept far enough from the reception desk that they cannot overhear check-in conversations. In addition, the amount of information reviewed verbally should be minimized: ask whether anything has changed, or have the patient review their private information on a screen to confirm its accuracy.
Patient charts in plain view
Pete Johnson is sitting in a room waiting for his physician. He sees another patient’s chart sitting on the desk in plain view. Then, as he is paying his bill at the receptionist’s desk after his visit, he sees additional charts in plain view that identify a patient’s name, address and other information without the need to even open the chart.
Jennifer Cortez brings her daughter to a practice for a procedure, and in the procedure room a large mounted screen displays the scheduled procedures for the day: every patient’s full name and date of birth, the time of the procedure, the assigned physician, and the service being provided. This is a blatant disclosure of protected health information.
Patient names and addresses are protected health information under HIPAA and should not be readily accessible or in plain view of other patients.
Protected health information and social media
An OB/GYN practice client ran into trouble when its receptionist recognized a woman from her neighborhood who came in for STD testing. The receptionist promptly posted a gleeful message on Facebook regarding the patient’s medical issue after tracking down the test results, and common acquaintances on Facebook became privy to this confidential information.
Improper access to patient information by office staff and dissemination of these details using social media are significant challenges that must be addressed.
Use these scenarios as part of your next group discussion
Since you’re reading this, you probably understand the importance of patient privacy and security and the consequences when violations occur. However, does your organization share your expertise? Consider sharing these scenarios in your next staff meeting or group discussion. This activity and annual training will enable them to gain expertise and competency on HIPAA privacy and security, keeping your organization safe from violations and penalties.
For more information on HIPAA training and education, visit us at www.bridgefront.com or contact us directly. Send an email to info@bridgefront.com or call (866) 447-2211.
6 Steps to Survive a Visit from the New HIPAA Sheriffs
There are two new ‘HIPAA sheriffs’ in town, both ready to monitor and audit your HIPAA compliance practices. Under the 2009 HITECH Act, State Attorneys General (AGs) now have authority to enforce HIPAA, and OCR has contracted the firm KPMG to assess healthcare organizations’ HIPAA compliance practices through its audit program.
Steps to Survive a HIPAA Audit
In preparing for a visit from your State AG or a HITECH auditor, BridgeFront and the OCR recommend these steps:
1. Implement an annual employee training program
2. Document your patient information safeguards
3. Review your privacy and security policies and procedures
4. Implement those policies and procedures vigilantly
5. Conduct regular internal audits and risk assessments
6. Maintain a prompt action plan for responding to data breach incidents
OCR Announces State Attorney General HIPAA Authority
This spring, the OCR announced its new HIPAA training program for State Attorneys General (AGs). Under the 2009 HITECH Act, AGs now have the authority to bring civil actions on behalf of state residents for HIPAA violations.
“Most state AGs are elected into office…which means there is more pressure to pursue HIPAA violations, particularly if there’s a ‘good story’ behind the data breach. They want to be seen as protecting the little guy,” says Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP.
HITECH Auditors Set to Begin
Last week, the Department of Health and Human Services (HHS) awarded a $9.2 million contract to the consulting firm KPMG to launch the HIPAA audit program mandated by the HITECH Act. HHS will work with KPMG to roll out the program in three phases, starting later this year, says Susan McAndrew, OCR’s deputy director for health information privacy.
“This is just another opportunity for covered entities to take a moment for a self-assessment,” McAndrew says. “This will help them down the road in terms of building their own capacity for a robust compliance program…”
In a recent BridgeFront compliance study more than 60% of participants indicated they use online education as part of their compliance program.
BridgeFront is the leading provider of compliance online education. Visit us on the web for a free course trial at www.bridgefront.com/trial or contact us directly. Send an email to info@bridgefront.com or call (866) 447-2211.
HIT Alert: New Term to Watch for, Data Liquidity
By Peter N. Cizik, CEO of BridgeFront
Let’s talk about the new term, “data liquidity.” No—it’s not some new physics concept. For those of you in health information technology, it’s a term you may begin to hear.
As the industry lurches forward trying to connect the many unique health information systems (EHRs, CPOE, eRx, disease registries, HIEs, etc.), there is a push to standardize and streamline information, so all the systems can talk to each other.
Hence—make data more “liquid” so it can easily flow from one system to the other. This is clearly a necessary step to realize the goals of increased patient safety, better population health, and decreased health system cost.
One huge hurdle that has yet to be cleared is the privacy and security controls needed to prevent the unintended consequences of all this “open access.” As data becomes more liquid, the potential consequences of a breach grow sharply, since the volume of data flowing through the entire system is considerably higher and a single compromised connection can expose records from many sources.
At this point, I don’t think anyone has the “right” solution; both sides are passionately arguing their position. On the surface, fully integrated systems that allow the free flow of information sound like the absolute right answer. What makes privacy advocates cringe are the unintended consequences and potential abuse that could occur if information falls into the wrong hands.
They argue that people need to have the power to restrict where their information flows. I don’t have the answer—but you should be aware of the issue and get involved in the debate.
If your organization needs help with HIPAA compliance, BridgeFront is your number one resource. We can step in, initiate a compliance program, or move the process along; we can also take a back seat and simply support your staff during the process.
Our consultants are experts in both HIPAA Privacy and Security regulations. We can quickly assess your organization’s level of compliance and help you develop a plan to eliminate any risks. We offer HIPAA risk assessments, certification, and consulting services.
Get started by downloading a free HIPAA compliance self-assessment. Then, learn more by visiting us online or contacting us directly. Call (866) 447-2211 or send an email to info(at)bridgefront.com.
3 Reasons to Visit BridgeFront at the 2011 HCCA National Conference
Next week we are flying to sunny Orlando for the 2011 Health Care Compliance Association (HCCA) Compliance Institute, which takes place April 10-13. We’re excited about our debut appearance at the conference in booth number 109. Here are three reasons you should be excited too:
#1 Live Demonstrations of Our New Mobile Learning Platform
Did you know that 2011 was dubbed ‘the year of mobile?’ Mobile learning is catching on like wildfire and BridgeFront is one of the first e-learning providers to offer it. Don’t miss a glimpse at the future of e-learning by joining us for a 5-minute demonstration of the new mobile learning platform. Learn first-hand about the evolving world of e-learning.
#2 Chance to Win a SmartPen
Stop by and enter our drawing for a chance to win a SmartPen—this product is a great learning tool which converts written notes and audio into text, right on your own computer. This tool is ideal for seminars, conference sessions, workplace meetings, and much more.
#3 Meet BridgeFront Face-to-Face
BridgeFront team members Tamara Wanamaker and Chelsey Slack will be in booth number 109 ready to meet you and answer your questions. We are also attending the afternoon “speed networking” session on Sunday, April 10—it’s like speed dating, but for attendees and exhibitors to network.
The 2011 HCCA Compliance Institute, the nation’s largest compliance conference, is expecting more than 2,000 attendees. Here are some of the topics covered in the educational sessions: long-term care, privacy and security, physician compliance, legal and regulatory, auditing and monitoring, and quality of care. Learn more about the conference by visiting www.compliance-institute.org.
BridgeFront offers compliance online education, written compliance guides, template policies and procedures, and risk assessment services. Since 2002, BridgeFront has served more than 10,000 organizations with its educational services. Learn more about BridgeFront’s compliance education by visiting www.bridgefront.com.
Why You Should Care About HIPAA Risk Assessments
By Peter N. Cizik, CEO of BridgeFront
If you don’t know what you don’t know, then what? How’s that for a little riddle at the beginning of the New Year?
We’ve been working with several Regional Extension Centers across the country trying to decipher how to structure our new Meaningful Use education in a way that is most helpful for providers. One area that’s obvious is education on how to perform a HIPAA risk assessment, since that is one of the core measures of the Meaningful Use criteria. OK – go ahead and roll your eyes – here we go again! Many provider practices hear this and say: “We’re fine!” “We already did this years ago.” “My Office Manager took care of it.”
However, if someone walked into your office today and said, “Show me written evidence of a risk assessment,” could you do it? You may be just fine, but if you can’t produce it and show that it’s reasonably current, then you don’t meet the test of HIPAA compliance. By the way, wherever I refer to providers, read Business Associate as well; all of these rules apply to you too!
Here’s the real reason you should care – a proper risk assessment will do several things:
1. Validate that any controls that have been implemented are actually working.
2. Identify areas that lack controls that should have something implemented.
3. Provide an audit trail documenting that each area of risk identified within the HIPAA regulations has been analyzed and addressed.
You now know what you don’t know – and can do something about it.
Things can still go haywire and result in a breach, but with written evidence of a risk assessment you can show that you’ve applied “reasonable” effort to prevent it. That is the goal. BridgeFront is developing a course to help organizations perform their own risk assessment. We hope this will demystify the whole process for those who’ve never formally completed one or those that should do it again. Now, this is not a “one off” event. You need to periodically refresh the assessment to make sure what you thought you knew… is still accurate.
Happy New Year everyone!
HIPAA, Healthcare Reform, Meaningful Use. What Does That Mean For Me?
Whether you agree with the goals of healthcare reform and the way it’s being implemented or not – one thing we all can agree on is that it’s creating concern, confusion and most of all – change. Much of that ‘change’ has yet to unfold, but several components are here.
The HITECH Act in 2009 brought additional regulations around tracking and reporting breaches, while significantly increasing the responsibilities of Business Associates. This reporting requirement is causing a significant increase in the number of reported breaches.
Breaches have always been a problem, but now a bright light is shining on the issue (e.g. WikiLeaks), and it shows us how widespread the problem has become. I also still think the number of breaches is under-reported; many organizations just don’t have the controls in place to detect them. I can’t tell you how many times I hear stories of documents containing PHI being emailed unencrypted.
Now, we have the HIPAA compliance requirement as part of the ‘Meaningful Use’ rules. For those of you who don’t swim in these waters: providers that meet certain requirements are eligible to receive up to $44,000 if they implement an Electronic Health Record (EHR) system and meet certain ‘Meaningful Use’ measures. One of those measures is demonstrating compliance with HIPAA.
This is not just a ‘feature’ in an EHR; HIPAA compliance is a combination of people, process and technology. The EHR technology is just one of the three legs of the stool. Contact BridgeFront if you want help with the other two legs – people and process.
Learn more about BridgeFront’s HIPAA compliance education or contact us directly for more information.
You can also sign-up to receive our quarterly HIPAA e-newsletter.
Answer to the Most Common HIPAA HITECH Question
Are new business associate agreements needed with the coming HITECH deadline?
This is probably the most common question I get asked these days. There are two camps of thought.
- Many business associate agreements are written with “evergreen” language that automatically incorporates any future changes to the HIPAA regulations. So you could argue that the HITECH changes are incorporated by reference. While technically accurate, I think that’s a risky path to take.
- Contracts tend to be relied on when things go wrong, such as when there is a breach of PHI. In that situation, both parties are better served if the agreement lays out specifically what should occur and where the responsibilities lie. If it’s gray, you’ll spend precious time arguing over who should do what and who should pay for it. Better to have that debate now, before the unpredictable happens.
Having the agreement discussion has the positive side effect of forcing both organizations to consider the potential risks and liabilities of a breach and to take proactive steps to minimize that risk in the first place, which is a good thing for everyone.
For specific information concerning the upcoming HIPAA changes, here are a few resources:
To report a breach to the HHS, go to: http://transparency.cit.nih.gov/breach/index.cfm.
Learn about our HIPAA training and learning services by going to: www.hipaarx.net.
Please send questions and comments to info@hipaarx.net or call 866.447.2211.