
In Health and Safety in the USA, how HIPAA smart are you!

As a supervisor in the United States, or as a COMPANY, have you explained FULLY to your employees the HEALTH part of Safety and how HIPAA plays a big part in your safety program? A little clarity, no problem: Employee A hurts himself at work, is now injured and needs medical assistance or correction. His HIPAA-protected data may be restricted, so how did you as a company protect it under the new HIPAA rules? So let me ask you again: DID YOU FULLY EXPLAIN to the WORKER his or her rights under HIPAA?

HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short, educational videos (in English, with an option for Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.

·        Individual’s Right under HIPAA to Access their Health Information

·        HIPAA Access Associated Fees and Timing

·        HIPAA Access and Third Parties

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

What is HIPAA Compliance

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). This guidance assists such entities, including cloud services providers (CSPs), in understanding their HIPAA obligations.

Cloud computing takes many forms. This guidance focuses on cloud resources offered by a CSP that is an entity legally separate from the covered entity or business associate considering the use of its services. CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from mere data storage to complete software solutions (e.g., an electronic medical record system), platforms to simplify the ability of application developers to create new products, and entire computing infrastructure for software programmers to deploy and test programs. Common cloud services are on-demand internet access to computing (e.g., networks, servers, storage, applications) services. We encourage covered entities and business associates seeking information about types of cloud computing services and technical arrangement options to consult a resource offered by the National Institute of Standards and Technology: SP 800-145, The NIST Definition of Cloud Computing – PDF.[1]

The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) establish important protections for individually identifiable health information (called protected health information or PHI when created, received, maintained, or transmitted by a HIPAA covered entity or business associate), including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals’ rights with respect to their health information. Covered entities and business associates must comply with the applicable provisions of the HIPAA Rules. A covered entity is a health plan, a health care clearinghouse, or a health care provider who conducts certain billing and payment related transactions electronically. A business associate is an entity or person, other than a member of the workforce of a covered entity, that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. A business associate also is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

Paying attention yet? Not yet? Well, consider this: $750,000 settlement highlights the need for HIPAA business associate agreements

Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to execute a business associate agreement prior to turning over the PHI of 17,300 individuals to a potential business partner. Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area. The settlement includes a monetary payment of $750,000 and a robust corrective action plan.

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

HIPAA regulates “covered entities.”

Covered entities include:

·        Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.

·        Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.

·        Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

What Information Is Protected

·        Information your doctors, nurses, and other health care providers put in your medical record

·        Conversations your doctor has about your care or treatment with nurses and others

·        Information about you in your health insurer’s computer system

·        Billing information about you at your clinic

·        Most other health information about you held by those who must follow these laws

How This Information Is Protected

·        Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

·        Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.

·        Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:

·        Your Health Information, Your Rights! – PDF

HIPAA General Fact Sheets

·        Your Health Information Privacy Rights – PDF

·        Privacy, Security, and Electronic Health Records – PDF

·        Understanding the HIPAA Notice – PDF

·        Sharing Health Information with Family Members and Friends – PDF

As of January 17th, 2013, HIPAA regulations have had a massive update and overhaul to protect patients. The new laws more extensively hold second- and third-party businesses responsible for keeping Protected Health Information (PHI) private. The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) adopted the HIPAA Omnibus Rule as an overhaul and update to the USA’s existing volumes of HIPAA law and HITECH law. The Final Rule, or final HIPAA Omnibus Rule (78 Fed. Reg. 5566), makes some important modifications to HIPAA as we know it. They are required to begin functioning within your workplace beginning March 26, 2013.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

·        Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims

·        Companies that help administer health plans

·        People like outside lawyers, accountants, and IT specialists

·        Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.

All healthcare facilities must comply with these guidelines and have written proof that they are doing so! The employees at these healthcare facilities must be fully trained and compliant on a daily basis. This includes:

·        Healthcare Facilities

·        Clinics

·        Employees handling PHI, ePHI & EHR (Protected Health Info, electronic PHI, Electronic Health Records)

·        IT technicians that maintain healthcare-related internet websites

As of March 2013 there are new HIPAA laws called the Omnibus Rules or the Final Rule. The Omnibus Rule made a complete overhaul of the existing HIPAA laws in an effort to reduce identity theft emanating from within healthcare facilities. The Omnibus Rules are 580 pages in length.

HIPAA Complaints and Investigations

If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.

OCR has investigated and resolved over 24,331 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate, which may include settling with the entity in lieu of imposing a civil money penalty. To date, OCR has settled 37 such cases resulting in a total dollar amount of $39,989,200.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

In another 11,055 cases, our investigations found no violation had occurred.

Additionally, in 14,535 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.

In the rest of our completed cases (82,521), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:

·        OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;

·        The complaint is untimely, or withdrawn by the filer;

·        The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

·        Impermissible uses and disclosures of protected health information;

·        Lack of safeguards of protected health information;

·        Lack of patient access to their protected health information;

·        Use or disclosure of more than the minimum necessary protected health information; and

·        Lack of administrative safeguards of electronic protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

·        Private Practices;

·        General Hospitals;

·        Outpatient Facilities;

·        Pharmacies; and

·        Health Plans (group health plans and health insurance issuers).

Terry Penney
