DISCLAIMER: This article should not be taken as legal advice, instead it is a basic introduction to some changes that have been promulgated to the HIPAA/HITECH Acts final rules.
When asked, almost any small practice owner would respond that they don't have to worry about HIPAA compliance because their EMR (the term in vogue for practice management systems) is certified. Most don't even know what the HITECH or Omnibus rules are. If you try to explain, they take it as someone trying to eke out a few bucks from their already over-burdened cash flow.
Well, let's go through a list of items that would actually make a covered entity compliant with HIPAA and related regulatory obligations. This should give one a fair idea of whether merely having a certified EMR suffices to be considered compliant. The following list has been updated to reflect the implications of the recently modified HIPAA/HITECH rules that became effective March 26, 2013; all CEs are required to be compliant by September 23, 2013:
- The very first requirement for HIPAA compliance is to have a Risk Assessment/Analysis study conducted to identify security and privacy vulnerabilities in your business environment, which extends beyond your place of business since almost all systems provide remote and mobile access. Any audit or inquiry will begin by asking you to provide a copy of your risk assessment report. The risk analysis is an ongoing process: you need to proactively monitor your environment for any new or changed risks that you should mitigate.
- The Notice of Privacy Practices (NPP or NOPP) needs to be updated. You probably got a template from somewhere and have been using that. The terms need to be updated with the latest requirements that came into effect this year (2013). You can get some recently updated NPP samples from the websites of the VA, Stanford University Hospitals, etc. and develop yours accordingly.
- Your business associates (BAs) have now become covered entities and you need to update your Business Associate Agreements to cover these requirements. Any agreements signed before the March 23, 2013 effective date can be updated within the next 18 months, but any new BAAs dated after this deadline need to be updated by September 23, 2013.
- Update your policies and procedures, and train your workforce to be aware of the privacy and security requirements. All staff, including higher management, are required to undergo training, be tested, and have this documented at least once annually, as well as at the time of initial employment. The key words here are training, testing and documentation.
- Your computer environment must be protected by a firewall to prevent unauthorized access, anti-virus protection to avoid theft or loss of protected health information, and a backup system to recover within a reasonable time from any disaster.
- Mobile devices are being used more and more to access and update information in EMRs, either locally (on premises) or remotely (off premises). Some protective measures to consider: use complex passwords to access the devices; enable data encryption both during transmission and for local storage (including the local cache); disable file sharing apps; use only secured Wi-Fi connections and never public Wi-Fi hot spots; and enable remote locking and wiping of the devices to guard against lost or stolen devices.
- The Omnibus rule (effective March 26, 2013) disallows transmission of information on specific patient procedures/treatment to health plans if the patient pays out of pocket for that service. Your coding and billing process should be set up to handle such cases.
- Physical access to your facilities should be well controlled to protect against unauthorized access to PHI. In addition, backup copies of your data, hard-copy records, thumb/external hard drives, CDs/DVDs, tapes and other portable storage media should be tracked and properly accounted for. Remember to wipe computers, devices and even your networked copiers/printers before disposing of them, as they may hold PHI that unauthorized persons could access.
- You should be able to produce logs of who logged into your EMR/EHR, when and from where they logged in, and which data or files they accessed. Review these logs periodically and, in case of any discrepancies, record them and take appropriate action based on the violations found.
- Be prepared for disasters, natural and physical failures, and quick recovery to ensure continuous access to patient data.
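As an added illustration of the log review item above (example code written for this article, not part of any EMR product), the script below runs a few simple discrepancy checks over constructed EMR access-log lines: logins outside office hours, logins from outside the practice's own network, and a single user opening an unusual number of charts in one day. The log format, the field names, the office hours, the trusted address range and the chart threshold are all assumptions a practice would replace with its own.

```python
"""Review EMR/EHR access logs for discrepancies worth recording.
The log format, field names and thresholds are assumptions (hypothetical),
and the sample lines are constructed, not real records."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, source IP, action, patient record id
SAMPLE_LOG = """\
timestamp,user,source_ip,action,patient_id
2013-09-10T09:15:00,dr.alice,10.0.0.12,view,P1001
2013-09-10T09:20:00,dr.alice,10.0.0.12,update,P1001
2013-09-10T23:45:00,front.desk,10.0.0.30,view,P1002
2013-09-11T10:05:00,dr.bob,203.0.113.9,view,P1003
2013-09-11T10:06:00,billing1,10.0.0.40,view,P1004
2013-09-11T10:06:10,billing1,10.0.0.40,view,P1005
2013-09-11T10:06:20,billing1,10.0.0.40,view,P1006
2013-09-11T10:06:30,billing1,10.0.0.40,view,P1007
"""

# Assumed review policy: office hours, the practice's own on-premises address
# range, and how many distinct charts one user may open per day before review.
OFFICE_HOURS = (8, 18)           # 08:00 to 18:00 local time (assumption)
TRUSTED_PREFIXES = ("10.0.0.",)  # on-premises network (assumption)
MAX_DISTINCT_PATIENTS_PER_DAY = 3  # threshold (assumption)

def review_access_log(text):
    """Return a list of (finding, user, detail) tuples for the reviewer to record."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> set of patient ids opened
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, ip = row["user"], row["source_ip"]
        if not OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]:
            findings.append(("after_hours", user, row["timestamp"]))
        if not ip.startswith(TRUSTED_PREFIXES):
            findings.append(("untrusted_source", user, ip))
        per_user_day[(user, ts.date())].add(row["patient_id"])
    # Bulk access is judged per user per day once the whole log has been read
    for (user, day), patients in per_user_day.items():
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append(("bulk_access", user, f"{len(patients)} charts on {day}"))
    return findings

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(*finding)
```

Each finding is a starting point for the reviewer to investigate and document, not a verdict; a clinician covering an after-hours emergency will legitimately trip the first check.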