Do you know the HIPAA monitoring rules?

Don't look now, but HIPAA has some regulatory teeth. On second thought, please do review the following to make sure you're in compliance and not asking for sanctions.

As you may recall, April 21, 2005, was the go-live date for implementing the Health Insurance Portability and Accountability Act (HIPAA) for most providers. Included in the regulation is the requirement that each covered entity monitor its compliance with the Act. The new Enforcement Rule gives the Office for Civil Rights the authority to investigate complaints, to require corrective action, and to levy penalties. The bottom line to remember is that HIPAA compliance is not a one-time event.

But first a disclaimer: This article is not intended to be legal advice, but rather the author's interpretation and understanding of the current HIPAA Security and Enforcement Rules. Facilities should always review compliance issues with competent legal counsel. (Also, see "A Road Map to HIPAA Compliance," May 2004, p. 65, for additional background and a glossary.)

Who Is Responsible?

HIPAA places the responsibility for compliance on the covered entity, not the individual worker. It is the organization's responsibility to safeguard electronic protected health information (EPHI). Administrators can delegate the authority to conduct HIPAA compliance assessment, monitoring, and corrective actions, but cannot delegate the responsibility for achieving compliance.

Changes

Two major changes to the HIPAA regulatory environment occurred last year: The Centers for Medicare & Medicaid Services (CMS) issued the HIPAA Administrative Simplification: Enforcement Final Rule (February 16, 2006, 45 FR 8390), and the HIPAA Security Guidance for Remote Use of and Access to Electronic Health Information (December 28, 2006). HIPAA now has regulatory "teeth" as well as guidance regarding off-site access to your facility's EPHI. Your organization's compliance plan must now account for these requirements, building on its past plans. Nothing has been removed from the HIPAA requirements--if anything, because of recent high-profile losses of federal data, scrutiny has increased.

Approaches to Compliance Review

An annual focused review of the organization's HIPAA compliance is an appropriate measure to improve compliance and to show good-faith effort. In addition, whenever new software or hardware is put into service, a risk assessment of the affected processes and systems is needed.
The scope and complexity (and cost) of compliance monitoring is expected to vary according to the covered entity's size and complexity. However, all providers must show good-faith efforts to comply with HIPAA standards. Four elements are needed to monitor HIPAA compliance:

1. Designated person. This may be the administrator, deputy, health information specialist, privacy officer, or other person who reports to the administrator. This position will require dedicated time that must be budgeted for.

2. Knowledge of the HIPAA requirements. The Department of Health and Human Services (HHS) and CMS have produced extensive educational materials to assist providers. Nursing homes, home care providers, health information professionals, and trade associations have developed checklists and training offerings for members. Private training firms may also offer training. Appropriate budget must be dedicated to ensure that the responsible people have the information to do their job. The HHS and CMS materials are free, as are many of the association and state offerings.

3. A plan. CMS has developed a HIPAA Security Rule paper, "Basics of Risk Analysis and Risk Management," that forms the outline of an initial plan. However, each covered entity must adapt a plan to its own unique circumstances. The plan developed for implementation a year ago may just need to be reviewed and updated. Or it may be better to simply start over.

4. Action. The plan must be carried out and documented, and corrective actions implemented and enforced.
It may also be useful to have an outside review of HIPAA security compliance. This can be by arrangement with sister covered entities; i.e., one nursing home compliance officer reviewing the practices of another home, with reciprocity. Of course, private consultants are available from various sources.

Considerations for Post-Acute and Long-Term Care

The Security Standards were written to apply to the whole continuum of healthcare entities that create, maintain, or transmit EPHI. Nursing homes and home care agencies are in the continuum but have needs that are different from those of hospitals and ambulatory care settings. Most nursing homes and home care agencies get their computer support from third-party vendors. Vendors and systems vary greatly in their ability to comply with HIPAA requirements. Providers must evaluate systems concerning their own compliance, demand assurances of compliance from outside elements the provider cannot evaluate, and monitor the ongoing use of their systems to ensure that the protections are used by staff and are effective. In short, policies must be developed, trained, and enforced.

New areas of emphasis that must be considered in revising Security compliance plans are:

Remote access. HHS has growing concern about systems that can be accessed remotely.
CMS stresses that in situations involving the remote use of and access to EPHI, covered entities must make reasonable efforts to ensure that any such use or access is authorized and limited, as required by the HIPAA Security Rule. Facility staff who access EPHI remotely must be trained in and use appropriate procedures to safeguard the EPHI. Requiring the use of secure communications for this should be considered, as should prohibiting access from public terminals.

Again, most nursing homes rely on third-party vendors for their software. The common practice of allowing a vendor's programmer to dial into a system containing EPHI should be evaluated through formal risk analysis. The vendor can be set up as a business associate, with the usual certifications of compliance with HIPAA practices. In any event, the confidentiality, integrity, and availability of EPHI must be maintained. Vendor programmers should not be able to change EPHI or access information not needed to perform their system maintenance function. All wireless access points must be protected by strong encryption and viable passwords.

Portable devices. The growing use of portable devices to access, store, and transport EPHI produces evolving challenges. Theft of laptops, PDAs, home computers, and the like can compromise EPHI. Risk analysis must be performed, followed by policy development, training, and enforcement, regarding these devices. The business case for allowing the use of portable devices should be evaluated against the risks. In many cases the risks can be mitigated through the use of strong passwords to protect laptop boot, laptop hard disk access, storage device access, and similar access points. Laptop computers have provisions for physical locks to make theft more difficult (that little slot on the back or side can be locked to a cable device). Some laptops promoted for healthcare uses require a keypad password to access the boot process, and some have biometric devices built in. The need for or appropriateness of any technique should be determined through your risk analysis and planning process.

The benefits of portable devices can be extensive. Thoughtful security measures can make them safe. Therefore, include portable devices and remote access in your Security assessment.

Conclusion

Protecting EPHI is a core organizational competency in today's world. We all long for the time when we could leave our doors unlocked and the keys in the ignition. Those days are gone. IT security has fallen victim to the same societal changes. Start living in today's real world.

David M. Oatway, RN, MPH, is a long-term care IT consultant based in Key West, Florida. To send your comments to the author and editors, e-mail oatway0307@nursinghomesmagazine.com.

BY DAVID M. OATWAY, RN, MPH

RELATED ARTICLE: Resources

Readers may download an official copy of the Final Rule for reference: www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

Frequently asked questions (FAQs) about HIPAA: www.hhs.gov/ocr/hipaa/assist.html

HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information: www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf

Educational material for compliance with the Security Rule: www.cms.hhs.gov/EducationMaterials/Downloads/Basics.pdf

The National Institute of Standards and Technology (NIST) has an excellent document, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, available for download. This is the gold standard for HIPAA security for federally covered entities. It can serve as an excellent guide for private efforts: http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf

NIST has many resources dealing with many aspects of electronic security, from electronic signature standards to standards for use of radio frequency identification (RFID) devices. The CMS Web site also has several Med Learn articles.
The author is glad to e-mail copies of the cited documents upon request and would appreciate any case studies or anecdotes of approaches that worked for you, and issues that had to be addressed. We may use them in future articles.

--David M. Oatway, RN, MPH

RELATED ARTICLE: Sanctions

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations. HHS considers the right of privacy of medical records as a fundamental civil right. Enforcement activities include:

* responding to state requests for exception determinations
* investigating complaints and conducting compliance reviews
* responding to events that suggest compromise of HIPAA requirements
* where voluntary compliance cannot be achieved, seeking civil monetary penalties and working with the Department of Justice (DOJ) in seeking criminal prosecution

To try to put more teeth into the civil penalties, OCR will be enforcing the civil side and the DOJ will enforce the criminal side. Civil penalties are not more than $100 for each violation and not more than $25,000 for all violations of identical type during a single calendar year. Improperly obtaining or disclosing individual health information or improper use of unique health identifiers is subject to the following penalties:

Offense                       Fine       Prison
Knowingly                     $50,000    1 year
False Pretenses               $100,000   5 years
For Profit, Gain, or Harm     $250,000   10 years
--David M. Oatway, RN, MPH