Business associates -- who are you?
It’s never too late to learn the actual definition of a business associate (BA) when it comes to HIPAA.
A BA, as defined in HIPAA, means a person who “performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of individually identifiable health information,” according to HHS.
Examples of business associates include:
- Third party administrators
- Pharmacy benefit managers for health plans
- Claims processing or billing companies
- Transcription companies
- Persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information
Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.
November 28, 2009 in HIPAA
HIPAA acknowledgments
Reprinted with permission from HCPro. Please check out their premium monthly newsletter, Briefings on HIPAA (BOH).
Do HIPAA acknowledgments need to be renewed by patients every year? No. The HIPAA privacy rule requires covered entities to obtain an acknowledgment when they first give their notice of privacy practices to patients. Covered entities do not have to reissue the notice or obtain a new acknowledgment on subsequent visits unless there are material (significant) changes to the notice. If there are significant changes to the notice, the covered entity should provide the new notice to patients as they return for care and obtain a new acknowledgment.
Covered entities that are health plans face an additional requirement every three years to notify individuals covered by the plan of the availability of the notice and how to obtain it.
P.S. I’m headed to Phoenix today to speak at the AICPA National Healthcare Conference. Check out my tweets from the conference at www.twitter.com/rtacpa.
September 23, 2009 in HIPAA
Tips to Get Your Business Associates to Comply with HIPAA
Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.
Your business associates (BAs) must comply with the HIPAA Security Rule beginning February 18, 2010. That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Obama on February 17, 2009. If complying with the HIPAA Security Rule sounds like a large task for, say, a small billing and coding company, well, that's because it is. Encryption. Destruction. Firewall protection. There's a lot to it.
And their problem is your problem. After all, it's your patients' information at stake. If your BA is good, you're good. If they're bad, well, just picture the front page of your local newspaper with your facility's name next to the word "breach" in a headline. So where do your BAs begin? Hopefully, they've already started.
Here are eight tips you can share with your BAs to get them ahead of the HIPAA compliance deadline next February:
1. Perform a risk assessment.
Determine your primary vulnerabilities. Identify the biggest threats to the security of your PHI. You need to know where you are before you begin to form your policies and procedures. Check on the last time you had a security assessment, if ever, and start from there.
2. Make your own way.
As a BA, you must understand that you are responsible for your own compliance program, regardless of contract terms with a covered entity. You need to be responsible for your own HIPAA security program. Do not simply accept what is thrown your way; your program should be built on your organization's own unique risks. That's what your risk assessment will reveal.
3. Run a gap analysis on covered entity contracts.
HITECH is new, and existing contracts will probably leave gaps. We haven't been in this world before, so find your gaps and decide what you will do about them. You may want to wait for further regulations before you finalize your contracts. However, start by consulting your legal team. You may need to provide a contract in the future, but under current law the onus now is only on the covered entity.
4. Don't rewrite the entire contract.
The changes to the BA contracts should be minimal. Include a new short statement or paragraph indicating that the BA must now comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule.
5. Add breach notification language to BA contracts.
The language should require the BA to notify the covered entity within five days of a breach. Also add language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals.
6. Add language about the Red Flags Rule.
Covered entities (primarily providers) should consider adding additional language to the BA contract requiring that certain BAs implement identity theft management programs. The Red Flags Rule requires covered entities considered to be creditors by FTC standards to adopt an identity theft prevention program by August 1.
7. Build your breach notification processes.
This is perhaps the biggest change for BAs. BAs must put a policy in writing per the HITECH Act. You need to be able to coordinate this by fall [of 2009] at the latest; this is going to be a big issue for a lot of BAs.
8. Train, train, train.
I’ve seen horrible training in the BA community. Make sure your policies document the need for regular training, along with ongoing awareness communications, and then use effective training content. Just throwing words in front of your personnel is not training.
Get your hands on HIPAA resources, such as training books, e-learning courses, and webinars. Check with your covered entities to see what they have done.
July 20, 2009 in HIPAA
Educate patients on HIPAA rights
Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.
You can change your physician practice’s stance regarding patient education by bringing staff members on board with a plan and being creative with ideas that are relatively painless for them to embrace. Here are a few examples:
- Put a sign on the reception desk saying something similar to, “Do you know your privacy rights? Ask us and we’ll tell you!” Make sure you have plenty of copies of the notice of privacy practices available to give to patients.
- Put posters on the reception area wall and in the patient care area hallways, listing the actions your organization is taking to safeguard and protect PHI, such as:
  “We Care About Your Privacy And Safeguard Your Personal Information! We do this by:
  - Making sure no one has access to your personal information except those who need it to perform their jobs;
  - Following best practice security and privacy practices;
  - Complying with privacy laws such as HIPAA.
  If you have a question about how we protect your information, please ask!”
- Hang posters in patient care areas reminding staff members of privacy practices.
- Include blurbs about information security and privacy in the healthcare statements you send to patients.
- Put magazines about privacy and security in waiting rooms.
July 15, 2009 in HIPAA
Notices of privacy practices
Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.
Do notices of privacy practices (NPP) apply to business associates of a covered entity, such as a billing agency for a physician practice? A covered entity (e.g., a physician practice) issues an NPP to tell patients what information it collects about them, how it will use that information, and what patients’ rights are with respect to their information. The NPP does not provide any specific protection for the physician practice, and it does not apply to business associates, such as a billing agency. However, the covered entity (physician practice) must have a business associate agreement with the billing agency to protect the information the billing agency can access.
June 10, 2009 in HIPAA
Does overhead paging = HIPAA violation?
Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.
So is overhead paging a patient by name back to a clinic or hospital area a HIPAA violation? Well, it depends on whether the name of the clinic or area would reveal anything about the patient’s condition. Paging, “John Jones to report to the HIV Clinic,” would obviously violate his privacy. Paging him to the Medicine Clinic would reveal much less information. A better approach, though, would be to ask the patient to dial a specific extension for more information (e.g., “John Jones, please call extension 2500”) if possible.
All healthcare organizations should attempt to significantly limit the amount of overhead paging that staff members do, both to protect patient privacy and to minimize disruptions to others. Some organizations actually give patients flashing pagers, similar to those used in restaurants, to notify them when to return to treatment areas.
May 16, 2009 in HIPAA
Watch out for HIPAA’s ‘Incidental Uses and Disclosures’
You’ve heard all about HIPAA by now, but did you know that you (at the front desk) could easily be the first line of defense in your office against a potential HIPAA violation? Can you spot the difference between an "incidental disclosure" of protected health information (PHI) and a HIPAA privacy-rule violation? Better yet, can you hear the difference?
You can minimize most incidental uses and disclosures involving paper or electronic forms of PHI by moving medical charts or computer screens out of ready view. More often than not, though, incidental PHI disclosures result from overheard conversations within your office. Conversations are easier to overhear, and overhearing problems are harder to fix, than a physical piece of equipment or documentation that can simply be moved.
Have a look at these four conversations and determine for yourself whether each is a permitted incidental disclosure under HIPAA or an impending privacy violation:
Conversation #1: A patient waiting in an examination room overhears a nurse relaying another patient’s test results to a physician in the next room.
Conversation #2: A patient overhears two staff members making unkind comments about the waist measurement of a patient who’s expecting triplets.
Conversation #3: A patient overhears a conversation between a receptionist and an insurance-company representative during which the receptionist is attempting to secure preauthorization for another patient’s procedure.
Conversation #4: A bartender overhears your medical assistant telling a friend about a famous actor who visited your office today.
April 22, 2009 in HIPAA
HHS Publishes First HITECH HIPAA Guidance
On April 17, 2009, the U.S. Department of Health and Human Services (HHS) published its first guidance under the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act. The HITECH Act amends the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA). This new guidance provides key information to health care providers, health plans, health care clearinghouses and their business associates about the security of protected health information.
April 21, 2009 in HIPAA
HIPAA pitfalls at physician practices
Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.
The following list covers common HIPAA violations seen regularly in physician offices. Check your practice against this list to see if your staff commits the same violations, and if so, address these problems in advance during training:
- Not providing the notice of privacy practices (NPP), even though the practice requires patients to sign a statement indicating they have been provided with, and have read, the NPP.
- Not having documented internal information security and privacy policies for staff members to follow.
- Exposing PHI to anyone within the office facilities (e.g., patient file folders left out on the check-in desk unattended, patient file folders left in the wall pockets outside examination rooms with health information facing out and visible, etc.)
- Healthcare workers calling out the full names of patients in the waiting room or in front of other patients.
- Not obtaining consent from patients to film them and then use the video, or to tape audio with them for marketing purposes.
- Selling prescription information to marketing and pharmaceutical companies, often as an additional revenue stream.
- Not providing any training or ongoing awareness communications, or providing training just once, and never again.
- Insecure disposal of PHI, such as placing unshredded documents in open and publicly available trash bins, in the trash dumpster behind the office building, etc.
- Not documenting or retaining information about PHI changes and access for the required six years.
April 10, 2009 in HIPAA
HIPAA: Children in the office
Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.
What if one of your employees occasionally has one of their children stop by the office, and the child sometimes waits for the employee in his or her office, which contains patient charts? Is this a HIPAA violation? How would this pertain to a physician’s spouse who waits in the physician’s private office where charts could be found?
This should not be a HIPAA violation, if reasonable steps are taken to protect patient privacy. Keeping patient records closed and out of the reach of small children is a good first step. Older children should be educated about patient privacy and the expectation that they will not access confidential information.
March 23, 2009 in HIPAA
