The American Health Information Management Association held its annual convention this week, and HIPAA compliance was among the hot topics. Data privacy and security are the focus of this week's Clinical Documentation News Roundup, with several stories coming out of the AHIMA conference. In addition, new information on the HIPAA omnibus rule defines a business associate, someone who contracts with health care organizations.
- HIPAA Framework Could be Expanded, Privacy Expert Says from Modern Health Care: “The HIPAA privacy and security framework could be broadened as Congress and several federal regulatory agencies outside of healthcare grapple with privacy and security concerns created by mobile and other newer technologies, a Washington, D.C., privacy expert told members of the American Health Information Management Association. ‘There are all kinds of companies gathering all kinds of health information and not having anything to do with HIPAA,’ said Kirk Nahra, a lawyer with Wiley Rein, during a session on ‘Next Generation Privacy and Security Issues’ at the AHIMA convention in Atlanta. Security breaches, both in healthcare and outside with commercial records, and heightened federal attention to cybersecurity as a part of national defense are combining to put a spotlight on the privacy and security of all electronic records, he said.”
- Quick Action Can Mitigate Breach Impacts from Health Data Management: “‘If you haven’t had a breach at your organization, you aren’t looking hard enough because everyone has them.’ That’s the message health attorney Kirk Nahra, a partner at Wiley Rein LLP in Washington, D.C., brought to an education session at the American Health Information Management Association’s annual conference in Atlanta. Walking through components of the revamped HIPAA rules now in effect, Nahra counseled that the single most important thing to do in a breach situation is to act quickly to understand and mitigate effects of the breach to eliminate a realistic chance of risk and be able to avoid public notification. ‘In an extraordinary amount of cases, you can actually fix the problem if you act quickly.’ While covered entities have a year from the Sept. 23, 2013, compliance date to sign new business associate agreements with contractors, Nahra cautioned not to wait--get it done now.”
- Trickle-down Effects of New HIPAA Omnibus BA Definition from Health IT Security: “While much of the attention around the HIPAA Omnibus Rule is focused on the modified standard for breach reporting, another requirement is having a significant operational impact. Prior to the most recent HIPAA changes, a Business Associate (BA) was defined narrowly and many requirements did not extend, practically speaking, beyond the BAs contracting with the healthcare provider to their subcontractors. BAs, which now include subcontractors that previously did not need to be aware of HIPAA requirements, now must follow the entire HIPAA Security Rule, which includes a legal obligation to follow the privacy provisions of a standard Business Associate Agreement (BAA) and the HITECH provisions. HIPAA now mandates that those who “maintain and transmit” protected health information (PHI) on behalf of Covered Entities (CEs) are subject to many of the same rules as the CEs.”
- 5 Things to Know About Omnibus HIPAA Enforcement from GovernmentHealthIT: “The omnibus rule, which kicked in a little over a month ago in September, establishes a new set of expectations and possibilities on the enforcement front. HIPAA provisions now apply to Business Associates, creating new accountabilities for vendors doing business with healthcare, which increases the Office for Civil Rights (OCR) flexibility in pursuing formal action, and provides for an expanded set of subjective criteria for determining fines. It is not likely to dramatically change OCR’s approach to enforcement, however, or the office’s commitment to the protection of patient information through appropriate compliance as the primary goal of its enforcement activities. Indeed, there is plenty to understand about the Final Rule on Privacy & Security, such as sharing responsibility and lifted constraints.”
- From AHIMA: Look Closer at Vendor HIPAA Compliance from Health Data Management: “With stronger HIPAA privacy and security requirements now in effect, health care providers need to ensure that their information technology vendors and their business associates understand and are compliant with the provisions. Larger vendors understand, but many smaller ones may not--and hospitals often contract with small local vendors, particularly shredding firms, notes Nancy Davis, privacy officer at 15-hospital Ministry Health in Milwaukee, serving parts of Wisconsin and Minnesota. And that could cause trouble when the HHS Office for Civil Rights starts auditing business associates as expected in 2014. In an interview at the American Health Information Management Association’s annual conference in Atlanta, Davis noted that she routinely assesses business associate compliance with HIPAA.”