We had a great response to our "HIPAA Risk Assessment: What You Need to Know" webinar last week. In case you missed it, here are the presentation slides and some highlights:
In the run-up to the Sept. 23 deadline for implementing the latest HIPAA updates, we got several requests for information about changes in the HIPAA law. We expected more, however, and wondered whether physicians' practices and other health care organizations are properly up to date on current HIPAA regulations under the 2009 HITECH Act.
Healthcare organizations have been dealing with HIPAA for 17 years, but the law has gone through several updates in that time, including these changes that went into effect in September:
- Covered entities are required to notify patients if there’s a breach of protected health information, or PHI.
- All breaches are now considered reportable unless there’s a low probability of access to PHI, and there are guidelines to determine whether a breach is low probability.
- Physicians may not disclose to insurers any care a patient has paid for out of pocket.
- If physicians want to send marketing communications to patients, they must first receive specific written permission.
- Sale of PHI is strictly prohibited, unless written permission is obtained from the patient.
- Physicians must provide PHI within 30 days of a request, down from the former timeframe of 60 days.
Some have argued that HIPAA isn't heavily enforced, but violations can result in civil and criminal penalties. There have been over 85,000 privacy complaints made under the law since 2003, and 25 percent of those have been investigated and enforced. There have also been 738 security complaints since October of 2009, with 74 percent resulting in corrective action.
The most common HIPAA violations are:
- Impermissible uses and disclosure of PHI.
- Lack of safeguards for PHI.
- Lack of patient access to PHI.
- Uses or disclosures of more than the minimum PHI.
- Lack of administrative safeguards for electronic PHI.
All of these are preventable through proper risk assessment and training. To perform a risk assessment, Logan says there are three options: going it alone, getting help from someone who has been through the process before, or hiring a consultant.
If you missed the webinar and want to learn more, you can watch a video of the full presentation.
Logan Solutions sells Dragon Medical software and a HIPAA risk assessment product, and uses a combination of clinical practice expertise and technological skill to help physician practices throughout the U.S. implement, customize and improve their clinical documentation systems and HIPAA compliance practices. Contact us to find out how our clinical-practice expertise can help your practice with its clinical documentation and HIPAA compliance software and procedural needs.