One of the biggest data privacy acts got a lot of attention this past week as committees, think thanks and even a state supreme court reviewed HIPAA's specifics and oversights. The verdict? It's too much of a burden, or it's not being enforced correctly, or it simply needs an overhaul. It all depends on who you ask.
This week's Clinical Documentation News Roundup brings you the latest on HIPAA and medical data privacy from this week's news.
- HIPAA Burdensome to Big Data Healthcare Efforts, BPC Says from FierceHealthIT: “The Health Insurance Portability and Accountability Act is ‘misunderstood, misapplied and over-applied’ to the point of being burdensome to the sharing of patient information for improved care, according to a report published this week by the Bipartisan Policy Center. The report--based on a policy forum held last June that focused on the potential of big data in healthcare--says that while HIPAA specifies how data should be de-identified, too much variability exists in the execution of anonymization. ‘Seeking consent from patients to use their data for clinical trials or observational research can help mitigate concerns about privacy, but there is evidence that using "opt-in" or "opt-out" patient data results in bias,’ the report's authors write."
- HIPAA Disclosures Rule Revamp Endorsed from GovInfoSecurity: “The Department of Health and Human Services should make several revisions in its long-delayed plans for a revamp of the HIPAA accounting of disclosures rule and conduct pilot tests before implementing a final rule, an advisory committee recommends. At its Dec. 4 meeting, the Health IT Policy Committee endorsed the recommendations of its Privacy and Security Tiger Team regarding guidelines for disclosing access to patients' electronic health records. Those include: Taking an incremental approach to implementing the requirements; initially focusing on disclosures of records to those outside of a covered entity; greatly scaling back plans for providing patients with detailed access reports, providing them only if patients request investigations into suspected inappropriate access; conducting technology pilots before a rule is finalized by HHS' Office for Civil Rights.”
- Small Healthcare Providers Digging Through HIPAA Paperwork from HealthITSecurity: “Nearly three months after the Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) began enforcement of the HIPAA Omnibus Rule, compliance has been a mere formality for many large healthcare organizations. But how are smaller providers handling the vast amount of paperwork that’s involved with the changes to the HIPAA Omnibus Rule? Eileen Elliott, partner at the Vermont-based law firm Dunkiel Saunders, works with a mix of healthcare providers, business associates (BAs) and subcontractors that have varying connections to HIPAA. There’s little doubt, according to Elliott, that bigger organizations with more resources had a leg up on smaller providers when HIPAA omnibus was initially announced. ‘The larger the institution and the more familiar it is with business associate (BA) responsibilities and privacy and security and encryption, the more aware it is of its revised responsibilities since the rule was issued earlier this year, and therefore the more prepared and compliant it is,' Elliott said."
- Tennessee Supreme Court Dismisses Lawsuit on HIPAA Compliance Failure from Inside Counsel: “Last week, the Tennessee Supreme Court completely dismissed one woman’s lawsuit because she failed to comply with HIPAA’s medical release requirements. According to the Supreme Court decision filed on November 25, Christine Stevens filed the suit after the 2010 death of her husband, Mark Stevens, who had looked for treatment at the Hickman Community Hospital emergency room. Interestingly, there was a big difference between how the Tennessee trial judge and the state Supreme Court Justice Sharon G. Lee, who wrote for the majority, viewed Christine Stevens’ responsibility in providing a HIPAA-compliant release to the defendant, Hickman Community Health Care Services. The trial court said that Stevens was excused from offering the release because of ‘extraordinary circumstances.’ Meanwhile, the Supreme Court said that a medical release requirement provides a means for the defendant to evaluate the merits of a plaintiff’s claim by giving the defendant early access to a plaintiff’s medical records.”
- OCR Not Fully Enforcing HIPAA from FierceHealthIT: “The Office for Civil Rights, the agency that enforces privacy provisions of HIPAA, has not fully enforced the law's requirements, according to a report from the U.S. Department of Health & Human Services Office of Inspector General. OCR has not conducted the required audits of covered entities to determine how they handle patient information and has failed to maintain documentation to support key decisions, according to the report. In addition, it says OCR has focused on interoperability in systems to process and store information to the detriment of system and data security. It criticizes the agency for not completing privacy impact assessments, risk analyses or system security plans for two of the three systems used to oversee the Security Rule."
Logan Solutions uses a combination of clinical practice expertise and technological skill to help physician practices throughout the U.S. implement, customize and improve their ERM and Dragon Medical software systems. Contact us to find out how our clinical-practice expertise can help your practice with its clinical documentation software needs.