HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues:

– Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;

– Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;

– Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and

– Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay the $100,000 settlement amount and to carry out a corrective action plan that includes a review of its recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.


Case Settled for $1.5 Million by the HHS over HIPAA Issue with Blue Cross Blue Shield of Tennessee

Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced that Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle a case involving violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). He also indicated that BCBST has agreed to implement a corrective action plan to address the gaps in its HIPAA compliance program. The enforcement action is the first to result from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.

The investigation followed a notice that BCBST submitted to HHS reporting that around 57 unencrypted hardware devices had been stolen from a facility in Tennessee. The devices contained protected health information (PHI) of over 1 million individuals, including names, demographic details, social security numbers, diagnosis codes, health plan details, and dates of birth. OCR’s probe found that BCBST had not performed the security evaluation required in response to operational changes at that facility and had not implemented appropriate administrative safeguards to protect the information stored there, which left the PHI exposed to theft and resulted in a breach of HIPAA compliance. The probe also found that BCBST had failed to implement proper physical safeguards by not having adequate facility access controls. Both administrative and physical safeguards are an integral part of the HIPAA requirements.

OCR Director Leon Rodriguez said that the settlement sends an important message to both healthcare providers and health plans: OCR expects a carefully designed, delivered, and monitored HIPAA compliance program to be in place to avoid violations in the future. He added that the HITECH Breach Notification Rule is a crucial enforcement tool and that OCR will continue to vigorously protect patients’ right to private and secure health information.

Apart from the $1.5 million settlement, the agreement with OCR requires BCBST to review, revise, and maintain its privacy and security policies and procedures. The agreement also requires BCBST to conduct regular, high-quality training of its employees covering their responsibilities under HIPAA, and to perform monitoring reviews to ensure BCBST’s compliance with the corrective action plan.

The HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The HIPAA Security Rule protects all health information in electronic form by requiring covered entities to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure. The HIPAA Privacy Rule gives individuals rights over their PHI and sets rules and limits on who can look at and receive that health information. Together, these two rules form the core of a HIPAA compliance program.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of PHI, or a breach or violation, affecting 500 individuals or more to HHS and the media. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary of HHS on a yearly basis.


90-Day Grace Period Granted by CMS for HIPAA 5010

The Centers for Medicare and Medicaid Services issued the following statement on November 17th regarding its decision to offer a 90-day grace period for enforcement of the HIPAA 5010 transaction sets, which have a compliance date of Jan. 1, 2012:

Today the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS) declared that it might not initiate any enforcement activity until March 31, 2012, regarding any HIPAA covered entity that isn’t in compliance with the ASC X12 Version 5010 (Version 5010), NCPDP Telecom D.0 (NCPDP D.0) and NCPDP Medicaid Subrogation 3.0 (NCPDP 3.0) criteria. Notwithstanding OESS’ discretionary application of its enforcement authority, the compliance date for use of these new criteria stays January 1, 2012 (small health plans have until January 1, 2013 to comply with NCPDP 3.0).

CMS’ Office of E-Health Standards and Services is the U.S. Department of Health and Human Services’ component that enforces compliance with HIPAA transaction and code set standards.

OESS encourages all covered entities to continue working with their trading partners to become compliant with the new HIPAA standards, and to check whether those partners are ready to accept the new standards as of January 1, 2012. OESS will continue to accept complaints related to compliance with the Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period beginning January 1, 2012, though no enforcement action will be taken. If requested by OESS, covered entities that are the subject of complaints (known as “filed-against entities”) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA standards during the 90-day period.

OESS’s decision to allow a discretionary enforcement period is based on industry feedback indicating that, with just 45 days left before the January 1, 2012 compliance date, testing between some covered entities and their trading partners has not yet reached a stage where most covered entities would be able to become compliant by that date. Responses indicate that the number of transactions, the number of submitters and other testing data used to measure the industry’s readiness to comply with the new standards have been low in some sectors. OESS has also received reports that many covered entities are still awaiting software upgrades.

The Version 5010, NCPDP Telecom D.0 and NCPDP Medicaid Subrogation 3.0 standards represent significant improvements over the current standard versions. NCPDP Telecom D.0 addresses certain pharmacy industry needs. NCPDP Medicaid Subrogation 3.0 allows state Medicaid programs to recover payments for pharmacy services in cases where a third party payer has the primary financial responsibility. Version 5010 in particular provides more functionality for transactions such as eligibility requests and health care claim status inquiries. Implementation of Version 5010 is also a prerequisite for using the updated ICD-10-CM diagnosis and ICD-10-PCS inpatient procedure code sets in electronic health care transactions, effective October 1, 2013.


HIPAA Privacy and Security Procedures Audit Program Initiative By OCR

Brief Summary: To ensure that all covered healthcare entities and their business associates comply with the HIPAA Privacy and Security Rules and meet the Breach Notification standards, HHS is required to conduct periodic audits under the American Recovery and Reinvestment Act of 2009 and Section 13411 of the HITECH Act. To carry this out, OCR is putting together a plan to conduct up to 150 audits of covered entities to evaluate their privacy and security compliance. The first set of audits conducted by OCR will start in November 2011 and conclude by December 2012.

Objectives of this plan: The audit program is one of the newer components of OCR’s health information privacy and security compliance program. OCR will use it to gauge the HIPAA compliance of a wide range of healthcare establishments and their business associates, and to discover best practices by identifying risks that might not have surfaced during regular compliance reviews and investigations.

1. Beginning of the audits:

This first audit program is a three-step process. OCR begins by developing the initial audit protocols and then conducts a small initial wave of audits to test those protocols and their implications. The initial audits are expected to start in November 2011, and their outcomes will shape the audits that follow. After this first phase, the protocols are reviewed and revised to better serve the program’s objectives before the next phases of audits are conducted. The final step is to carry out the remaining audits using the revised protocols; under OCR’s plan these are expected to conclude by December 2012.

2. Audits for Covered entities:

All healthcare entities and their business associates that fall under HIPAA regulation are eligible for the audit program. The first phase of audits is intended to provide an analysis that reflects the complex nature of the various kinds of healthcare establishments. OCR, which is responsible for selecting the entities to be audited, will try to cover a wide range of entity sizes and types. This will include individual and organizational health service providers, health insurance companies of various sizes, and healthcare clearinghouses. OCR expects the entities selected for audit to cooperate fully, as required by the HIPAA Enforcement Rule.

Healthcare business associates will be considered in a later phase of audits.

3. The audit plan:

The privacy and security audit procedure will include the general components of a compliance audit. OCR will notify the selected entity and request documentation of its privacy and security compliance efforts. Since this is the initial phase, each audit will involve a site visit followed by an audit report. During the site visit, the auditors will interview key members of the entity’s staff and observe and take note of operations related to privacy and security. After the visit, the auditors will prepare a report describing how the audit was conducted, the findings, and the entity’s response to those findings. The auditors will then share the report with the entity and follow up with discussions to address the identified concerns and agree on solutions to be implemented. The final report is then prepared and submitted to OCR. It will contain all the compliance concerns raised by the audit team and the corrective measures taken by the entity to resolve them, along with recommended better practices for the entity.

4. Time taken for each audit:

OCR will notify the selected covered entities in writing once they have been chosen for the audit program. This letter will provide the audit contractor’s information, describe the audit process and its expectations, and explain the initial documentation and information requests. It will also explain how and when to respond to OCR with the requested information. OCR expects the healthcare entities selected for audit to return the requested information within 10 business days of the request.

The selected entities are normally notified 30 to 90 days before the expected date of the onsite audit. Depending on the size, type, and complexity of the entity and the availability of materials and staff, the onsite audit may take around 3 to 10 business days. Once the onsite audit is complete, the auditor will provide a draft report to the entity, which will then have up to 10 business days to review it and return written comments to the auditor. Once the auditor receives the entity’s comments, the auditor will prepare the final report within 30 business days and submit it to OCR.

5. After the audit:

On submission of the final audit report, OCR will review the findings and the actions taken by the entity to improve compliance. The aggregate results of the audits will help OCR better understand entities’ compliance efforts with respect to particular provisions of the HIPAA rules. OCR will use the reports to assess what kind of technical assistance should be offered, what corrective actions can be developed, and which of them would be most effective. If a report reveals a serious compliance issue, OCR may initiate a compliance review to address it. OCR will not publish a list of the audited entities or any findings of the audits; these audits are intended primarily as a compliance improvement activity.

6. The effect on its consumers:

The audit program is another means by which OCR ensures compliance with HIPAA’s protections for health information, to the benefit of consumers. For instance, the audit program may reveal why many health information breaches are occurring and help OCR develop mechanisms for covered entities to better protect individually identifiable health information. Compliance issues identified and corrected through an OCR audit will help improve the privacy and security of health records. The technical assistance and best practices that OCR publishes will also help covered entities and their business associates improve their efforts to keep health records safe and secure.
