A Long Road to HIPAA Compliance: Privacy and Security Audits

By Laura Gerdes Long

Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was implemented in 2003, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has not conducted a formalized plan for auditing health care providers, insurance plans and other covered entities … until now.

OCR recently announced its pilot program to audit covered entities for privacy and security compliance and says that in 2012 it will conduct up to 150 audits in its effort to ensure that covered entities and their business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification Standards. The OCR website provides useful information about this program and its objectives.

Previously, there was no mandated auditing process as part of HIPAA; reviews of covered entities typically occurred only as complaints were raised by patients or consumers. With the American Recovery and Reinvestment Act of 2009, Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH) amended portions of HIPAA and requires HHS to develop procedures for auditing covered entities to verify compliance with the Privacy Rules and breach notification.

Covered entities need to ensure that their policies and procedures are updated for privacy and security compliance efforts. The entity must be prepared to provide documentation of its procedures, including those for breach notification, and documentation that its key personnel have been trained. Training does not mean simply having a notebook of policies and procedures that no one knows how to use.

According to the OCR website, the timeline is fairly quick, so individuals within the covered entity should be prepared to know what to do upon receiving a written notification that an audit is coming. If a “serious compliance issue” is found, OCR may initiate a compliance review to address the problem.

Of course, OCR will continue to accept complaints from individuals, and covered entities, through their privacy officers, must continue to accept complaints from individuals. The goal of the pilot audit program appears to be to identify best practices and to discover risks and vulnerabilities that have not otherwise come to light through the complaint process.

Covered entities that are prepared will shine, while those that are not prepared will have some explaining to do.

Posted by Attorney Laura Gerdes Long. Long practices in tort, insurance defense, legal malpractice, health care, and employment law. Well-versed in employment law policies and processes related to HIPAA, she serves as a trainer and advisor to health care providers, insurers, self-insured employers, and municipalities.

Supreme Court: Will Five and a Half Hours Be Enough?

By Laura Gerdes Long

Fate of the Patient Protection and Affordable Care Act Lies in Hands of Supreme Court

According to the National Law Journal, the Supreme Court justices granted review in three of the five petitions before them regarding the Patient Protection and Affordable Care Act, all from the 11th Circuit Court of Appeals. That court had struck down the mandate that individuals who can afford health insurance must purchase coverage or pay a penalty.

The Journal article lists the issues on which the Court would hear arguments and the amount of time allotted to each issue, for a total of five and one-half hours.

Oral arguments will be made by the United States Solicitor General, 26 state attorneys general (handled by a single lawyer from a Washington firm), and the National Federation of Independent Business (NFIB).

Typically, Supreme Court oral arguments are scheduled for two hours. Arguments are likely to be held in March.

Undoubtedly, with all of the questions raised by the health care act, five hours will not be sufficient time to answer all of them.


Electronic Health Records: Could Your Practice Be at Risk?

By Laura Gerdes Long

The federal government’s efforts at incentivizing medical providers to use electronic health records (EHRs) may be putting some practices at risk.

In “Electronic Records May Increase Malpractice Lawsuit Risk,” Neil Versel of Information Week refers to a white paper published by the AC Group, a Montgomery, Texas, health IT research and consulting firm. The white paper describes the kinds of risks that medical practices may face if they try to implement EHRs too quickly or without the appropriate vendors.

Even vendors that have been certified by the Office of the National Coordinator for Health Information Technology (ONC) have been found lacking in the area of “medico-legal training.” For example, according to Versel, it has been discovered that ONC certification may not require providers “to check drug orders against laboratory results or take into account social and family medical history in creating alerts,” such as the need for more frequent mammograms for a female patient whose mother has had breast cancer.

Here are just a few other issues that have arisen:

  • Critical safety alerts are being missed due to incomplete medication lists;
  • Problems with time synchronization of records between electronic charting systems; and
  • A high percentage of EHRs do not run drug interaction checks when filling prescriptions.

So to the medical practice community: buyer beware.
