
February Advisor 2012

The latest TMC newsletter contains articles on Reporting Breaches to Health & Human Services, Radiation Dental Manual Updates for NC Clients, Compliance Resolutions to Keep for 2012 and Medical Infection Control Attendees-Important Notice!



Annual Risk Assessment Requires Input From Your IT Professional

Both the HIPAA Security Rule and Meaningful Use (MU) regulations require a practice to conduct an annual Risk Analysis, take corrective action on the issues identified, and document both the analysis and the corrective action (system changes as well as procedures). The Annual Risk Analysis has a technical element and a managerial element.

The HIPAA requirement has been in effect for 5 years; the MU regulation is relatively new. If you are in compliance with the HIPAA Security Rule, you will meet the Risk Analysis requirement for MU.

OCR (Office for Civil Rights) has already audited some healthcare organizations following a breach where the circumstances reported indicated that adequate technical and administrative precautions were not in place. In 2012, programmed audits will begin to examine the overall compliance of selected organizations.

Obtaining specific input from an IT Professional is a critical piece of your annual Risk Assessment.

Practices must depend on their Information Technology (IT) professionals to perform the technical review for the areas or systems they service. Your IT professional may be on your staff if you have a large practice, and/or may be one or more vendors or companies who provide help on a continuing basis.

  • You may use an IT company that handles your PC’s, servers and system integration maintenance.
  • You may also use a practice management system that is maintained and serviced by the vendor who installed it.
  • You may have an IT person on staff as well.
  • Almost always there are multiple players who support your technology environment whether large or small.

Ask all of your IT professionals for a Risk Assessment of the system they provide or service to help you meet the technical part of the analysis. The vendor must be knowledgeable about HIPAA as well as the Meaningful Use regulations. Be sure they address both what constitutes a HIPAA violation and what constitutes a vulnerability as it relates to a breach. (You can have a breach without being in violation of the HIPAA Security Rule.) They can then tell you the issues and discuss the possible solutions with you, which must be documented as well.

Few system environments, if any, will be absolutely secure. You just need to understand the issues and risks so you can make an informed management decision as to the type of corrective action or protective steps to take.

As the manager, you can and must ask your IT professional specific, critical questions that will prompt the appropriate review by them. The ultimate responsibility for compliance with all of the regulations rests with the practice, so you must know and document the specifics. General statements that your systems are compliant are not sufficient to meet this test.

The TMC HIPAA Annual Risk Analysis document includes those critical questions that must be answered for the manager. You want to be sure any system you own, run or purchase keeps you compliant with regulations. The IT person should know the HIPAA requirements and be able to vouch for the system they are providing.

The IT professional that provides your general service (fixing technical problems, integrating systems and processes, etc.) must be prepared to proactively alert you to issues you may never even know exist. Examples: (1) You have a scanner and fax machine that retains all data on a hard drive that is not encrypted and cannot be encrypted. (2) When you ship a server to be repaired there is a risk because the data is not encrypted. (3) The system you are about to purchase cannot be encrypted. (4) The thumb drives in use are not encrypted and cannot be. (5) Your wireless system can be easily accessed and could potentially expose your patient data.

You can then make informed management decisions as to what must be corrected and what cannot be corrected immediately. For anything that cannot be corrected immediately, you must take extra precautions to reduce the risk in some other way.

Total Medical Compliance can provide the assistance you need to ask the right questions, document the information as required by regulation, determine the level of risk by working with you and your IT professional and help you formulate management solutions.

Working with IT professionals who understand the technology that is acceptable under HIPAA is the other critical element. Be sure your IT professional has a deep understanding of HIPAA and the latest HITECH requirements. Do they have a written program in place for their organization? This is a requirement under the new regulations. See the TMC Business Partners page on our website to see those companies with HIPAA Programs provided by TMC: www.TotalMedicalCompliance.com.

Don’t wait until you have a breach or you receive notice from OCR that you have been selected for an audit. Waiting could be costly for your practice.

Read more in the September issue of the TMC Advisor, a monthly compliance newsletter.


Getting Back to Infection Control Basics – Five Basic Principles

I was recently very excited to learn of the CDC release entitled Guide to Infection Prevention in Outpatient Settings. Since a large portion of my time is spent in infection prevention, I am always looking for new and updated information to share in order to help practices provide a safer patient encounter. Just to clarify, the outpatient setting in this document refers to all delivery systems in the medical community in which the patients do not remain overnight, with the exception of dialysis centers. While this document’s focus is on the medical environment, it certainly can apply to the dental environment as well. But keep in mind that dental practices have Guidelines for Infection Control in Dental Health Care Settings, a very clearly outlined set of infection control standards published by the CDC in 2003.


HIPAA Accounting of Disclosures Proposed Regulations Published

UPDATED JULY 25, 2011

Proposed regulations to implement the Accounting of Disclosures changes mandated by the HITECH Act of 2009 have been published by the Department of Health and Human Services.

HHS adds a new patient right to HIPAA regulations

As is usual with HHS regulations to implement HITECH changes, there are some surprises. HHS added a new Right to an Access Report, which it determined was necessary to comply with the HITECH direction on Accounting of Disclosures: the patient must be able to learn of disclosures for purposes of treatment, payment and operations. Under the new regulations, access by workforce members of practices and business associates must be included in the access report, in addition to access by outsiders.


Health Care Compliance And Medical Emergency Training

Joining Forces in North Carolina

My CPR Pros LLC and Total Medical Compliance are pleased to announce a partner arrangement in the field of health care. The two companies will partner to provide turnkey medical compliance and medical emergency training solutions to medical and dental practices throughout the Southeast and Mid-Atlantic regions of the United States.


CELEBRATE OUR NEW WEBSITE LAUNCH WITH US

TMC is conducting a series of no-cost webinars on a number of compliance topics to help you better understand the most recent regulation changes and what they mean to your practice or business. Each webinar is only one hour, yet will provide a great deal of timely and important compliance information to get you up to speed with the recent changes.

Compliance information and programs specific to healthcare practices are our business, and we understand how confusing the laws and regulations can be. In the last few years there have been many new regulations as the efforts to reduce fraud, improve patient outcomes and automate healthcare records escalate. All of these initiatives have generated significant changes for practices along the way.


Is Spring Cleaning A Compliance Strategy?

By Karen Gregory, RN, Director of Compliance and Education for Total Medical Compliance.

Today I sit looking out my office window thinking about the snow we had this past winter. It seems winter was long and very unusual this year. Even the coast of our fair state (NC) received some of the white flakes. I must admit I long for the day I can throw open the windows and just air out my little space, otherwise known at our house as “spring cleaning”.

But what does spring cleaning have to do with compliance? At each of the Infection Control/SPICE seminars I present, I have attendees go through an activity. I will challenge each of you now, as I do those attending the seminar: the next time you enter your office, walk in the front door as a patient, a potential new employee or even an OSHA inspector would. Now ask yourselves the following questions:


Infectious Waste Disposal in South Carolina

Infectious Waste Disposal – pdf 

Every practice that generates infectious waste must register with the South Carolina Department of Health and Environmental Control (DHEC). You must renew your registration every three years [R.61-105.F(3)]. In 2010 the regulations were updated by SC, and those updates do impact small quantity generators. Read more about the requirements and access the new regulations and guidance.


GINA Regulations Prohibit Collecting Genetic Information

GINA Regulations – pdf

The Genetic Information Nondiscrimination Act (GINA) of 2008 deals with the collection and use of genetic information, primarily by employers and health insurance companies. The Equal Employment Opportunity Commission (“EEOC”) published the final regulations related to GINA in late 2010, with an effective date of January 10, 2011.

Medical practices are impacted both as employers and as a source of genetic information provided to other employers (from company-sponsored physicals) and to insurance companies.


Red Flag Clarification Excludes Most Healthcare Practices

Red Flag Clarification – pdf

The Red Flag Program Clarification Act of 2010 was signed into law by President Obama on December 18, 2010, after having been passed by both the Senate and the House of Representatives. This Act clarifies the definition of creditor. Under the updated definition of “creditor”, most physician and dental practices will not be classified as creditors, and thereby will no longer have to comply with the Red Flags Rule.


OSHA Modifies the Hazard Communication Standard

OSHA Modifies HazCom – pdf

OSHA expects to publish the final regulations on the Hazard Communication Standard modifications in August 2011. The impact will be felt by all healthcare providers, as OSHA requires modification of all HCS policies and plans, MSDS manuals and chemical labels, and mandates employee training to accommodate the changes. Practices will need to update most, if not all, MSDS, redesign all secondary labels and teach employees how to read both.


Who Is A Business Associate?

Who Is A Business Associate – pdf

Health and Human Services (HHS) published guidance on Business Associates multiple times from 2002 to 2010. The Business Associate information has been extracted from these publications and is provided to assist practices in deciding who is and is not a business associate, the responsibility of the practice for the actions of a Business Associate, the need for and purpose of a contract, and what Business Associates must do to comply with the regulations.

The documents include the HIPAA regulations, the Guidance documents of 2002 and 2005, the 2010 Guidance, the July 14, 2010 NPRM on comments and decisions by HHS, the HHS Q&A on its website, OCR rulings on complaints received from patients that set a precedent for future rulings, the 2009 HITECH Act, and the HHS regulations on Breach and Enforcement published as required by HITECH.

A sample list of who is and is not a Business Associate is provided to assist practices with this decision.


Infection Control Manual

INFECTION CONTROL MANUAL Coming Soon