Read The Advisor articles

Click here to print a copy of The Advisor

More…

See Prior TMC Compliance Newsletters

Read The Advisor articles

Click here to print a copy of The Advisor

 More…

See Prior TMC Compliance Newsletters

Read The Advisor articles

Click here to print a copy of The Advisor

More…

See Prior TMC Compliance Newsletters

Read The Advisor articles

Click here to print a copy of The Advisor

More…

See Prior TMC Compliance Newsletters

The HIPAA requirement has been in effect for 5 years, the MU regulation is relatively new. If you are in compliance with the HIPAA Security Rule, you will meet the Risk Analysis requirement for MU.

OCR (Office for Civil Rights) has already conducted some audits of healthcare organizations as a result of a breach where the circumstances reported seemed to indicate that adequate technical and administrative precautions were not in place. In 2012 programmed audits will begin to look at overall compliance of organizations selected.

Obtaining specific input from an IT Professional is a critical piece of your annual Risk Assessment.

Practices must depend on their Information Technology (IT) professionals to perform the technical review for the areas or systems they service. Your IT professional may be on your staff if you have a large practice and/or may be one or more vendors or companies who provide help on a continuing basis.

• You may use an IT company that handles your PC’s, servers and system integration maintenance.
• You may also use a practice management system that is maintained and serviced by the vendor who installed it.
• You may have an IT person on staff as well.
• Almost always there are multiple players who support your technology environment whether large or small.

Ask all of your IT professionals for a Risk Assessment on the system they provide or service to help you meet the technical part of the analysis. The vendor must be knowledgeable on HIPAA as well as meaningful use regulations. Be sure they address the HIPAA requirement for a violation, and vulnerability as it relates to a breach. (You can have a breach without being in violation of the HIPAA Security Rule.) They can then tell you the issues and discuss with you the possible solutions, which need to be documented as well.

Few system environments, if any, will be absolutely secure. You just need to understand the issues and risks so you can make an informed management decision as to the type of corrective action or protective steps to take.

As the manager, you can and must ask your IT professional specific critical questions that will prompt the appropriate review by them. The ultimate responsibility of compliance with all of the regulations rests with the practice so you must know and document the specifics. General comments that your systems are compliant are not sufficient to meet this test.

The TMC HIPAA Annual Risk Analysis document includes those critical questions that must be answered for the manager. You want to be sure any system you own, run or purchase keeps you compliant with regulations. The IT person should know the HIPAA requirements and be able to vouch for the system they are providing.

The IT professional that provides your general service- fixing technical problems, integrating systems and processes, etc.- must be prepared to proactively alert you to issues you may never even know exist. Examples: (1) You have a scanner and fax machine that retains all data on a hard drive that is not encrypted and cannot be encrypted.  (2) When you ship a server to be repaired there is a risk because the data is not encrypted. (3) The system you are about to purchase cannot be encrypted. (4) The thumb drives in use are not encrypted and cannot be. (5) Your wireless system in place can be easily accessed and potentially could expose your patient data.

You can then make informed management decisions as to what must be corrected and what cannot be corrected immediately. Then you must take extra precautions to reduce the risk in some other way.

Total Medical Compliance can provide the assistance you need to ask the right questions, document the information as required by regulation, determine the level of risk by working with you and your IT professional and help you formulate management solutions.

Working with IT professionals that understand the technology that is acceptable under HIPAA is the other critical element. Be sure your IT professional has a deep understanding of HIPAA and the latest HITECH requirements. Do they have a written program in place for their organization? This is a requirement under the new regulations. See the TMC Business Partners page on our website to see those companies with HIPAA Programs provided by TMC. www.TotalMedicalCompliance.com.

Don’t wait until you have a breach or you receive notice from OCR that you have been selected for an audit. Waiting could be costly for your practice.

Read more in the September issue of the TMC Advisor, a monthly compliance newsletter.

Read The Advisor articles

Click here to print a copy of The Advisor

More…

See Prior TMC Compliance Newsletters

Read The Advisor articles

Click here to print a copy of The Advisor

More…

See Prior TMC Compliance Newsletters

PRICE: $0 – Limited Time Only!

 Total Medical Compliance is a Preferred Partner of the South Carolina Medical Association.


Topics Covered In This Session

Objectives:

1. Discuss the new breach regulations

2. Explain the documentation process for an inappropriate access or release (incident).

3. Explain the process to complete a Breach Risk Analysis.

4. Describe the breach reporting process

5. Be able to assess when you need to contact an attorney

6. Recall the penalties and enforcement actions outlined in the HITCH rules

7. Identify the relationship between HIPAA Breach and State Identity Theft Laws.

Instructor: Debra Gordick

Presented by TMC’s Debra Gordick, an expert in the rules and regulations of HIPAA. She was instrumental in the development of the TMC HIPAA program and assists TMC clients daily with questions and issues on HIPAA. She has again met the needs of our clients by creating this informative and timely Webinar.

Debra is the Director of Operations for TMC working with TMC clients, consultants and partners.

Attendance & Cancellation

Cancellations received within 10 days of the seminar date may transfer their registration to another date. No refunds will be provided.

Cancellations prior to the last 10 days will be eligible to receive a full refund.

Total Medical Compliance is an ADA CERP Recognized Provider.

ADA CERP is a service of the American Dental Association to assist dental professionals in identifying quality providers of continuing education. ADA CERP does not approve or endorse individual courses or instructors, nor does it imply acceptance of credit hours by boards of dentistry.

  ]]> http://www.totalmedicalcompliance.com/all-products/hitech-act-changes-hipaa-for-healthcare-%e2%80%93-breach-business-associates-enforcement-and-others/feed/ 0 http://www.totalmedicalcompliance.com/latest-news/infection-control-basics-healthcare/ http://www.totalmedicalcompliance.com/latest-news/infection-control-basics-healthcare/#comments Sat, 02 Jul 2011 03:18:08 +0000 lawelles http://www.totalmedicalcompliance.com/?p=3734 I was recently very excited to learn of the CDC release entitled Guide to Infection Prevention in Outpatient Settings. Since a large portion of my time is spent in infection prevention I am always looking for new and updated information to share in order to help practices provide a safer patient encounter. Just to clarify, the out-patient setting in this document refers to all delivery systems in the medical community in which the patients do not remain overnight with the exception of dialysis centers. While this document’s focus is on the medical environment, it certainly can apply to the dental environment as well. But, keep in mind, dental practices have Guidelines for Infection Control in Dental Health Care Settings, a very clearly outlined set of infection control standards which were published by the CDC in 2003.

So pen in hand, ready to take notes, I dug in and was surprised to find the document is a review of the most current CDC and Heathcare Infection Control Practices Advisory Committee (HICPAC) recommendations published in 2007. So, while the information is not new it is vastly important. The focus of the document if I could sum it up in a few words is: let’s all get back to basics.

You may be surprised to note the following facts:

• More than three quarters of all operations in the US are delivered in an out-patient setting
• Most individuals will visit their physician practice on average three times each year
• Physician office visits approached one billion annually in 2007

When you add all these facts together and understand that in most out-patient environments infection control resources are not at the same level as those provided in the in-patient environment, reminders about infection control basics are of utmost importance.

Changing the Culture

Infection prevention is not simply a list of tasks, provision of appropriate equipment, and policies and procedures. We will review the most important elements and while all are necessary, there must be a culture in the organization of patient safety. From leadership to volunteers each must be committed to improved patient outcomes and also a safe environment for employees, protecting them from transfer of infection.

Basic Principle #1 – Implement Administrative Controls

• Development of policies and procedures addressing infection control needs. These documents should support the types of services provided by the facility. Areas of need may include: hand hygiene, employee immunization status, appropriate use of PPE, surface disinfection, sterilization, and last but not least post exposure management.
• Availability of supplies including hand-hygiene products, PPE, surface disinfection products, safety needles/devices, and sterilization supplies (wraps, pouches, chemical indicators, spore test).
• Assigned individual to monitor infection control compliance who is on-site the majority of the time. The ideal candidate would have training in infection control principles. This is a requirement in the State of North Carolina and for all Medicare Certified Ambulatory Surgery Centers and additionally in the state of South Carolina, if providing sedation.

Basic Principle #2 – Provide Education and Training

• All staff members should be reminded frequently of the need for stellar infection control procedures. This can be handled through monthly staff meetings, informational posters placed in prominent areas as reminders, and on an annual basis with other compliance training. TMC newsletters are a great source of infection control information. To review past editions of the newsletter sign in using your user name and password and select Newsletters.
• Task specific training for employees as well as contract labor and volunteers is recommended.
• Competency documentation is critical for high risk tasks such as operation of the autoclave or spore testing.

Basic Principle #3 – Enforce the Appropriate Use of PPE

• Accessibility of PPE to include gloves, face protection and if indicated protective gowns.
• Employee education on the appropriate use is not only important from an infection control standpoint it is required in the Bloodborne Pathogen standard on an annual basis (1910.1030(2)(vii)F).
• A surgical mask should be utilized when injecting or placing a catheter in the epidural or subdural space.

Basic Principle #4 – Focus on Injection Safety

• Use aseptic technique when preparing and administering medications. Always cleanse the diaphragms of medication vials/IV access ports with a sterile alcohol pad prior to access.
• Single use vials should be utilized whenever possible.
• When using multi-dose vials, ensure a sterile needle/syringe is utilized each time the vial is accessed.
• Never administer medication from a single syringe to multiple patients.
• Fluid infusion and administration sets should be utilized for one patient only.

Basic Principle #5 – Monitor and Report

• Collection and evaluation of data related to infection prevention is indicated to improve overall function of the facility. Information may include patient infection rates, hand hygiene compliance, and spore test results.
• All local, state, and federal reporting requirements must be met to include reporting of diagnosed communicable diseases.

This has been but a brief review of some of the concepts clearly outlined in the most recent CDC publication. Download the new CDC Guide to Infection Prevention in Outpatient Settings.

TMC also offers infection control training in both the seminar and webinar format. See the latest training schedules and register in the TMC store, or you may call us at 888.862.6742.

Infection control is critical to the success of your organization and to the safety of patients who literally trust you with their lives. The resources outlined here will help you create a safe environment for employees and patients if you will go back to basics!

By Karen Gregory, RN
Director of Compliance & Education
Total Medical Compliance

Proposed regulations to implement the Accounting of Disclosures changes mandated by the HITECH Act of 2009 have been published by the Department of Health and Human Services.

HHS adds a new patient right to HIPAA regulations

As is usual with HHS regulations to implement HITECH changes, there are some surprises.  HHS added a new Right to an Access Report which they determined was necessary to comply with the HITECH direction on Accounting of Disclosures for the patient to know of disclosures for purposes of treatment, payment and operations. Access by workforce members of practices and business associates must be included in the access report under the new regulations in addition to access by outsiders.

HHS also extends the Right to an Access to any electronic designated record set, not just access to PHI in an electronic medical record (EMR). You may have multiple electronic systems that house PHI – billing systems, patient management systems, EMR, etc. – acquired at different times. This would create a situation where you would be required to produce access reports for some but not all systems in 2013. HHS encourages all practices to prepare for implementation of all systems by January 1, 2013 to avoid patient confusion.

The Access Report will need to identify the person accessing the data, when, action the user took in the system and the data accessed if available. The purpose of the access is not a required part of the report. Additionally it applies solely to electronic information access, not access to paper records. Generally it requires information that can be produced by the systems.

Accounting of Disclosure VS Access Reports

Account of Disclosure Reports cover both paper and electronic information and require the inclusion of more detailed information on the report.

Compliance date was extended for some parts as allowed by HITECH

Practices with electronic medical record (EMR) systems acquired after January 1, 2009 are required to produce the new access reports and disclosure reports by January 1, 2013, extending the time from January 1, 2011. If your system was acquired before 2009, the January 1, 2014 date remains the same.

But don’t think this allows you extra time. You must be able to produce a report on data for the previous 3 years which means you need to have been accumulating data on disclosures AND accesses since January 1, 2010. HHS says; “Covered entities and business associates should already be logging access to electronic PHI and should have the ability to generate access reports now pursuant to other requirements of the Security Rule.” Basically the extra time is to develop the capability to aggregate data from multiple sources and access logs.

HHS is asking for comments on the industry capability to produce access reports across all systems by this date. The possibility of some breathing room on this exists but I would not wait to begin by counting on that. It will be much better to be able to produce reports and not have to than the reverse.

Can you produce access reports today for any access to any electronic patient information? Does every system record every access? If unsure talk with your IT team or system providers.

The proposed regulations were published in the Federal Register May 31, 2011.

How can you get the details about what this means?

TMC has just begun the analysis of this proposed regulation. We will publish more detailed information over the coming days and weeks in multiple instructional documents. Check the website HIPAA Information page and the Latest News for these documents. TMC webinars will cover this proposed new material as well.

Even though this is a proposed regulation, most requirements will be implemented as written. Where there is uncertainty, HHS asks for guidance in the document.

TMC clients will receive procedural and policy inclusions for their HIPAA Manuals as usual along with recommended terminology changes and timing for the Notice of Privacy Practices document, updates the Business Associate Agreements if necessary and training material to ensure employees are aware of this required reporting.

Download the HIPAA Accounting of Disclosures Proposed Regulations

• Five Major Changes to Accounting of Disclosure – Proposed Regulations Published
• Accounting of Disclosure Report Changes
• CE & BA Action Now & Later for Accounting of Disclosures
• Proposed Regulations Add New Patient Right To Access Report