HIPAA


Warning: Medicare on Schedule for 5010 Upgrade

Medicare expects its fee-for-service systems will be tested and fully operational on the X12 5010 standard by January 1, 2011. That’s bad news for health plans that may have been hoping the big payer would run late and create an industry-wide delay.

The upgrade to the HIPAA transaction 5010 standard was announced in tandem with the January 2009 final rule mandating the upgrade to ICD-10-CM and -PCS. The 5010 standard is necessary to support ICD-10.

According to a timeline published in the final rule, by the end of 2010 covered entities should have completed internal testing and be able to send and receive compliant transactions ("level 1" testing). In January 2011 they begin testing with trading partners and move into production (level 2). The compliance date for all covered entities is January 2012, one year in advance of the ICD-10 deadline.

Read more in the current issue of the AHIMA ICD-TEN newsletter.

Employee Fired for Accessing Son’s Records Reinstated

A Wisconsin woman who was fired in September 2008 for accessing her estranged son’s medical records was reinstated last month after an arbitrator deemed the punishment excessive.

After learning her son sought care at the hospital, the woman, a health unit coordinator at St. Francis Hospital for 30 years, accessed his records eight times in one year in hopes of learning his current address or when he was next scheduled for an appointment. The mother acknowledged that her actions were inappropriate, but said she accessed her son’s records to find out whether he was okay after one of his friends was murdered in 2007.

The woman was unable to contact her son because his medical records listed her residence as his home address and listed no appointments. However, after someone saw her son enter a residence, the woman sent him a birthday card to that address. The son, who is in his mid-20s, then filed a complaint with the hospital alleging she must have gotten the address through his confidential medical records, which prompted the investigation and her firing.

Who Has Rights to a Deceased Patient’s Records?

A son calls the HIM department and requests his deceased father’s medical records. Shortly afterward, the man’s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?

Determining appropriate release of a deceased patient’s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person’s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.

The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.

Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.

The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.

HIPAA: 43,691 Complaints and Counting

If you ever wonder what progress the Office for Civil Rights is making as it works its way through HIPAA privacy rule complaints, the numbers are easy to find. Each month OCR reports top-line results of the HIPAA cases it has received and resolved.

OCR has logged approximately 43,700 complaints since the privacy rule went into effect April 14, 2003. It has resolved 86 percent of them, and as of April 30 it had nearly 6,000 cases still on its to-do list.

OCR enforces the HIPAA privacy rule only. Enforcement of the security rule falls to the Centers for Medicare and Medicaid Services. Violations of either rule that involve possible criminal violations are referred to the Department of Justice. Through April 30 of this year, OCR had referred 456 cases to the DOJ and 306 cases to CMS.

Accounting for All Disclosures

Many in healthcare still haven’t made their peace with HIPAA’s accounting of disclosure requirements—the provision under which covered entities, upon request, must provide patients with a record of the entities to whom they have disclosed the patient’s protected health information (PHI). They consider it an undue administrative burden for requests they rarely receive. Now new requirements in the American Recovery and Reinvestment Act have upped the accounting ante.

The law singles out covered entities that maintain PHI in electronic health records, requiring them to account for disclosures of PHI made even for purposes of treatment, payment, and healthcare operations—actions exempted under HIPAA. Under the new law, covered entities must be able to provide disclosures dating back three years from the patient request.

A Good Time for a HIPAA Refresher

Mixed in with the billions of dollars for health IT in the American Recovery and Reinvestment Act are new privacy and security regulations for using it. It’s reminiscent of 1996, when HIPAA mandates on transacting certain health information electronically required accompanying standards for doing so securely.

After the initial trumpet of ARRA’s wake-up call, something of a lull is ensuing. The industry is chewing over the published legislation while waiting on the details that will come in interim rules.

ARRA plays largely off HIPAA, which makes this lull a good time to brush up on the HIPAA security rule. A strong working knowledge of the rule will help organizations interpret and implement the new ARRA provisions. It’s been six years since the final rule was published, and it never did get the kind of attention that the privacy rule received.

AHIMA’s policy and governance team offered an analysis of the HIPAA security final rule upon its publication back in February 2003. The article offers a good place to start.

AHIMA’s Body of Knowledge library is also rich with subsequent articles on interpreting and working with the rule (requires AHIMA member log in). The Department of Health and Human Services offers guidance and links.

When FERPA and HIPAA Collide

A 19-year-old college student uses her university clinic for gynecological visits. Her parents contact the clinic and ask to see her health record in order to find out if she is using birth control. The clinic shares the record with the parents. Did the clinic staff do wrong?

Maybe not.

The behavior would seem to fly in the face of the HIPAA privacy rule, but virtually all public schools and most private and public postsecondary institutions are covered by a different federal law.

The Family Educational Rights and Privacy Act, or FERPA, regulates the privacy of students’ education records. These can include student health records if the institution chooses to classify them as such. The HIPAA privacy rule does not apply to records covered by FERPA.

It’s a complicated intersection of federal law, and the Department of Health and Human Services and the Department of Education have issued guidance to help schools navigate it. See “When FERPA and HIPAA Collide” in the Winter 2009 issue of AHIMA’s Academic Advisor e-newsletter.

Piecing apart ARRA

AHIMA has posted reviews of the American Recovery and Reinvestment Act. The law, previously known as the stimulus bill, allots approximately $19 billion to promote the adoption of health IT. It also introduces significant new privacy and security requirements for healthcare entities.

There are two overviews on the AHIMA site: the first on the general provisions of the legislation and the second specifically dedicated to the privacy provisions.

A third review identifies the reports and other submissions the law requires from the Department of Health and Human Services and other federal agencies, some of which are due beginning next month.

Provisions in the law will be put into effect over the course of the next two years, with regulations, guidance, and reports still to come. AHIMA offers additional analysis and comments on industry matters at its Advocacy and Public Policy Center.

Keeping HIPAA Education Fresh

Get hip with HIPAA.

That’s just one of the taglines attached to Sharp Healthcare’s HIPAA education modules. Photos from the age of hip—the late 1960s and early 1970s—permeate the online HIPAA training modules. Musicians Jimi Hendrix and Bob Dylan and era-TV icons like the Get Smart cast mingle with privacy requirements and confidentiality factoids.

The hip-themed training is just one theme in a series of HIPAA privacy, security, and confidentiality training modules at the San Diego-based facility.

The incorporation of a new theme each year assures that Sharp’s staff of 12,000 employees learn more than how to fall asleep during training, says Paul Belton, RHIA, Sharp’s vice president of corporate compliance and creator of the unique training programs.

“All this is to just try and keep this fresh,” Belton says. “You come up with something that would be tasteful and flavorful to them to [avoid] the dry and boring education modules that are so typical.”

Keeping a facility’s HIPAA education program interesting year after year can be a challenge for privacy officers. They must develop interesting, comprehensive programs that stick for new employees as well as fresh refresher programs for current staff.

Arkansas HIPAA Violator Sentenced

An Arkansas woman who was the first in her state to be prosecuted under the Health Insurance Portability and Accountability Act (HIPAA) was sentenced to probation and community service.

Andrea Smith, a 25-year-old woman from Trumann, AR, was sentenced on December 3, 2008, to two years probation and 100 hours of community service for accessing and disclosing a patient’s health information for personal gain, according to Cherith Beck, public information officer with the United States Attorney for the Eastern District of Arkansas.
