HIPAA


HIPAA: 43,691 Complaints and Counting

If you ever wonder what progress the Office for Civil Rights is making as it works its way through HIPAA privacy rule complaints, the numbers are easy to find. Each month OCR reports top-line results of the HIPAA cases it has received and resolved.

OCR has logged approximately 43,700 complaints since the privacy rule went into effect April 14, 2003. It has resolved 86 percent of them, and as of April 30 it had nearly 6,000 cases still on its to-do list.

OCR enforces the HIPAA privacy rule only. Enforcement of the security rule falls to the Centers for Medicare and Medicaid Services. Violations of either rule that involve possible criminal violations are referred to the Department of Justice. Through April 30 of this year, OCR had referred 456 cases to the DOJ and 306 cases to CMS. (more…)

Accounting for All Disclosures

Many in healthcare still haven’t made their peace with HIPAA’s accounting of disclosure requirements—the provision under which covered entities, upon request, must provide patients with a record of the entities to whom they have disclosed the patient’s protected health information (PHI). They consider it an undue administrative burden for requests they rarely receive. Now new requirements in the American Recovery and Reinvestment Act have upped the accounting ante.

The law singles out covered entities that maintain PHI in electronic health records, requiring them to account for disclosures of PHI made even for purposes of treatment, payment, and healthcare operations—actions exempted under HIPAA. Under the new law, covered entities must be able to provide disclosures dating back three years from the patient request. (more…)

A Good Time for a HIPAA Refresher

Mixed in with the billions of dollars for health IT in the American Recovery and Reinvestment Act are new privacy and security regulations for using it. It’s reminiscent of 1996, when HIPAA mandates on transacting certain health information electronically required accompanying standards for doing so securely.

After the initial trumpet of ARRA’s wake-up call, something of a lull is ensuing. The industry is chewing over the published legislation while waiting on the details that will come in interim rules.

ARRA plays largely off HIPAA, which makes this lull a good time to brush up on the HIPAA security rule. A strong working knowledge of the rule will help organizations interpret and implement the new ARRA provisions. It’s been six years since the final rule was published, and it never did get the kind of attention that the privacy rule received.

AHIMA’s policy and governance team offered an analysis of the HIPAA security final rule upon its publication back in February 2003. The article offers a good place to start.

AHIMA’s Body of Knowledge library is also rich with subsequent articles on interpreting and working with the rule (requires AHIMA member login). The Department of Health and Human Services offers guidance and links.

When FERPA and HIPAA Collide

A 19-year-old college student uses her university clinic for gynecological visits. Her parents contact the clinic and ask to see her health record in order to find out if she is using birth control. The clinic shares the record with the parents. Did the clinic staff do wrong?

Maybe not.

The behavior would seem to fly in the face of the HIPAA privacy rule, but virtually all public schools and most private and public postsecondary institutions are covered by a different federal law.

The Family Educational Rights and Privacy Act, or FERPA, regulates the privacy of students’ education records. These can include student health records if the institution chooses to classify them as such. The HIPAA privacy rule does not apply to records covered by FERPA.

It’s a complicated intersection of federal law, and the Department of Health and Human Services and the Department of Education have issued guidance to help schools navigate it. See “When FERPA and HIPAA Collide” in the Winter 2009 issue of AHIMA’s Academic Advisor e-newsletter.

Piecing apart ARRA

AHIMA has posted reviews of the American Recovery and Reinvestment Act. The law, previously known as the stimulus bill, allots approximately $19 billion to promote the adoption of health IT. It also introduces significant new privacy and security requirements for healthcare entities.

There are two overviews on the AHIMA site: the first on the general provisions of the legislation and the second specifically dedicated to the privacy provisions.

A third review identifies the reports and other submissions the law requires from the Department of Health and Human Services and other federal agencies, some of which are due beginning next month.

Provisions in the law will be put into effect over the course of the next two years, with regulations, guidance, and reports still to come. AHIMA offers additional analysis and comments on industry matters at its Advocacy and Public Policy Center.

Keeping HIPAA Education Fresh

Get hip with HIPAA.

That’s just one of the taglines attached to Sharp Healthcare’s HIPAA education modules. Photos from the age of hip—the late 1960s and early 1970s—permeate the online HIPAA training modules. Musicians Jimi Hendrix and Bob Dylan and era-TV icons like the Get Smart cast mingle with privacy requirements and confidentiality factoids.

The hip-themed training is just one theme in a series of HIPAA privacy, security, and confidentiality training modules at the San Diego-based facility.

The incorporation of a new theme each year assures that Sharp’s staff of 12,000 employees learn more than how to fall asleep during training, says Paul Belton, RHIA, Sharp’s vice president of corporate compliance and creator of the unique training programs.

“All this is to just try and keep this fresh,” Belton says. “You come up with something that would be tasteful and flavorful to them to [avoid] the dry and boring education modules that are so typical.”

Keeping a facility’s HIPAA education program interesting year after year can be a challenge for privacy officers. They must develop interesting, comprehensive programs that stick for new employees as well as fresh refresher programs for current staff. (more…)

Arkansas HIPAA Violator Sentenced

An Arkansas woman who was the first in her state to be prosecuted under the Health Insurance Portability and Accountability Act (HIPAA) was sentenced to probation and community service.

Andrea Smith, a 25-year-old woman from Trumann, AR, was sentenced on December 3, 2008, to two years’ probation and 100 hours of community service for accessing and disclosing a patient’s health information for personal gain, according to Cherith Beck, public information officer with the United States Attorney for the Eastern District of Arkansas. (more…)

AHIMA Comments on Proposed ICD-10 Rule

AHIMA has submitted official comments on the adoption and implementation of the ICD-10-CM and ICD-10-PCS classification systems. In part, AHIMA:

  • Recommends that the implementation of the two classifications and the related HIPAA transaction updates should occur over a three-year period, with the date of final compliance no later than October 1, 2012
  • Supports a single compliance date across the entire US healthcare industry and recommends that the compliance date, once designated, not be extended, which would cause confusion and add costs (more…)

What’s in the ICD-10 Proposed Rule?

AHIMA has posted an analysis of the ICD-10 Notice of Proposed Rule Making. The analysis is a summary, offered to the healthcare industry as an aid when considering the proposal. It is not AHIMA’s position on the adoption of ICD-10-CM and ICD-10-PCS. AHIMA will publish its comments and recommendations prior to the close of the public commenting period on October 21. (more…)

Nurse Prosecuted over HIPAA Breach

An Arkansas woman who pled guilty to disclosing a patient’s health information was the first in her state to be convicted under the Health Insurance Portability and Accountability Act (HIPAA).

Andrea Smith, a 25-year-old woman from Trumann, AR, admitted to wrongfully disclosing individually identifiable health information for personal gain, according to a statement from Jane W. Duke, United States Attorney for the Eastern District of Arkansas. (more…)