SBCMS News/Media

Free CME: Patients' right of access under HIPAA

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has launched a new training module for providers on patients' right of access under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

With limited exceptions, the HIPAA Privacy Rule gives individuals the right to see and, upon request, receive copies of the information in their medical and other health records maintained by their health care providers and health plans.

The new module provides an in-depth review of the components of the HIPAA right of access and ways in which it enables individuals to be more involved in their own care. It also provides helpful suggestions about how health care providers can integrate aspects of the HIPAA right of access into their medical practices.

The module is available via Medscape or at OCR's Training and Resources webpage. Physicians can receive 0.5 units of continuing medical education (CME) credit.

For more information on the permitted uses and disclosures of protected health information under HIPAA as well as California law, see California Medical Association (CMA) On-Call document #4205, “Patient Access to Medical Records.” This and other documents in CMA's health law library are free to members at www.cmanet.org/cma-on-call. Nonmembers can purchase documents for $2 per page.

For more CMA HIPAA resources, visit www.cmanet.org/hipaa.

Child Health and Disability Prevention code and claim form conversion effective July 1

The California Department of Health Care Services (DHCS) is currently transitioning Child Health and Disability Prevention (CHDP) program billing processes to be compliant with HIPAA standards for national health care electronic transactions and code sets. Rather than billing on the CHDP Confidential Screening/Billing Report (PM 160) claim form, claims will be submitted using CPT codes on the CMS 1500 or UB-04 claim forms or equivalent electronic claim transactions.

The transition, effective for dates of service on or after July 1, 2017, affects claims for Medi-Cal Early and Periodic Screening, Diagnosis and Treatment, well-child health assessments and immunizations through the CHDP program. After July 1, these services will also be billed as Medi-Cal services in accordance with Medi-Cal policy, will be reimbursed per the Medi-Cal fee-for-service fee schedule and will receive payment on the standard Medi-Cal warrant. DHCS has released an updated CHDP Code Conversion Table, which is accessible on its website.

Services provided prior to July 1, 2017, should be billed on the CHDP PM 160 claim form.

The California Medical Association (CMA) has received calls from physicians who report that for their practice, the transition to reimbursement based on the Medi-Cal fee-for-service schedule may result in a decrease of up to 20 percent for some services. CMA has also received questions about whether problem-focused evaluation and management visits, when billed with a preventive medicine visit, will continue to both be reimbursed as they were under the CHDP program. CMA has reached out to DHCS for clarification.

For more information, view June 2017 DHCS NewsFlash update.

HHS begins second phase of HIPAA audits

The second phase of audits for compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations is underway. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) selected a total of 167 health plans, health care providers and health care clearinghouses to be audited.

Selected physician practices would have received an email from OCR on July 11. The email may be incorrectly classified as spam, so check your spam and junk folders to make sure you didn't miss it.

The 2016 phase 2 HIPAA audit program is a key part of OCR’s health information privacy, security and breach notification compliance activities. The audit program allows OCR to assess covered entity compliance with the HIPAA regulations.

The phase 2 audit places more attention on areas of greater risk to the security of protected health information and on pervasive non-compliance, based on OCR’s phase 1 audit findings and observations, rather than a comprehensive review of all of the HIPAA standards.

OCR said that physicians selected for audits should view them as a tool to identify best practices and discover risks and vulnerabilities, not as an enforcement activity. The ultimate goal of the audits, the agency said, is to help OCR provide better guidance to the health care community.

If your practice has been selected for an audit, you will need to submit the requested documentation and any written comments demonstrating your compliance with the following HIPAA requirements to OCR by July 22. The final audit report will be completed within 30 days of your response and OCR will share a copy of the final report with you.

For more information about the audit, click here.

HHS begins phase 2 of HIPAA Audit Program

As part of continued efforts by the U.S. Department of Health and Human Services (HHS) to measure and evaluate HIPAA compliance among covered entities and their business associates, the HHS Office for Civil Rights (OCR) has begun phase 2 of its HIPAA Audit Program.

OCR is required to perform periodic audits of covered entities and their business associates to ensure HIPAA compliance.

Over the next several months, OCR will notify selected covered entities via email to request documentation for a desk audit. Those selected will be required to provide the requested information in digital form, through a secure online portal, within 10 business days.

While the HIPAA Audit Program will consist mainly of desk audits, some covered entities may be selected for an onsite audit to be conducted over three to five days, depending on the size of the entity.

After the audits are completed, OCR will review and aggregate the information gathered from all of its reports. The aggregated data will help OCR determine any systematic issues with fulfilling particular HIPAA requirements, the types of technical assistance that should be developed, and corrective actions that would be most helpful to covered entities and consumers.

OCR's primary objective is to assess HIPAA compliance across the health care industry, taking into account a wide range of factors in potential auditees. Selected participants for this phase of the program will represent a range of health care providers, health plans, clearinghouses and business associates. Those already undergoing compliance reviews or complaint investigations will not be selected for the audit.

To learn more about OCR's HIPAA Audit Program objectives and procedures, please review its frequently asked questions page.

HHS modifies HIPAA Privacy Rule as part of executive actions to curb gun violence

Last week, the Obama Administration unveiled a number of executive actions to address gun violence in the United States, including an amendment to the Health Insurance Portability and Accountability Act (HIPAA) that would make it easier for mental health providers to disclose the identities of individuals who are disqualified from shipping, transporting, possessing or receiving a firearm.

Both the Brady Handgun Violence Prevention Act of 1993 and the Gun Control Act of 1968 prohibit gun ownership and gun sales to individuals who have been involuntarily committed to a mental institution for mental illness or drug use; found incompetent to stand trial or not guilty by reason of insanity; or otherwise determined by a court to be a danger to themselves or others or unable to manage their own affairs due to mental illness, incompetency, condition or disease.

Up until now, however, the HIPAA Privacy Rule generally prohibited mental health providers and HIPAA covered entities from disclosing patient information to the National Instant Criminal Background Check System (NICS) – a system maintained by the Federal Bureau of Investigation (FBI) to conduct background checks on people who may be legally disqualified from owning firearms based on statutorily defined federal “mental health prohibitor” categories.

Under this final rule, certain covered entities with lawful authority to make adjudications or commitment decisions that make individuals subject to the federal mental health prohibitor are permitted to disclose the information to NICS. The information that can be disclosed is limited to demographic and certain minimum necessary information needed for NICS to determine whether a potential firearm recipient is statutorily prohibited from possessing or receiving a firearm.

According to the U.S. Department of Health and Human Services, the modification better enables the reporting of these individuals to the background check system, while continuing to strongly protect individuals’ privacy interests. It gives states improved flexibility to ensure accurate but limited information is reported to NICS.

The new rule is narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA-covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their states to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS.

The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical or other mental health treatment information.

Click here to read the final rule.

Contact: CMA's legal information line, (800) 786-4262 or legalinfo@cmanet.org.

HHS releases security risk assessment tool to help providers with HIPAA compliance

The U.S. Department of Health and Human Services (HHS) has released a new tool to help health care providers in small to medium-sized practices conduct information security risk assessments of their organizations.
 
The tool, available at www.HealthIT.gov, is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). It is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The tool also produces a report that can be provided to auditors.
 
HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.
 
Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.
 
The tool is available for both Windows operating systems and iPad. Download the Windows version here. The iPad version is available from the iTunes App Store (search “HHS SRA tool”).
 
For more information, see CMA On-Call document #4102, "HIPAA Security Rule." On-Call documents are available free to members in CMA's online health law library at www.cmanet.org/cma-on-call. Nonmembers can purchase documents for $2/page.

Are you using Windows XP? You may need to upgrade

Physician offices using Windows XP should be aware that Microsoft will no longer be providing support for Windows XP after April 8, 2014. This means that updates, bug fixes, security patches and troubleshooting will not be available for systems operating Windows XP, making such systems vulnerable to security risks.
 
While the California Medical Association (CMA) has received concerns from physicians who are being told that they will be in "automatic violation of the Health Information Portability and Accountability Act (HIPAA)" for using Windows XP after April 8, the HIPAA security rule does not specifically mandate any minimum operating system requirements. Physician offices using Windows XP, however, should be aware that continuing to use an unsupported operating system without the proper maintenance in place to protect electronic patient health information (PHI) increases their risk of security breaches.
 
The HIPAA security rule requires a security management process, which means the development and implementation of policies and procedures to prevent, detect and correct potential risks and vulnerabilities to electronic PHI. An unsupported operating system should be identified as a risk and physician practices using Windows XP should conduct a risk assessment to determine the appropriate measures to reduce any risks to electronic PHI, including upgrading to a more current, supported operating system.
 
For more information, see CMA On-Call document #4102, "HIPAA Security Rule." On-Call documents are available free to members in CMA's online health law library at www.cmanet.org/cma-on-call. Nonmembers can purchase On-Call documents for $2 per page.
 
Contact: CMA Center for Legal Affairs, (800) 786-4262 or legalinfo@cmanet.org.

HHS announces new rule that gives patients direct access to lab test results

Patients will soon be able to obtain their medical test results directly from the laboratory, rather than having to request a copy from their physician's office, according to a new rule announced Monday by the U.S. Department of Health and Human Services (HHS).
 
The rule is part of a broader effort to give Americans more control over their health care. It supersedes state law and will have particular significance in 13 states that currently prohibit labs from releasing test results directly to patients. Current California law allows the release of lab results to patients if providers give approval.
 
Although under the Health Insurance Portability and Accountability Act (HIPAA), physicians and other covered entities were already required to provide patients with copies of their protected health information (PHI) upon request, many laboratories were exempt from this requirement.
 
“The right to access personal health information is a cornerstone of the [HIPAA] Privacy Rule,” said HHS Secretary Kathleen Sebelius. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals and adhere to important treatment plans.”
 
While patients can continue to get access to their lab tests from their physicians, under the new rule, labs will be required to provide patients copies, including electronic copies, of their lab test results within 30 days of a request. The new rule takes effect 60 days after publication in the Federal Register, which is expected to happen Thursday. HIPAA-covered labs will have 180 days from the effective date of the rule to comply.
 
The final rule amends the Clinical Laboratory Improvement Amendments (CLIA) of 1988.
 
Before the revisions, CLIA stipulated that labs could release test results to only three types of individuals: the person authorized under state law to order or receive results, typically a physician; the person responsible for using the test results for treatment; and a referring lab that requested the test.
 
The final rule is available for review at www.federalregister.gov.

Are your business associate agreements up-to-date?

Physician practices must review and update business associate agreements to comply with new HIPAA regulations. HIPAA requires a physician practice to enter into a written business associate agreement with any third party contractors or vendors that may create, receive, maintain or transmit protected health information on behalf of the physician practice. These agreements describe how the business associate will use and protect the protected health information it receives from the physician practice.
 
The new HIPAA regulations, known as the HIPAA Omnibus Final Rule, implement many of the key provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. These regulations broadened the definition of a "business associate," which may mean that some contractors that were not business associates in the past may now be considered business associates. Physician practices should review their third-party vendors and contractors to determine whether they are business associates and ensure that proper agreements are in place.
 
Practices whose business associate agreements were already in place prior to the September 23 compliance date have one more year, until September 22, 2014, to update those existing agreements.
 
The California Medical Association (CMA) has recently updated its business associate agreement with CMA members. In order to advocate on a member's behalf, it may be necessary for CMA staff to receive and review documentation that may include protected health information about patients. Physician practices that contact CMA for certain member services may be asked to sign a business associate agreement. CMA members who have previously signed a business associate agreement with CMA will be asked to execute an updated agreement.
 
If you would like a copy of CMA's updated business associate agreement with members, please contact legalinfo@cmanet.org or (800) 786-4262.
 
For more information on business associate agreements and a sample business associate agreement, see CMA On-Call document #4103, "Business Associate Agreements." For more information on the new HIPAA regulations or HIPAA generally, visit www.cmanet.org/hipaa.

Are you ready for the next HIPAA compliance deadline?

The Department of Health and Human Services (HHS) released new regulations in January 2013 that made important changes to the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA). These new regulations, known as the HIPAA Omnibus Rule, implement many of the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Covered entities have until September 23 to comply with these changes.

Physician offices will, at minimum, need to review and update their business associate agreements, office privacy and security policies and notice of privacy practices.

Some of the key changes made by the HIPAA Omnibus Rule include, but are not limited to, an updated definition of a business associate, new rules surrounding certain permitted uses and disclosures of protected health information (PHI), such as the sale of PHI and the use of PHI for fundraising and marketing, and rules controlling how patients can obtain medical records that are kept by a physician electronically. It also made significant changes to the breach notification rule.

For more information and for an updated sample notice of privacy practices and business associate agreement, see the California Medical Association’s (CMA) On-Call documents #4101 “HIPAA ACT SMART: Introduction to the HIPAA Privacy Rule” and #4103 “Business Associates.” These documents are available free to members in CMA's online health law library at www.cmanet.org/cma-on-call. Nonmembers can purchase documents for $2 per page.

CMA is also hosting a webinar, "HIPAA Compliance: The Final HITECH Rule," tomorrow, August 21 at 12:15 pm. If you are unable to participate in the live event, it will be available in the resource library shortly after the webinar for on-demand playback at your convenience.

Contact: CMA's Center for Legal Affairs, (800) 786-4262 or legalinfo@cmanet.org.