
SBCMS News/Media


CMA On-Call: Retention of Medical Records

California regulations regarding retention of medical records in a physician’s office are a perennial hot topic in the California Medical Association (CMA) On-Call health law library. To ensure physicians understand their rights and obligations under the law, CMA published On-Call document #4005, “Retention of Medical Records,” which discusses major issues raised by the retention, abandonment, theft and destruction of medical or health insurance information and physician practice business records. Issues covered include statutory record retention requirements, the rules applicable to records abandoned in bankruptcy or otherwise, recommended retention periods, options for record management on the sale or closing of a medical practice, record destruction requirements, obligations for safeguarding patients’ personal information, and for responding when records containing identifying information are stolen or otherwise breached.

About CMA On-Call

On-Call is CMA's online health law library, which contains nearly 5,000 pages of legal information related to the practice of medicine. The searchable library contains all the information available in the California Physician's Legal Handbook, an annual publication of CMA's Center for Legal Affairs.

CMA On-Call documents are available free to members at www.cmanet.org/cma-on-call. Nonmembers can purchase On-Call documents for $2 per page.

Free CME: Patients' right of access under HIPAA

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has launched a new training module for providers on patients' right of access under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

With limited exceptions, the HIPAA Privacy Rule gives individuals the right, upon request, to see and receive copies of the information in their medical and other health records maintained by their health care providers and health plans.

The new module provides an in-depth review of the components of the HIPAA right of access and ways in which it enables individuals to be more involved in their own care. It also provides helpful suggestions about how health care providers can integrate aspects of the HIPAA right of access into their medical practices.

The module is available via Medscape or at OCR's Training and Resources webpage. Physicians can receive 0.5 units of continuing medical education (CME) credit.

For more information on the permitted uses and disclosures of protected health information under HIPAA as well as California law, see California Medical Association (CMA) On-Call document #4205, “Patient Access to Medical Records.” This and other documents in CMA's health law library are free to members at www.cmanet.org/cma-on-call. Nonmembers can purchase documents for $2 per page.

For more CMA HIPAA resources, visit www.cmanet.org/hipaa.

What is commercial risk adjustment?

Over the past few months, CMA has received several calls from practices that have received requests for medical records from various payors stating that the records are needed for “risk adjustment.” These record requests are a result of the commercial risk adjustment program created by Section 1343 of the Affordable Care Act. The primary goal of the risk adjustment program is to spread the financial risk borne by payors more evenly, in order to stabilize premiums and give issuers the ability to offer a variety of plans to meet the needs of a diverse population.

Similar to Medicare risk adjustment audits, the commercial risk adjustment program is designed to identify the health status and demographic characteristics of enrollees in non-grandfathered plans in the individual and small group markets in order to determine an average risk score. The risk score is a relative measure of how costly an individual is anticipated to be. If, at the end of the annual risk adjustment assessment, Plan A has a lower average risk score than Plan B, then Plan A has to issue a payment to Plan B. In a nutshell, the program is intended to prevent payors from cherry-picking only healthy enrollees.

Because the information reported by physicians and other providers is at the heart of payment adjustments, health plans must engage providers by requesting copies of medical records that accurately reflect diagnoses and/or underlying health conditions to comply with risk adjustment program requirements. [77 Fed.Reg. 17220, 17241 (March 23, 2012)]

The risk adjustment program is a requirement on the payor; however, through managed care contracts, payors typically require their contracting physicians to comply with the risk adjustment medical record requests. Non-contracted physicians are under no obligation to comply with the request. Most payors appear to be contracting with a third-party vendor to handle the record requests and collection.

A frequently asked question from physicians about these requests is whether the records can be released under HIPAA without written authorization from the patient. Both HIPAA and California’s Confidentiality of Medical Information Act permit disclosures of protected health information to third-party payors for treatment and payment purposes without patient authorization, including disclosures to plans for risk adjustment purposes. However, when dealing with sensitive medical information such as mental health records or psychotherapy notes, the circumstances in which disclosures may be made to third-party payors absent the patient’s signed authorization are limited. Given the sensitivity of this information, provisions allowing permissive disclosure of these records should be interpreted narrowly, and physicians should err on the side of caution with regard to disclosures absent patient authorization. For more information, see CMA On-Call document #4250, “Confidentiality of Sensitive Medical Information.”

At least one payor appears to be offering to provide a scanner technician upon request, paid for by the plan, who will come to the practice to retrieve the needed records; others are requiring the practice to handle the copying/scanning and submission either by fax or mail. Additionally, the commercial risk adjustment audits usually involve only a handful of patients per practice, but if the request is voluminous, practices may wish to contact the payor and request that it send a copy/scanner service out to the practice.

For more information on the commercial risk adjustment program, click here.

Data breaches in California increase 600 percent

The second annual report on financial data breaches in California was released yesterday by the California Attorney General and showed that the number of reported data breaches in 2013 was up 28 percent from the previous year, and the total number of records breached increased by more than 600 percent, from 2.5 million in 2012 to 18.5 million in 2013. Breaches in the health care sector made up 15 percent of the total, with 1.5 million records compromised.

The majority of health care breaches resulted from physical theft, which accounted for 70 percent of health care breaches compared with 19 percent in other industry sectors. Breaches caused by malware and hacking made up only 9 percent of health care losses.

Fifty-five percent of health care breaches involved the theft of Social Security numbers, but the most common type of data compromised was health information, which was exposed in 75 percent of health care data breaches, according to the report.

Over the study period there were 31 data breaches in health care, 24 resulting from stolen hardware, five from lost media and two from stolen documents. The stolen hardware was taken from the workplace, an employee car and an employee home, and included 16 laptops and eight desktops.

The report said that the “strategic use of encryption” should be used by those in health care to protect medical and financial information on laptops, portable devices and desktop computers.

The report also cites a recent study by the Ponemon Institute, which found that criminal attacks targeting the health care system are growing.

HHS releases security risk assessment tool to help providers with HIPAA compliance

The U.S. Department of Health and Human Services (HHS) has released a new tool to help guide health care providers in small to medium-sized practices in conducting information security risk assessments of their organizations.

The tool, available at www.HealthIT.gov, is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR). It is designed to help practices conduct and document a risk assessment in a thorough, organized fashion and at their own pace, by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The tool also produces a report that can be provided to auditors.

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.
 
Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.
 
The tool is available for both Windows operating systems and iPad. Download the Windows version here. The iPad version is available from the iTunes App Store (search “HHS SRA tool”).
 
For more information, see CMA On-Call document #4102, "HIPAA Security Rule." On-Call documents are available free to members in CMA's online health law library at www.cmanet.org/cma-on-call. Nonmembers can purchase documents for $2/page.

Are your business associate agreements up-to-date?

Physician practices must review and update their business associate agreements to comply with new HIPAA regulations. HIPAA requires a physician practice to enter into a written business associate agreement with any third-party contractor or vendor that may create, receive, maintain or transmit protected health information on behalf of the physician practice. These agreements describe how the business associate will use and protect the protected health information it receives from the physician practice.

The new HIPAA regulations, known as the HIPAA Omnibus Final Rule, implement many of the key provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. These regulations broadened the definition of a "business associate," which may mean that some contractors that were not business associates in the past may now be considered business associates. Physician practices should review their third-party vendors and contractors to determine whether they are business associates and ensure that proper agreements are in place.
 
For business associate agreements that were already in place prior to the September 23 compliance date, practices have one more year, until September 22, 2014, to update those existing agreements.

The California Medical Association (CMA) has recently updated its business associate agreement with CMA members. In order to advocate on a member's behalf, it may be necessary for CMA staff to receive and review documentation that may include protected health information about patients. Physician practices that contact CMA for certain member services may be asked to sign a business associate agreement. CMA members who have previously signed a business associate agreement with CMA will be asked to execute an updated agreement.
 
If you would like a copy of CMA's updated business associate agreement with members, please contact legalinfo@cmanet.org or (800) 786-4262.
 
For more information on business associate agreements and a sample business associate agreement, see CMA On-Call document #4103, "Business Associate Agreements." For more information on the new HIPAA regulations or HIPAA generally, visit www.cmanet.org/hipaa.