With so much going on in healthcare, it would not surprise me if a lot of practices missed the February 2010 deadline for three expanded HIPAA rules.  This expansion was dictated by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed by Congress in February 2009.

If you haven’t already, get started now with the new requirements.

  1. New obligations for business associates (BA) – February 17, 2010
    Remember that a BA is a person or organization outside of your entity with whom you share protected health information (PHI) so they may provide services to you.  Good examples are your billing service, collection agency, attorney, consultant, computer vendors and providers of documentation abstracting or coding services.  Under HITECH, BAs have the same responsibilities for breaches as the healthcare entity does, but it is the healthcare organization’s responsibility to have an updated, signed BA agreement in place that describes this new responsibility.  Here is an excellent example of a BA agreement (first link under Publications) that you can download and tweak for your practice.
  2. New disclosure agreement provision – February 18, 2010
    This is a big one! Patients now may waive their right to have you file their medical insurance, pay for your services themselves and request that their medical information NOT be disclosed to their insurance plan or any other entity.  In other words, patients may elect to become “self-insured”.  I recommend that you create a new financial class for these patients so they fall neither into the standard self-pay/financial assistance class nor into their actual insurance class.  These patients, if you have any, will need to be identified according to their wishes, which could mean that they want you to file insurance for some services and not for others.  This means their record must be tagged to show which records can be released and which cannot.  There could be an argument made either way for whether or not these patients should receive self-pay discounts that you have in place for your non-insured patients.  I would be interested to know how different groups have decided to handle this.  There are sample forms for PHI disclosure accounting and for patients to request an accounting of PHI disclosures in the Manage My Practice Library under Operations.
  3. Information breach notification – February 22, 2010
    We’ve heard a lot about this one as the media (along with HHS) must now be notified if a PHI breach involves 500 people or more.  Breaches are being reported weekly as non-encrypted laptops are stolen or repurposed, and as copier hard drives (story here) go unnoticed as a security risk.  If a breach involves 500 people or fewer, each individual must receive written notice with details of the breach, the information disclosed, and the steps being taken by the practice or entity to avoid any future breaches, as well as an explanation of the rights of the patient(s) in protecting their private healthcare information.  Several of my employees have received notification letters from health plans and they have been horrified that this could happen.  Note that entities that secure health information through encryption or destruction don’t have to provide notification in the event of a breach!

Enforcement is also beefed up.
Criminal penalties will apply to covered entities that violate privacy rules AND to those organizations’ individual employees (can you track who accesses whose records when?).  Civil penalties have been increased and harmed individuals may share in the booty.  Probably most importantly, HITECH gives state attorneys general the power to enforce HIPAA rules.

Other resources:

HHS FAQ on HIPAA Privacy

AMA HIPAA Resources

Healthcare Blog Listing

Posted on Wednesday, June 10th, 2009

My personal list of new employee orientation best practices has been shaped by my experiences in private practices as well as hospitals. Every organization has different resources to draw upon, but each group has core goals that must be fulfilled by a good orientation:

  • completion of paperwork including federal and state W-4s, I-9, direct deposit and benefit elections
  • emergency contact information (included in hospital employee health intake)
  • orientation to the organization, including designations, specialties, departments, sites, affiliates and an organizational chart
  • completion of mandatory annual training such as safety, standard precautions, and HIPAA
  • mechanics of name tags, parking tags, lockers, keys and codes
  • signing off on understanding and agreement to confidentiality, compliance and personnel policies

In addition to these core goals, critical information to be shared during this time should minimally include:

  • personnel policy review with emphasis on important (typically abused?) policies
  • code of conduct/ shared basic competencies (mission and values, professionalism, communication, chain of command)
  • computer security (passwords, internet policy, protection of PHI)
  • workstation ergonomics and patient lifting policy (sadly lacking in many medical practices)

Important training that is rarely covered:

  • Customer service (what is it and how do we measure our success or lack thereof?)
  • Cultural sensitivity and diversity training
  • Non-clinical employees’ role in medical emergencies
  • Personal safety (coming in early or leaving late, patients threatening staff by phone or in person)
  • Expectations for the first 90 days (training, communication, questions, problems)

Making Orientation Memorable

(more…)


Whether the title is manager, medical practice manager, physician practice manager, administrator, practice administrator, executive director, office manager, CEO, COO, director, division manager, department manager, or any combination thereof, with some exceptions, people who manage physician practices do some combination of the responsibilities listed here or manage people who do.

Human Resources: Hire, fire, counsel, discipline, evaluate, train, orient, coach, mentor and schedule staff. Shop, negotiate and administer benefits. (more…)


By Carla Hannibal, CMM, CPM, CIMBS

Recovery Audit Contractors (RACs) will pursue corrections of Medicare claims by auditing for overpayments and underpayments under Part A or B of Title XVIII of the Social Security Act.  Health care providers will be affected as Medicare has recently contracted with RACs for 2009 and beyond.  RACs will audit every United States and Puerto Rico health care provider who files with Medicare.  The audit and recovery plan is expected to be in place by (more…)