Wednesday, June 24, 2015

Proper Disposal of PHI

What’s the proper way to dispose of PHI?

Covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited to:

·         For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
·         Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
·         For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
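The "clearing" bullet above is the one that is easiest to get wrong in practice, so here is an added example (written for this page, not taken from the HHS guidance) of what a clear-and-verify step looks like for a file-backed disk image: overwrite every byte, force the writes to the medium, then read the whole image back and check both that every byte now equals the fill value and that none of a list of known sensitive strings survives. The records and marker strings are constructed sample data. Two caveats a practitioner should keep in mind: overwriting through a filesystem is not the same as clearing the medium, because journaling, copy-on-write snapshots and SSD wear-levelling can leave copies of the old blocks that this verify step never sees (for a real drive use a whole-device tool such as `shred` on the block device, ATA Secure Erase or NVMe sanitize, or physical destruction), and degaussing, listed under "purging" above, only affects magnetic media and does nothing to flash memory.

```python
import os
import tempfile

# Constructed sample records standing in for PHI on a small disk image; not real data.
SAMPLE_RECORDS = [
    b"PATIENT: Jane Roe; SSN: 000-00-0000; DX: hypertension\n",
    b"PATIENT: John Doe; CARD: 4111-1111-1111-1111; DX: diabetes\n",
]
SAMPLE_MARKERS = [b"Jane Roe", b"000-00-0000", b"4111-1111-1111-1111"]

CHUNK = 1 << 16  # process 64 KiB at a time so large images never sit in memory at once


def overwrite_in_place(path, fill=0x00, passes=1):
    """Clear a file-backed image by overwriting every byte with the single byte `fill`.

    Returns the number of bytes overwritten per pass. flush() + fsync() push the
    writes through the OS cache so the verify step reads what reached the file.
    Caveat: this clears the file's current blocks only; journals, snapshots and
    SSD wear-levelling may keep old copies that a file-level overwrite cannot reach.
    """
    if not 0 <= fill <= 0xFF:
        raise ValueError("fill must be a single byte value")
    size = os.path.getsize(path)
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(block[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def verify_cleared(path, fill, markers):
    """Read the image back and report whether clearing succeeded.

    `all_pattern` is True only if every byte equals `fill`; `leaked` lists the
    known sensitive markers still found. Both checks matter: a partial overwrite
    leaves the tail of the image intact, and a marker search alone cannot prove
    that records you did not know about are gone.
    """
    longest = max((len(m) for m in markers), default=0)
    all_pattern = True
    leaked = set()
    carry = b""  # tail of the previous chunk, so a marker split across chunks is still found
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            if chunk != bytes([fill]) * len(chunk):
                all_pattern = False
            window = carry + chunk
            for m in markers:
                if m in window:
                    leaked.add(m)
            carry = window[-(longest - 1):] if longest > 1 else b""
    return {"size": os.path.getsize(path), "all_pattern": all_pattern, "leaked": sorted(leaked)}


def demo_clear_image():
    """Write the constructed records to a temporary image, clear it, and verify both states."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            for rec in SAMPLE_RECORDS:
                fh.write(rec)
            fh.write(b"\xab" * 4096)  # filler standing in for other blocks on the medium
        before = verify_cleared(path, 0x00, SAMPLE_MARKERS)
        overwrite_in_place(path, fill=0x00, passes=1)
        after = verify_cleared(path, 0x00, SAMPLE_MARKERS)
        return {"before": before, "after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_clear_image())
```

Running `demo_clear_image()` returns the verification report before clearing (pattern check fails, all three markers found) and after (every byte equals the fill value, no markers). The report, not the overwrite, is what you keep as the disposal record: a covered entity that has to show its disposal procedure worked needs the read-back result, not just a log line saying the overwrite ran.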

Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).

Tuesday, June 23, 2015

Disclosing PHI to Law Enforcement

Disclosures to Law Enforcement
A law enforcement officer may come into your office and request information on one of your patients. He may have legal documents with him to show that his request is valid, or he may just want to know whether the patient is on the premises. What do you do? It can be confusing if you do not know the HIPAA Privacy Rule provisions governing release of PHI to law enforcement. Following are the basic guidelines your staff should know.
The Privacy Rule established procedures and safeguards that restrict the circumstances under which you may give such information to law enforcement officers. If the officer does not have a warrant and has not initiated any other legal process, you are limited in the information you may disclose: for a request to identify or locate someone, the Privacy Rule specifically excludes DNA, dental records, and body fluid or tissue typing (see "Identifying an Individual" below). Similarly, under most circumstances, the Privacy Rule requires you to obtain the agreement of a person who has been the victim of domestic violence or abuse before disclosing information about them to law enforcement. Some other federal or state law may require a disclosure, and the Privacy Rule does not interfere with the operation of those laws. Where a disclosure is permitted but not required, HHS has said that you should use your professional judgment to decide whether to disclose, reflecting your own policies and ethical principles. In other words, HHS allows health care providers to continue to follow their own policies to protect privacy in such instances.
Disclosures Allowed Without an Authorization
The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue.  The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual’s written authorization, under specific circumstances summarized below:
Court-Ordered Warrant or Subpoena
To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order, and the secrecy of the grand jury process, provide protections for the individual’s private information.
Administrative Request or Subpoena
To respond to an administrative request, such as an administrative subpoena, investigative demand, or other written request from a law enforcement official. Because an administrative request may be made without judicial involvement, the Rule requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and that de-identified information could not reasonably be used instead.
Averting a Serious Threat to Health and Safety
To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, or to identify or apprehend an individual who appears to have escaped from lawful custody. If you believe that your practice, a workforce member, a patient, or the public faces such a threat, disclosure of PHI for that purpose is permitted under HIPAA. Consistent with applicable law and standards of ethical conduct, you may use or disclose PHI if you believe in good faith that:
  • it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or
  • it is necessary for law enforcement authorities to identify or apprehend an individual:
  • because of a statement by an individual admitting participation in a violent crime that you reasonably believe may have caused serious physical harm to the victim; or
  • where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
Identifying an Individual
To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; but you must limit disclosures of PHI to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request.
This same limited information may be reported to law enforcement:
  • About a suspected perpetrator of a crime when the report is made by the victim who is a member of your workforce;
  • To identify or apprehend an individual who has admitted participation in a violent crime that you reasonably believe may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act. 
Victim of a Crime
To respond to a request for PHI about a victim of a crime, when the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, you may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, that it is needed to determine whether another person broke the law, and that the investigation would be materially and adversely affected by waiting until the victim could agree, and you believe in your professional judgment that doing so is in the best interests of the individual whose information is requested.

Monday, June 22, 2015

Changing Trends in Hiring Healthcare Talent

Trends in Healthcare Talent Acquisition
It’s hard to keep up with all the changes happening in health care, especially as they relate to talent acquisition and the evolving roles of the health care workforce. To help health care recruiters and HR professionals stay current with the latest trends, a comprehensive report has been released using resources from the American Hospital Association and other trusted sources.
Here are three insights from the 2015 Healthcare Talent Acquisition Environmental Scan:

·         The age range of health care workers spans more than forty years, creating distinctive challenges and opportunities for both employers and employees, such as:
  • Organizational hierarchies may be restructured as Gen Xers and Millennials rise to leadership roles. As Gen Xers and Millennials become leaders, health care organizations may need to consider flattening their structure and removing departmental and management hierarchies. Gen Xers and Millennials, the bulk of the workforce, consider organizational hierarchies barriers to creativity and innovation.
  • Health care organizations may need to modify job requirements to cater to new and emerging roles. This includes adjusting competencies so that the workforce aligns with new population health needs. For example, some jobs will need to be redesigned as technology advances. As jobs are redefined, the workforce may transition and redeploy to different settings, roles, and organizational structures.
·         With changing demographics, communities are becoming increasingly diverse. The unique diversity of a community should be reflected in the leadership and staff of its hospitals and health care systems. However, gaps in diversity still exist, as the following statistics show:
  • Minorities represented 31% of patients nationally in 2013, up from 29% in 2011. However, minorities comprise only 14% of hospital board members, 12% of executive leadership positions, and 17% of first- and mid-level management positions.
  • Diversity efforts in hospital recruitment and retention are lacking. Just under half of respondents (48%) said their hospital has a documented plan to recruit and retain a diverse workforce that reflects the organization’s patient population. Only 22% of hospital hiring managers have a diversity goal in their performance expectations.
·         The rate at which physicians are employed directly by hospitals continues to increase. In fact, physician employment by hospitals has risen by more than 54% since 2000. Other statistics gathered on the physician employment market include:
  • More than 244,000 physicians have found positions in hospitals, for a variety of reasons: changes in lifestyle, decreased interest in owning a business, levels of regulation, and more. Meanwhile, hospitals are seeking out physicians as a way to increase coordination and manage costs.
  • Only 10% of hospital senior leaders are physicians, according to most surveyed CEOs. This is due in part to the fact that most medical schools don’t include formal business training on running a practice, much less a multimillion-dollar health system. With more than half of new physicians entering the field as salaried employees, the potential pool of physician leaders has grown much larger. Soon, having physician leaders will be not only important but mandatory.
(HealthcareSource website)

Thursday, June 18, 2015

Safety in the Laboratory

Laboratory OSHA Safety Culture
The safety culture varies greatly from laboratory to laboratory. Most lab employees these days know that eating food or drinking in the lab is against most, if not all, lab regulatory agency rules and guidelines. However, it is surprising that many do not seem to understand that gum chewing or using hard candy or throat lozenges is also not permitted in a laboratory setting.
OSHA’s Bloodborne Pathogen Standard specifically states “Eating, drinking, smoking, applying cosmetics or lip balm, and handling contact lenses are prohibited in work areas where there is a reasonable likelihood of occupational exposure.” Obviously, the goal of this regulation is to prevent employees from obtaining infection via ingestion. A secondary goal is to limit hand to mouth contact while working in the laboratory. So far there has been no mention of gum or cough drops in the standards.
In the National Research Council’s Prudent Practices in the Laboratory (1995), it states “Eating, drinking, smoking, gum chewing, applying cosmetics, and taking medicine in laboratories where hazardous chemicals are used should be strictly prohibited.” In the Clinical and Laboratory Standards Institute’s document Clinical Laboratory Safety (GP-17 A3, 2012), it states “Food, drink and substances that provide potential hand-to-mouth contact (including chewing gum and lip balm) are prohibited in technical work areas.”
Most inspectors of the laboratory will cite the lab for gum chewing or the like. An employee may respond that the gum was placed into their mouth outside the lab, but proving that would be difficult at best. It is an inappropriate and unsafe practice, and it should not be allowed.
Again, limit hand-to-mouth or hand-to-face contact in the laboratory. What about telephone use? There are speaker options for phones that can help, but some labs are too noisy for that type of use. Disinfect phones often if that is the case.

As with any other safety regulation, if you explain it to staff, and if you make it easy to comply, your safety culture will improve. Educate your staff about these guidelines and standards and why they exist. Unfortunately, many workers fell victim to harmful infectious diseases before these regulations were developed. Don’t let your staff become another part of those unfortunate lab safety statistics.

Wednesday, June 17, 2015

Are You Confident About Passing a HIPAA Audit?

Survey Reveals Over-confidence in HIPAA Compliance

With regulators gearing up to begin the next phase of HIPAA compliance audits, many covered entities appear to be over-confident about passing that scrutiny, according to the results of Information Security Media Group’s latest Healthcare Information Security Today survey.

Nearly 80 percent of healthcare organizations that participated in the 2015 survey said they were confident or somewhat confident that they’d “pass” a HIPAA compliance audit by the Department of Health and Human Services’ Office for Civil Rights with only minimal non-compliance issues.

But despite the strong confidence levels of most respondents when it comes to their organizations’ compliance efforts, a closer look at other survey results shows that many covered entities are still falling short in applying key technologies and practices to protect patient data against many current and emerging cyber threats, including measures called for by the HIPAA Security Rule.

For instance, the survey found:
     Only 75 percent of respondents say their organizations conducted a security risk assessment last year. The failure to conduct a thorough and timely risk assessment is the most common non-compliance issue that has been cited by OCR during HIPAA breach investigations and also in the agency’s pilot HIPAA compliance audit program.
     Despite lost or stolen unencrypted devices being the biggest cause of major health data breaches reported to OCR since 2009, only 60 percent of surveyed organizations are requiring encryption on portable devices and media.
     Although OCR looks for documented evidence of HIPAA compliance efforts, less than 60 percent of surveyed organizations have a documented security strategy.  Most of the other organizations say they are working on one.

Although confidence levels about HIPAA compliance appear to be high among the survey respondents, they, nevertheless, said their top information security priority for 2015 was improving regulatory compliance. That was followed by improving security awareness and training and preventing and detecting breaches. Those were also the top priorities in the two previous Healthcare Information Security Today surveys.
The online 2015 Healthcare Information Security Today survey was conducted in December 2014 and January 2015. Respondents included about 200 CISOs, CIOs, directors of IT and other senior leaders at hospitals, integrated delivery systems, physician group practices, insurers and other healthcare organizations.

(ISMG website)

Tuesday, June 16, 2015

The Fight Against Medicare Fraud and Abuse

Fighting Medicare Fraud and Abuse 

The health care reform legislation contains several provisions that affect fraud investigations and over-payments. One change that you will want to really keep an eye on is the change that permits HHS to suspend payments to you while an investigation is taking place if the investigation results from a “credible allegation of fraud.” The bill does not contain any definitions of what constitutes a “credible allegation of fraud” or how this new authority will be implemented. The HHS Secretary will have the authority to promulgate regulations covering all of these types of details.

Depending on how this authority is implemented, this could have really significant impacts on your practice. It means that reimbursement will be terminated during the entire course of the investigation. This will put tremendous pressure on a practice and in many cases will be enough to put them out of business. The bill currently does not give us any detail on implementation.
We will keep you aware of the regulatory developments in this area. This is a “punishment before proven guilty” type provision.

You can also expect to see litigation over the legality of this provision of the bill.

In order to avoid fraud and abuse in your practice, you may use our “RAC” materials posted on our web site. Sign on to the web site with your ID codes, select the “Updates/News” link on the left side of the page, and scroll down to the “Medicare” section to locate the RAC materials.

Stark Law Exceptions Reminder

Professional courtesy, when extended to a physician or entity who refers "designated health services" can implicate the Stark Law. The Stark Law is a strict liability statute and the penalties for violating the statute can include denial of payment, refund demands, civil monetary penalties, and exclusion from the Medicare program. The Stark ban on physician self-referral generally makes it unlawful for a physician to refer Medicare patients for radiology tests, clinical laboratory tests, physical or occupational therapy, home health care, or other such "designated health services" to an entity with which the physician has a "financial relationship".

A financial relationship can be an ownership or a compensation arrangement with an entity. A compensation arrangement is defined to include any arrangement involving any remuneration between a physician and an entity, including remuneration that is "in cash or kind". The provision of free or discounted services to a provider of "designated health services" or the provider's family would be such prohibited remuneration. There is, however, an exception to the Stark regulations to allow for certain extension of professional courtesy. In order to fall within the Stark exception, all of the following elements must be met:

·        The professional courtesy must be extended to all members of the entity's medical staff in the case of a hospital, or all members of the local community or service area, in the case of a physician practice
·        The healthcare items and services are a type routinely provided by the entity or practice
·        The professional courtesy policy must be set forth in writing and approved in advance by the entity's governing board(s)
·        The professional courtesy must not be extended to Medicare or other federal health program beneficiaries unless there is a showing of financial need, and
·        The arrangement cannot violate the anti-kickback statute or any state law

Monday, June 15, 2015

Are Beverages at Nurse's Stations Regulated by OSHA?

Beverages at your Nurse’s Station

We have had some questions asking whether it is against OSHA regulations to keep a covered beverage at a nurse's station.

OSHA does not have a general prohibition against the consumption of beverages at nursing stations. However, OSHA's bloodborne pathogens standard prohibits the consumption of food and drink in areas in which work involving exposure or potential exposure to blood or other potentially infectious material takes place, or where the potential for contamination of work surfaces exists [29 CFR 1910.1030(d)(2)(ix)]. Also, under 29 CFR 1910.141(g)(2), employees shall not be allowed to consume food or beverages in any area exposed to a toxic material. While you may want to have beverages at the nursing station that have a lid or cover, the container may also become contaminated, resulting in unsuspected contamination of the hands.

You must evaluate your workplace to determine in which locations food or beverages may potentially become contaminated and must prohibit your employees from eating or drinking in those areas. You may determine that a particular nurse's station or other location is separated from work areas subject to contamination and therefore is so situated that it is not reasonable under the circumstances to anticipate that occupational exposure through the contamination of food and beverages or their containers is likely. You may allow employees to consume food and beverages in that area, although no OSHA standard specifically requires that you permit this. OSHA standards set minimum safety and health requirements and do not prohibit you from adopting more stringent requirements. 

Thursday, June 11, 2015

Phase 2 HIPAA Audits Launched by OCR

OCR Launches Phase 2 HIPAA Audit Program

The U.S. Department of Health and Human Services Office for Civil Rights has sent pre-audit screening surveys to covered entities (CE) and their business associates (BA) that could be selected to participate in Phase 2 of the HIPAA audit program, OCR has confirmed.

In an emailed statement, OCR said it has started verifying contact information for covered entities. “Additional information about the audit program is forthcoming,” the statement said. “Check our website for updates.”

The HITECH Act of 2009 first called on OCR to conduct periodic HIPAA audits to ensure CEs and BAs were following Privacy, Security, and Breach Notification Rules, amid a regulatory push for greater use of health IT and national standards for security and privacy. It was a recognition that new technologies can also pose increased risk to consumer privacy.

OCR conducted and evaluated the HIPAA pilot audits between 2011 and 2013, measuring the efforts of 115 CEs at complying with HIPAA standards. The process to finalize procedures for Phase 2 of the audits dragged on due to various delays until a pre-audit survey was approved by the Office of Management and Budget on March 13, 2015 for distribution to 500 CEs and 200 BAs.

The survey was then mailed out in mid-May. The intent of the pre-audit survey is to collect information to help OCR identify a broad range of organizations that are suitable for HIPAA audits. It looks at such things as size, complexity, operations, use of EHR, revenue, and how BAs handle PHI. A smaller sample of the survey group will then be selected for the audits that were originally slated to begin in the fall of 2014.

This past March, OCR Director Jocelyn Samuels confirmed the audit procedures were still being finalized, but would begin soon, presumably sometime in 2015. Audits for BAs should begin after CE audits are underway.

Questions still remain on the actual protocol or criteria OCR will use for the Phase 2 audit. The agency hasn’t shed any light yet on whether this protocol will be different than in the pilot audit. However, one difference in the process is that OCR expects to use desk-based assessments, meaning the agency will not conduct on-site audits unless resources are available.

Even though there are no firm dates yet, CEs and BAs should begin preparing for a possible audit. Visit the OCR audit program website for official updates.

(HCPro website, FierceMarkets website)

Tuesday, June 9, 2015

Classification of Employees

Classifying Your Employees

Federal and State laws generally do not define the terms of full-time, part-time or temporary employees.  This leaves the employer with the flexibility to categorize their employees. Most often, these classifications are based on the number of hours worked and the duties performed.  Typically the classification determines eligibility for benefits.

Basis for Classification

Employees usually fall into three major categories:

·         Full-time
·         Part-time
·         Temporary

You may want to use the eligibility requirements under your insurance benefit plans (many health care plans exclude part-time employees who work less than a specific number of hours per week)

However, the definition chosen will not affect the employee’s eligibility for legally mandated benefits, such as workers’ compensation, unemployment compensation, unpaid family and medical leave, and military leave.

Also note that the Fair Labor Standards Act (FLSA) further classifies employees as eligible or ineligible for overtime pay and refers to them as being either exempt or non-exempt from the Act’s provisions.

Full-time Employees

A full-time employee is generally defined as one who works a normal workweek for an indefinite period of time.  Since the FLSA sets 40 hours as the maximum number of hours worked before employers must pay overtime to non-exempt employees, you may use that number as the normal work week.  (You can also use 37 ½ hours or even 35 hours, depending on business hours and meal schedules.) Full-time employment could also be defined relative to part-time employment hours.  For example, if part-time employment is defined as 30 hours a week, then someone who works more than 30 hours per week could be classified as full-time.

Part-time Employees

Part-time employees work fewer hours than the normal full-time schedule, but are employed on an ongoing basis and typically receive some benefits.  Part-time employment may mean irregular hours or workdays.  A common definition of part-time employment is an employee who works less than 30 hours per week.

Employers may choose to provide their part-time employees with a pro-rata share of benefits such as sick leave, vacation and other paid absences based on the number of hours worked.

Temporary Employees

Temporary employees may work full or part-time hours.  What makes the employee status “temporary” is that the worker is hired for a particular project or for a finite period of time.  Because of the short-term nature of employment, temporary employees generally do not receive any benefits other than those required by law.

Some practices use temporary workers as a way to screen potential full-time candidates.  Because some temporary employees may have an increased expectation of advancing to regular employment and eligibility for benefits, employers should make it clear that temporary workers are being hired for a limited period of time and are not eligible for benefits.

Employers should explain the temporary nature of the job in a letter or other written document stating an approximate limit for the period that a worker is expected to be employed and give the option for the employer to extend as needed.

In addition, employers should monitor the status of temporary employees so that if the limited duration of a temporary position changes, the employee can be reclassified and correctly offered the benefits they may be entitled to.  Failure to do so may result in misunderstandings and potential legal claims.

Friday, June 5, 2015

Fired Over HIPAA Violations

Violating HIPAA Can Get You Fired
The University of Iowa fired a student health center employee earlier this year for violating the privacy of a pregnant female student and her boyfriend, a well-known student-athlete, when the employee carelessly discussed the results of the student’s pregnancy test with a female coworker. The coworker was also disciplined for the HIPAA violation.
Details of the incident were finally revealed in May when records of the investigation were turned over to various news agencies. The entire incident appeared to stem from the careless words and actions of a veteran lab worker who should have known better.
Over 14 years, Kathryn Trump received extensive training and instruction on how to protect students’ PHI, but that didn’t stop her from revealing out loud to at least one nearby coworker that she hoped the young couple was happy with the positive results of the pregnancy test.
Trump even went so far as to point out the athlete to the clerk after she noticed he was in a waiting room. She also inappropriately accessed the patient’s medical chart at least twice, opening records of past visits and medications.
After speaking with Trump, the clerk then went and spoke with two medical assistants who treated the female student and asked them for more details. The clerk asked if the male student was present when the patient received the news and how the couple reacted. The medical assistants then reported the inquiry to a manager as a possible privacy violation.
This all occurred in the wake of three health center workers being fired and two others suspended in 2011 for inappropriately accessing medical records of 13 football players who were injured in an intense off-season workout. Following that incident, the university stepped up its training on HIPAA privacy laws.
Trump was fired in January, following an investigation by the school, and the clerk was disciplined. Trump admitted her actions during testimony in an April 26 unemployment hearing and expressed sympathy for the young couple. She claimed, however, she was talking aloud to herself about the test results and didn’t intentionally look up the patient’s chart.
Administrative Law Judge Julie Elder called Trump’s testimony “not persuasive” and sided with the university in denying unemployment benefits and ordering Trump to repay the $4,670 she’d already received. Trump has filed a grievance, which has not yet been resolved.

(The Gazette website)

Tuesday, June 2, 2015

HIPAA Security Basics

Security Rule Principles

It is advisable to periodically review the principles of the HIPAA Rules to remind ourselves of the importance of the regulations. Here we will review the principles of the Security Rule.

The Security Rule is based on three principles: comprehensiveness, scalability and technology neutrality.

·         Comprehensiveness
This refers to the fact that the Security Rule addresses all aspects of security.  This means that security measures address confidentiality, data integrity, and availability.

·         Scalability
This assures that the Security Rule can be effectively implemented by covered entities of all types and sizes.

·         Technology neutrality
This means the Security Rule does not define specific technology requirements, thereby allowing covered entities to make use of future technology advancements.

The Privacy Rule is pervasive and impacts virtually every aspect of operations.  The Security Rule is even more pervasive.  It must be understood and practiced by every person in the office. 

Privacy and Security are tightly linked.  The following chart shows the similarities between the Privacy and Security standards.

Privacy Standard: Complementary Security Standard

·         Minimum Necessary: Information Access Management; Access Controls
·         Verification of Identity and Authority: Person or Entity Authentication
·         Sanction Policy: Sanction Policy
·         Training: Training
·         Business Associate Contracts: Business Associate Contracts
·         Policies and Procedures: Policies and Procedures
·         Privacy Compliance Officer: Security Compliance Officer
·         Uses and Disclosures: Information System Activity Review
·         Complaints to the Covered Entity: Evaluation; Incident Procedures
·         Safeguards: Facility Access Controls; Workstation Security; Device and Media Controls

The Security Rule is not just about technical controls; it is about people doing what they are supposed to do.  It is focused on PHI when it is maintained in your computer systems and as it is transmitted throughout an internal or external network or in any other “electronic media”.  The Security Rule standards safeguard ePHI (electronic PHI) from unauthorized access, alteration, deletion, and transmission.

You should be able to fit the Security Rule to your needs – whether you have a small office or a large clinic.  The Security Rule emphasizes being reasonable and appropriate.

Reasonable and Appropriate
The Security Rule specifically lists factors to be considered when deciding which security measures to use.  These factors are:

·         Size, complexity, and capabilities
·         Technical infrastructure, hardware, and software security capabilities
·         Costs of security measures
·         Probability of potential risks to ePHI

The Security Rule cautions that cost is not meant to free covered entities from their responsibility to implement adequate security measures.

Risk Analysis and Risk Management
The Security Rule specifies that you must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI your practice holds and implement security measures that are reasonable and appropriate to reduce risks and vulnerabilities to an acceptable level.

Technology Neutral
The concept of technology neutrality is based on the fact that information technology changes very rapidly.  A technology neutral standard allows the Security Rule to be stable, yet flexible enough to take advantage of the newest technologies available.

Monday, June 1, 2015

Recent LEIE Database Updates

LEIE Database Updated
The “Updated LEIE” database file reflects all OIG exclusion and reinstatement actions up to, and including, those taken in April 2015. This new “Updated LEIE” (List of Excluded Individuals and Entities) is a complete database file containing all exclusions currently in effect. Individuals and entities that have been reinstated to the federal healthcare programs are not included in this file.
The new file is meant to REPLACE the “Updated LEIE” file made available for download last month. The new file is complete and need NOT be used in conjunction with the monthly exclusion and reinstatement supplements. Alternatively, you may wish to download only the April Exclusions or Reinstatements databases, which are posted as the “Current Monthly Supplements.” All the updated files are posted here.
All of these downloadable files are zipped, self-extracting .dbf files, meaning that they will not open automatically when you click on the links. After you have downloaded the files to your computer and inflated them, the files must be opened into either a spreadsheet program such as Excel, or a database program such as Access. Basic download instructions and an instructional video are provided on the page where the updated files are posted.
Finally, it should be added that the full LEIE database, complete with all the monthly updates, is included in the OIG “Online Searchable Database,” which is very user-friendly and may be accessed here.

(OIG website)
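The screening step the announcement leaves to Excel or Access, as an added example that is not OIG's code: a minimal reader for the dBase III .dbf layout the LEIE ships in, followed by a check of a staff roster against it, matching on NPI where one is on file and on last+first name otherwise. The column names LASTNAME, FIRSTNAME, NPI, EXCLTYPE and EXCLDATE are assumed from the LEIE download layout; every name and NPI below is constructed, and the .dbf image is built in memory rather than downloaded.

```python
import struct

# Column names assumed to match the LEIE .dbf (LASTNAME, FIRSTNAME, NPI, EXCLTYPE,
# EXCLDATE); the field widths are chosen for the constructed sample only.
FIELDS = [("LASTNAME", 20), ("FIRSTNAME", 15), ("NPI", 10), ("EXCLTYPE", 9), ("EXCLDATE", 8)]

def build_dbf(rows):
    """Write a minimal dBase III .dbf image in memory (used only to construct the sample)."""
    hdr_len, rec_len = 32 + 32 * len(FIELDS) + 1, 1 + sum(n for _, n in FIELDS)
    out = bytearray(struct.pack("<B3BIHH20x", 3, 15, 6, 1, len(rows), hdr_len, rec_len))
    for name, length in FIELDS:                       # 32-byte field descriptors, type 'C'
        out += struct.pack("<11sc4xBB14x", name.encode(), b"C", length, 0)
    out += b"\r"                                      # 0x0D ends the descriptor array
    for row in rows:                                  # record = flag byte + fixed-width text
        out += b" " + b"".join(v.encode().ljust(n)[:n] for v, (_, n) in zip(row, FIELDS))
    return bytes(out + b"\x1a")

def read_dbf(data):
    """Parse a dBase III .dbf byte string into dicts, skipping soft-deleted ('*') records."""
    nrec, hdr_len, rec_len = struct.unpack_from("<IHH", data, 4)
    fields, off = [], 1                               # offset 0 of each record is the flag byte
    for pos in range(32, hdr_len - 1, 32):            # one 32-byte descriptor per column
        name, _ftype, length = struct.unpack_from("<11sc4xB", data, pos)
        fields.append((name.rstrip(b"\x00").decode(), off, off + length))
        off += length
    rows = []
    for i in range(nrec):
        rec = data[hdr_len + i * rec_len:hdr_len + (i + 1) * rec_len]
        if rec[:1] != b"*":
            rows.append({n: rec[a:b].decode("latin-1").strip() for n, a, b in fields})
    return rows

def screen_roster(leie_rows, roster):
    """Return (person, EXCLTYPE, EXCLDATE) for roster entries that match an exclusion."""
    by_npi = {r["NPI"]: r for r in leie_rows if r["NPI"]}
    by_name = {(r["LASTNAME"].upper(), r["FIRSTNAME"].upper()): r for r in leie_rows}
    hits = []
    for person in roster:
        key = (person["last"].upper(), person["first"].upper())
        match = by_npi.get(person.get("npi", "")) or by_name.get(key)   # name hits: review manually
        if match:
            hits.append((person, match["EXCLTYPE"], match["EXCLDATE"]))
    return hits

SAMPLE_LEIE = build_dbf([("DOE", "JANE", "1234567893", "1128a1", "20140115"),      # constructed
                         ("SMITH", "ROBERT", "", "1128b4", "20130601")])          # sample rows
ROSTER = [{"last": "Doe", "first": "Jane", "npi": "1234567893"}, {"last": "Smith", "first": "Robert"},
          {"last": "Lee", "first": "Ana", "npi": "1987654321"}]                   # constructed roster
```

Because the "Updated LEIE" file contains only exclusions currently in effect, any hit from screen_roster is an active exclusion; a name-only hit still needs a manual check of the other identifying columns.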