Health Information Compliance Alert

Published on Thu Apr 17, 2014 PDF

Plus: Get ready now for the next series of HIPAA audits.

Do you need help conducting your security risk assessment? The HHS Office of the National Coordinator for Health Information Technology (ONC) and HHS Office for Civil Rights (OCR) have just the tool for you.

On March 28, the ONC and OCR announced their joint release of a new security risk assessment tool, designed for small to medium sized providers. The downloadable tool is available for use on Windows 7 or an iPad and helps practices conduct and document a risk assessment. The application even produces a report that you can provide to auditors.

“In many ways, the tool is an evolution of the NIST HIPAA Security Rule Toolkit released in 2011,” notes Jim Sheldon-Dean, founder and director of compliance for Lewis Creek Systems, LLC in Charlotte, VT. “It doesn’t make the work any easier, but it makes organizing the information and producing reports a little easier if you’re new to Risk Analysis.”

Beware: But Sheldon-Dean also cautions that if you use the tool well, it could help — but use it poorly, and “it could provide a false sense of security.”

Link: You can access the tool, user guide, and related videos at www.healthit.gov/providers-professionals/security-risk-assessment. 

Prepare Yourself: 2nd Round Of HIPAA Audits Begin Oct. 1

Batten down the proverbial hatches, because HIPAA compliance audits are on their way. Be ready for these audits to avoid hefty enforcement fines and penalties.

On March 14, the HHS Office for Civil Rights (OCR) announced that it will begin its second round of HIPAA audits on Oct. 1. The 2014 audits will investigate providers’ use of data encryption and conducting the underlying risk analysis to determine whether encryption is necessary, according to a March 28 Nixon Peabody LLP HIPAA Law Alert blog posting.

“The 2014 audits will primarily focus on whether covered entities and business associates have conducted timely and thorough security risk assessments,” Nixon Peabody stated. “This means that organizations must have updated their processes for privacy and security of protected health information because HIPAA requirements and standards have changed since Sept. 23, 2013.”

Beware that the 2014 HIPAA audit process will change in accordance to the HIPAA Omnibus Final Rule’s revisions that went into effect in September 2013, Nixon Peabody reminded. Also, OCR will assess “more civil penalties during the 2014 audit series because it has approval to collect penalties that will be used for upcoming auditing and breach analysis.”

Watch The Long Arm Of HIPAA Grab County Governments, Too

For the first time, the HHS Office for Civil Rights (OCR) has handed down a settlement for a county government’s alleged HIPAA violations. And OCR is using this case to send a message that local and county governments, both big and small, are not immune to HIPAA compliance enforcement.

On March 7, OCR announced a $215,000 settlement agreement with Skagit County, WA’s Public Health Department. The settlement arose from a 2011 incident involving the county’s unauthorized disclosure of 1,500 individuals’ electronic protected health information (ePHI), reported partner Thomas Range in a March 13 Health Law Rx Blog posting for the law firm Akerman, LLP.

“The settlement also covered what HHS deemed to be the county’s ‘general and widespread non-compliance’ with HIPAA,” Range said. After an investigation, OCR found that the county had violated the HIPAA Privacy, Security, and Data Breach Notification Rules.

In addition to the monetary settlement, the county will implement an extensive corrective action plan (CAP).

“County, city and local governments should view the Skagit County HIPAA settlement as a warning to review and implement appropriate hybrid entity status and to implement appropriate policies and procedures and employee training regarding PHI,” wrote attorneys Linn Foster Freedman and Kathryn Sylvia in a March 12 Nixon Peabody LLP HIPAA Law Alert blog posting.

ICD-10 Delayed Again — But Don’t Stop Preparing

The entire healthcare community has been abuzz this month about the Protecting Access to Medicare Act of 2014. In a move designed to avert the 24-percent pay cut your practice was due to face on April 1, Congress introduced this bill. 

The resulting temporary fix included another change buried in the text that has a major impact on your practice. Mentioned about one-third of the way into the 121-page bill is a short paragraph that states, “The Secretary of Health and Human Services may not, prior to October 1, 2015, adopt ICD–10 code sets as the standard for code sets.” 

This means that since the bill has been signed into law, ICD-10 will be delayed for at least another year beyond the scheduled Oct. 1, 2014 implementation date.

Remember: This is the second time ICD-10 implementation has been delayed. The original compliance date of Oct. 1, 2013 was officially pushed back a year on Sept. 5, 2012 by the Centers for Medicare & Medicaid Services (CMS). According to CMS, this additional one-year delay of ICD-10 will likely cost the industry an additional $1 to $6.6 billion on top of the costs already incurred from the previous one-year delay.

While many feel this new law and resulting ICD-10 implementation delay is not good for practices, there may be a small silver lining. “I think it is a bad thing because it affects our momentum to crossing the finish line,” explains Laureen Jandroep, CPC, CPC-I, CMSCS, CHCI, senior instructor at CodingCertification.org in Oceanville, N.J. “However, we can use the extra time to prepare even more thoroughly so we can make the best of it. For those that have made the investment getting ready it is frustrating to see their investment loose traction.”

Despite the delay in implementation, experts warn that practices must continue their efforts to prepare for ICD-10 use. “Part of the reason we’re in this situation is not enough people have prepared and petitioned for more time,” Jandroep says. “It is not fair to those that did prepare and are ready or were going to be by the 10/1/2014 date. The changes are in the implementation date, not that it is not coming at all, so prepare on!”

Link: To read the complete text of the Protecting Access to Medicare Act of 2014, visit http://docs.house.gov/billsthisweek/20140324/BILLS-113hrSGR-sus.pdf.