HITRUST CSF Certification validates PHI disclosure management firm is committed to protecting sensitive information and meeting key regulations, industry expectations
On Thursday, May 17, 2018 my colleague, Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services and I presented the second part of our four-part healthcare compliance webinar series. In this webinar titled “Healthcare Regulatory Updates and Guidance,” we covered some of the following key points:
Global Data Privacy Rule (GDPR)
The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights on how data is collected and used regarding EU residents. This rule also applies to organizations outside the EU, such as the US, if it collects data.
Substance Abuse and Mental Health Services Administration (SAMHSA)
SAMHSA released an update in January 2017, which allows organizations to utilize an inclusive authorization whereby this sensitive information may be shared with an HIE or within an integrated delivery system which affords these patients with the same rights to high-quality care by allowing care givers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”
Disclosures for Emergency Preparedness
Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.
Cybersecurity and Ransomware
Ransomware has forced health IT to get more aggressive towards increasing their security safeguards and protections against attacks through infected mails and websites. Attendees were reminded that the best ways to prepare and combat these attacks include:
- Risk analyses and gap analyses
- Ongoing end-user training
- Appropriate and up to date patching
- Utilization of advanced security protection tool
To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.
Texting in Healthcare
Texting in healthcare can be a risk if not done so by meeting the technical safeguards of the HIPAA Security Rule. These safeguards include:
- Access to PHI must be limited to authorized users who require the information to do their jobs
- A system must be implemented to monitor the activity of authorized users when accessing PHI
- Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
- Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
- Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit
Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:
- Restitution back to victims who were harmed by a violation of HIPAA
- Consideration to remove NPP signature forms
- Good faith disclosures (related to Opioid crisis)
- Potential changes in the requirement related to accounting of disclosures
Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.
Receive a copy of the part 2 webinar recording and a PDF of the slides
Using AHIOS’s CRIS test to evaluate Release of Information competencies of their staff is a best practice that every healthcare provider organization should consider to protect patient privacy and mitigate risk. Mariela Twiggs, MS, RHIA, CHP, FAHIMA, Director of Motivation and Development for MRO, and Education Chair for AHIOS, discusses the importance of using this powerful tool.
In an HFMA blog, MRO’s Don Hardwick, Vice President of Client Relations and Account Management, describes business office PHI disclosure workflow options, which lead to greater efficiency, improved billing processes and decreased denials.
In an HCCA Compliance Today article, MRO’s Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, discusses privacy dashboards and best practices for HIPAA compliant PHI disclosure management.
Managing the release of Protected Health Information (PHI) is more complex than ever, due to evolving federal regulations, patient access rights, and pressure to manage and exchange health information electronically. With multiple departments releasing PHI, there are concerns and risks across the entire enterprise. For individuals whose primary tasks do not include PHI disclosure, privacy regulations are not foremost in their thoughts. Without ongoing education and process change, the potential for breach risk escalates. To mitigate risk, it is recommended that organizations centralize their Release of Information (ROI) and use privacy dashboards and data analytics technology.
Centralize Release of Information to Improve Privacy Compliance
Healthcare organizations should assign PHI disclosure and ROI tasks to a focused group of professionals who understand the regulations, receive ongoing education on changes, and realize the complexities of the process. This way, one department will have total control and responsibility of maintaining appropriate records of what information has been released, knowing where it’s going, and when to escalate notification issues. Managing information through one department will improve compliance and patient care.
Use Privacy Dashboards to Track Patterns and Trends
Every privacy incident yields valuable data to improve compliance. Privacy dashboards can be used as a powerful tool to show patterns and trends for smaller incidents — now being tracked by OCR — and for large events as well. Regardless of size, an organization’s ability to consistently identify and track trends is essential. You can find a list of all the features an effective compliance tool should provide in “Privacy dashboards: Tracking and reporting for compliant PHI disclosure management,” which appears in the May 2018 issue of HCCA’s Compliance Today.
The most important factors in compliance program management are constant awareness, communication, tracking and reporting through easy access to reliable and actionable data. Privacy dashboards help organizations determine root causes of incidents, so they can take the necessary actions to improve compliance.
Examples of corrective action include:
- Revising compliance policies and procedures
- Providing additional staff training on hospital policy and HIPAA regulations
- Assessing and improving PHI disclosure management processes
- Ensuring encryption of all devices used by staff
As the volume of PHI requests continues to increase over time, so does the risk of breach. Using privacy analytics to identify compliance patterns and trends, improve operational processes, and resolve breach issues is increasingly important. Actionable compliance data has become a critical tool for healthcare organizations along the journey to value-based care.
Learn more about privacy analytics by attending AHIMA’s Live Data Dive Webinar “Privacy Dashboards: What You Should be Tracking & Reporting” on May 9th at 9:30am Eastern. If you cannot make the live session, sign up for the playback webinar recording here.