On Thursday, May 17, 2018 my colleague, Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services and I presented the second part of our four-part healthcare compliance webinar series. In this webinar titled “Healthcare Regulatory Updates and Guidance,” we covered some of the following key points:
Global Data Privacy Rule (GDPR)
The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights on how data is collected and used regarding EU residents. This rule also applies to organizations outside the EU, such as the US, if it collects data.
Substance Abuse and Mental Health Services Administration (SAMHSA)
SAMHSA released an update in January 2017, which allows organizations to utilize an inclusive authorization whereby this sensitive information may be shared with an HIE or within an integrated delivery system which affords these patients with the same rights to high-quality care by allowing care givers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”
Disclosures for Emergency Preparedness
Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.
Cybersecurity and Ransomware
Ransomware has forced health IT to get more aggressive towards increasing their security safeguards and protections against attacks through infected mails and websites. Attendees were reminded that the best ways to prepare and combat these attacks include:
- Risk analyses and gap analyses
- Ongoing end-user training
- Appropriate and up to date patching
- Utilization of advanced security protection tool
To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.
Texting in Healthcare
Texting in healthcare can be a risk if not done so by meeting the technical safeguards of the HIPAA Security Rule. These safeguards include:
- Access to PHI must be limited to authorized users who require the information to do their jobs
- A system must be implemented to monitor the activity of authorized users when accessing PHI
- Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
- Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
- Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit
Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:
- Restitution back to victims who were harmed by a violation of HIPAA
- Consideration to remove NPP signature forms
- Good faith disclosures (related to Opioid crisis)
- Potential changes in the requirement related to accounting of disclosures
Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.