JUser: :_load: Unable to load user with ID: 944

Mnet Health News delivers the latest news and information articles for the world of healthcare.

A+ A A-

HIPAA Unhealthy: Are You at Risk?

By Katie Hebeisen, Communications Specialist

Hospitals and their vendor partners can learn valuable lessons from the underlying facts in Health Insurance Portability and Accountability Act (HIPAA) enforcement actions over the past couple of years. The actions underscore that anybody in a company's workforce, no matter their role, can subject the organization to significant fines and penalties if they do not have a "healthy" understanding of HIPAA. Small errors in judgment - like leaving a laptop in a car or failing to log and respond to patients' requests for information - can subject a covered entity or business associate to significant fines and penalties. The enforcement actions taken against covered entities and business associates alike who erred in HIPAA compliance can teach others what not to do and how they can be more careful with their own patient information.

In ACA International's 2012 Spring Forum session, HIPAA Unhealthy: Gambling on What the 2011 Upsurge in HIPAA Compliance Problems Means, Leslie Bender, president of Bender & Radcliffe, P.A. in Timonium, Md., spoke about HIPAA enforcement actions and the potential privacy and security risks that come with new technology.

Significant HIPAA Enforcement Violations
"If we read between the lines in what has happened in various HIPAA violation cases, we see that the Department of Health and Human Services [HHS] has plunged into a new era," Bender said. "The HHS expects us all to have documented compliance programs, as well as ongoing and meaningful training programs, for all members of our workforce."

Since the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, state attorneys general now also have authority to enforce HIPAA regulations. HHS has run extensive training programs for attorneys general to provide instruction on the details of HIPAA enforcement.

"Attorneys general are zealous consumer advocates and may not be as permissive as the HHS' Office of Civil Rights," Bender said. "As a consequence, we have already seen huge enforcement actions initiated by attorneys general."

The first action taken by a state attorney general involving violations of HIPAA was by the Connecticut attorney general, who brought an enforcement action against a large managed care organization alleging HIPAA privacy and security violations. The attorney general grew skeptical of the practices of the health plan company after the organization misplaced a portable computer disk drive containing significant protected health information (PHI). The attorney general sued the company for failing to secure private patient medical records and financial information and failing to promptly notify endangered consumers about the security breach.

Although there is no evidence that any patients or consumers were victimized by fraud or identity theft, or suffered any loss as a result of misplacing this device, the action required the company to adhere to a corrective action plan and resulted in over $7 million worth of costs to the organization.

In another well-publicized enforcement action, the Minnesota attorney general filed a suit against a business associate alleging the company violated both HIPAA and state law. The action stemmed from a laptop stolen from an employee's vehicle that contained information relating to the patients of the business associate's hospital clients.

"These situations are eye openers," Bender said. "Even if it's a trusted employee, accidents can happen."

Bender explained that the HITECH Act requires everyone involved in the health care arena to comply with every standard and specification whether they are the hospital or a business associate.

"It's very damaging to a company's reputation when every patient in a hospital system is alarmed by receiving notification that their personal information may be at risk," Bender said. "We're not talking about sophisticated hackers or dishonest people conducting espionage; we're talking about human beings making simple mistakes that can end up costing businesses money and reputational damage while increasing the anxiety of affected patients."

Technology Risks
The rising use and reliance on portable technology devices raise further concerns with HIPAA and patient privacy. Portable technology devices attract consumers because they are convenient, affordable and efficient. People want information available at their fingertips, and the Internet is available 24/7.

"The convenience of using these tools may present an enormous opportunity for corruption and cyber risk; therefore, we need to be very careful about training staff on what they're doing and how they're using these tools," Bender said. "Ground rules need to be set now because if employees unknowingly engage in harmful activity and we fail to set expectations in the work force, we are at risk."

One of the latest, most popular trends with the Internet is the use of social media. Social media uses web and mobile-based technology to turn communication into interactive dialogue between parties.

"Many of my health care clients are moving to social media as an easy way to train and attract patients," Bender said. "Patients want to blog about their symptoms and find out from other people how to treat their conditions or how to receive financial assistance."

Social media platforms present a whole new avenue for potential viruses and phishing scams to enter into electronic networks, especially when the platforms consist of chat and instant messenger tools. While some social media applications are safe and harmless, others may provide a tunnel for harmful software to enter computer systems, resulting in damage that the user may not even know has occurred.

According to Bender, traditional security parameter controls are supposed to keep harmful things from coming in, but what if the "bad guys" are already "in" and are trying to send data out? "We need to focus some of our security energy on stopping data theft from leaving our corporate gateways from the inside out; not necessarily from the outside in," Bender said. "More resources are available for people to sell private data today, so we need to keep it inside our private networks."

Bender also noted that the industry is starting to see companies warn their employees against certain types of Internet use, especially when it comes to personal electronic devices.

"When you allow people to bring their own devices to work, you need to think about what the operational challenges are and if they're exposing you to future risks," Bender said. "You can restrict your employees' access on company computers, but they can still access anything they want on their smartphones."

Bender predicts changes may be made to the HITECH Act yet this year to include regulations for security and technology.

"We don't have a crystal ball to understand the implications of the technology we use and like to take advantage of," Bender said. "Technology makes us more efficient, but it also makes the information most sensitive to us vulnerable to risks we cannot necessarily foresee."

Published by Pulse


Health Care Law Delivers Free Preventative Services

The Centers for Medicare & Medicaid Services (CMS) announced on June 11, 2012, that the Affordable Care Act helped 14.3 million people within original Medicare get at least one preventive service at no cost to them during the first five months of 2012. This includes 1.1 million who have taken advantage of the Annual Wellness Visit provided by the Affordable Care Act. In 2011, 32.5 million people in Medicare received one or more preventive benefits free of charge.

Prior to 2011, people with Medicare faced cost-sharing for many preventive benefits such as cancer screenings. Under the Affordable Care Act, preventive benefits are offered free of charge to beneficiaries, with no deductible or co-pay. The law also added an important new service for people with Medicare - an Annual Wellness Visit with the doctor of their choice - at no cost to beneficiaries.

Written by Pulse


U.S. Supreme Court Upholds Affordable Care Act

On June 28, 2012, the U.S. Supreme Court primarily upheld the Affordable Care Act. In a 5-4 ruling, the Court found the Act's individual health insurance mandate, which requires most Americans to obtain health insurance by 2014, is within Congress' constitutional taxing power.

The ruling initially holds that under the Commerce Clause (a Constitutional provision enabling the federal government to regulate interstate commerce), Congress does not have the power to force people to engage in commerce by requiring the purchase of health insurance.

Despite the Court's finding that the Commerce Clause does not authorize the mandate, however, the Court ruled the individual mandate can stand, finding that the penalty the law would impose on people who fail to purchase insurance is essentially a tax. The opinion holds, "it is reasonable to construe what Congress has done as increasing taxes on those who have a certain amount of income, but [who] choose to go without health insurance. Such legislation is within Congress's power to tax."

The Court objected to one provision of the law related to Medicaid expansion. The Court found that the federal government cannot withdraw existing Medicaid funding from states that decide not to participate in an expansion of Medicaid eligibility that the law would require. Chief Justice John Roberts wrote, "[a]s for the Medicaid expansion, that portion of the Affordable Care Act violates the Constitution by threatening existing Medicaid funding. Congress has no authority to order the States to regulate according to its instructions. Congress may offer the States grants and require the States to comply with accompanying conditions, but the States must have a genuine choice whether to accept the offer."

Justices Kennedy, Scalia, Thomas, and Alito issued a dissent, in which they characterized the majority's opinion as a "vast judicial overreaching" and one that "makes enactment of sensible healthcare regulation more difficult, since Congress cannot start afresh but must take as its point of departure a jumble of now senseless provisions, provisions that certain interests favored under the Court's new design will struggle to retain."

Written by Pulse


Department of Treasury Proposes Limitations on Patient Debt Collections

On June 22, 2012, the U.S. Department of Treasury released proposed regulations on a provision in the Affordable Care Act that addresses the collection of unpaid hospital debt. The proposed rules require non-profit hospitals, as a condition of receiving a tax-exemption, to establish billing and collections procedures for patients eligible for financial assistance. It also requires non-profit hospitals to provide patients with the information needed to apply for such assistance.

According to the proposed rule, nonprofit hospitals must:

- Provide patients with a plain language summary of the financial assistance policy before discharge and with the first three bills;

- Give patients at least 120 days following the first bill to submit an application for financial assistance before commencing certain collection actions;

- Give the patient an additional 120 days (for 240 days total) to submit a complete application;

- If a patient is determined eligible for financial assistance during these 240 days, refund any excess payments made before applying for aid and seek to reverse any collections actions already commenced.

The proposed rule also outlines requirements for providing financial assistance, seeks to limit charges and mandates a non-discriminatory emergency medical care policy.

According to the American Hospital Association, approximately 2,900 out of all 5,750 U.S. hospitals are classified as nonprofit institutions.

ACA International will prepare comments in advance of the comment period deadline on Sept. 24, 2012.

Written by Pulse


New Federal Agency to Examine Collections Process

On January 2, 2013 the Consumer Financial Protection Bureau (CFPB) will begin its oversight of debt collection in the United States. In connection with the Dodd-Frank Wall Street Reform and Consumer Protection Act, under the Larger Market Participant (LMP) rule released by the CFPB on October 23, 2012, the final rule defines "consumer debt collection" markets and exclusions, explains how to determine if you are an LMP and offers an examination manual.

Subscribe to this RSS feed