Yesterday I had the experience of going into an outpatient surgery center for a procedure. I was presented with a form to sign indicating that I had seen the Notice of Privacy Practices (NPP), but when I asked to see it they had to go searching. When I was presented with the document 15 minutes later, I was saddened to see that it was dated 2003. The notice indicated that it was posted on the wall of the office (it was not) and that it was distributed to each patient on admission (obviously, it was not). I was distressed to see how little energy even an organization the size of an outpatient surgery center has given to implementing HIPAA. I certainly fear for the security and privacy of my data.
A couple of weeks ago, I posted about the amount of time providers have spent implementing the new HIPAA Omnibus Rule that goes into effect on Monday, September 23, 2013. The Notice of Privacy Practices is the most time consuming part of this implementation.
On September 16, 2013, the Office of the National Coordinator (ONC) and HHS Office of Civil Rights released sample NPPs that you can customize and use in your own organization. Please note that these models are templates that are meant for you to edit. Please DO NOT just print them out as they are. You can also use them as models for an NPP that you create from scratch.
You should also know that HHS OCR maintains detailed background information about HIPAA NPPs, implementation of HIPAA, and anything else you can think of related to it. If you have never visited this web site, you should be sure to do so.
Please tell us where you are in implementing the HIPAA Omnibus Rule. Have you updated your NPP? Do you have BAAs with all your business partners who might have access to your PHI? What have you done to include the changes in your procedures and educate your staff? Please share your comments below.
CMS has announced deadline dates for use of the new CMS-1500 form that will be ICD-10 compatible. CMS will begin accepting the new paper form (for those who have a special exemption to send paper Medicare claims) on January 6, 2014. Starting April 1, 2014, Medicare will accept only the new form. The information and links below are from an email notification we received on September 5, 2013.
CMS-1500 Claim Form Updates: Medicare to Accept Revised Form Starting January 2014
The CMS-1500 Claim Form has been recently revised with changes including those to more adequately support the use of the ICD-10 diagnosis code set. The revised CMS-1500 form (version 02/12) will replace version 08/05. The revised form will give providers the ability to indicate whether they are using ICD-9 or ICD-10 diagnosis codes, which is important as the October 1, 2014, transition approaches. ICD-9 codes must be used for services provided before October 1, 2014, while ICD-10 codes should be used for services provided on or after October 1, 2014. The revised form also allows for additional diagnosis codes, expanding from 4 possible codes to 12.
Only providers who qualify for exemptions from electronic submission may submit the CMS-1500 Claim Form to Medicare. For those providers who use service vendors, CMS encourages them to check with their service vendors to determine when they will switch to the new form.
Medicare will begin accepting the revised form on January 6, 2014. Starting April 1, 2014, Medicare will accept only the revised version of the form.
As you know, other insurers will follow CMS’ lead on use of the new form; you will need to find out from them when they will require the new form. SOS, like most other software vendors, will provide the new format for customers with current support agreements. But you will need to purchase the forms and use them…unless you have wisely moved to electronic claim filing!
FierceHealthIT, one of the newsletters I monitor, just reported that the department of Health and Human Services Office for Civil Rights estimates that all healthcare organizations in total will spend 32.8 million hours implementing the new aspects of the HIPAA omnibus rule.
The bulk of that time–30.65 million hours–involves the dissemination and acknowledgement of privacy practices at provider offices, a notice published in the Federal Register reveals.
I recently went into a physicians office and needed to sign an acknowledgement that I had received their notice. Of course, I had not. I looked around to see if one was posted, as some offices do to make it a bit easier. When I did not spot one, I asked to see a copy. After a bit of rummaging in a desk drawer, I was graciously provided with a copy. It was a very nice, plain language policy that could easily have been framed and hung on the wall, or copied and included in the packet of materials I needed to sign. But it was not. I had to ask for it. In my humble opinion, that is not a dissemination of the privacy practices.
How does your organization handle this sharing of privacy practices? Do you provide a copy for every new patient when they arrive at your offices and complete your intake paperwork? Do your staff know exactly where it is located and just what it means in case they are asked? Have you forgotten all about this requirement that HIPAA places upon your organization?
I think this is especially important in behavioral health organizations where people are seen for sensitive reasons. Please share your strategies for disseminating your privacy practices. I would love to know how you handle this. Just enter your comments below.
This week I received an email from the Florida Department of Revenue about classification of workers for tax purposes. With Labor Day upon us, I find myself wondering how your organizations make the decision about whether to treat their workers as W-2 employees or as 1099 independent contractors.
In behavioral health organizations there is often a mix of kinds of workers including licensed professionals, salaried and hourly workers. I am often confused when I hear a customer say that they have 14 counselors and two back office staff, and that they are all independent contractors. That does not fit with my understanding of what an employee and an independent contractor is.
I was surprised to learn that Florida (and many other states) have their own definitions of employee and contractor that are separate from the IRS definitions (additional IRS articles). There appear to be significant overlaps, but the email I received indicated that businesses should review their employment practices to make this determination. If someone believes they were your employee and files for Unemployment Compensation (Reemployment Assistance here in Florida) after you let them go, and you have not been paying those taxes because you have them classified as an independent contractor, you may find yourself with some explaining to do.
How does your behavioral health organization handle the employee vs independent contractor issue? Please share your comments below.
Remember that CBS Evening News report back in 2010 that got everyone panicked about patient data that might be stored on the hard drives of copy machines and other multipurpose machines like combination printer/fax/copy machines?
Well, it turns out there is good reason that any health-related practice that uses such a machine (one that has a hard drive) should panic; in fact there are 1,215,780 such reasons. That is the amount Affinity Health Plan was fined by OCR this month for the potential breach of PHI that was reported in this incident.
I know, this could never happen to you. But are you sure of that? Does your organization own or lease a copy machine? Do you have one or multiple printers that are also copy and fax machines as well as a scanner? What is your organization’s policy for the hard drives in those machines? What about the hard drive in that computer you are using to read this? What is your policy for removing any PHI that might be on it?
If you do not know the answers to these questions, you may not have been properly trained in your organization’s HIPAA policies and procedures. Or you may not even have such policies and procedures. Or the practice you work for did all this before you were hired and you have never been informed. These excuses do not fly when it comes to OCR enforcement.
The Federal Trade Commission (FTC) has guidance on handling copier data. NIST, the National Institute of Standards and Technology, has recommendations on how to sanitize electronic media. And Medscape, among others, offers lots of training on HIPAA security. (You might need to register for Medscape before you can access their materials.)
When was your organization’s last HIPAA training? What did you learn? Please share how you address these issues.
FierceHealthPayer reported that the U.S. Department of Health and Human Services (HHS) has announced the opening of the health insurance marketplace mandated by the Affordable Care Act (ACA). The Exchange enrollment process has begun for individuals and for small businesses who want to try out the new site.
The ACA requires states to set up exchanges or marketplaces where consumers and businesses can shop for reasonably priced health insurance plans that meet the minimum requirements of the law. So far, only sixteen (16) states have taken on that responsibility. The other thirty-four (34) states’ exchanges will be included in the site being developed by HHS.
Take a look when you get a chance. There will not be actual insurance plans up for offer until October 1, 2013, but in the meantime, you can visit the site and read some of the available information and enroll if you like. If you work for an employer who does not provide health insurance and live in one of those 34 states with no exchanges of their own, this is where you will go to shop for coverage. If you are an employer with fewer than fifty (50) employees who is not required by ACA to provide health insurance, there is a section here for you as well. The site is far from complete, but there is already lots of useful information.
Do you already have affordable health insurance? Will you be using the Exchanges to locate coverage for yourself or your business? I certainly will be comparing plans, their coverage and their cost, with our current insurance once the exchange is open!
Several years ago, I sat next to a colleague at a conference. She was CEO of a much-larger-than-SOS behavioral health software company. We were listening to a presentation on costs and duplication of services to chronically mentally ill Medicaid recipients, and the efforts of community mental health organizations to provide needed services with limited Medicaid dollars. We looked at one another and agreed that the only way all of us, including the most vulnerable populations, are ever going to get reasonably priced high-quality healthcare services is when we have a single payer system.
Many of you know that I have spent the past eight years as primary caregiver for my elderly mother. A result of that process is significant experience with the Medicare system. My mother used traditional Medicare: doctors billed for services provided. Medicare and a Medigap policy paid for all covered services. Medicare Part D paid about 60% of medication costs. Our experience with the Medicare system was nothing but positive. Mom paid her extremely reasonable Medicare, Medigap and Part D premiums and she received all the care she needed from caring, outstanding providers.
This morning, I read my issue of FierceHealthPayer. They reported that a new study from Physicians for a National Health Program shows that we could save approximately $592 billion in healthcare expenditures next year if Medicare were extended to all. Gerald Friedman, Ph.D., a Professor in the Department of Economics at University of Massachusetts at Amherst details how these savings could be accomplished through a single payer system proposed in HR 676: The Expanded and Improved Medicare for All Act.
Dr. Friedman’s focus is on administrative costs. You know about those. They include your costs in meeting the requirements of myriad insurers in order to get paid for the services you render to your clients. Those costs include software, claim forms or clearinghouse fees, staff salaries and benefits, long distance charges for hours spent on hold with insurance carriers to verify coverage and object to claim rejections, to list only a few. These costs include insurer’s expenditures for their side of those same processes…and employers costs to shop for, administer, and pay for coverage.
Don’t think about other countries and their health care systems. Think about our 48 years with Medicare. Maybe Dr. Friedman and Rep. John Conyers, Jr. (D-Michigan), author of the bill, are onto something.
When most of us think of threat to the Protected Health Information (PHI) for which we are responsible, we think about breach by outside sources. After all, those of us who work in Behavioral Health and Substance Abuse are highly sensitized to the need to protect the privacy of our clients. Given that, we assure that our electronic systems are protected by adequate security….that the PHI is encrypted, that our firewall is effective, that no one is connecting remotely who should not have access. Right? We don’t as often think about what goes on inside our offices.
This morning, Seth sent the SOS staff an account reported by one of the HIPAA security blogs to which he subscribes. This event sounded very much like two that have happened to customers of SOS. Two staff members leave the practice taking patient information with them in order to feed a new practice/business. Most people immediately think about the theft of the patients by the departing provider. We think about the theft of the PHI and the breach report the practice may now be required to make.
Since the Office of Civil Rights (OCR) started real enforcement of HIPAA including fines, breaches have resulted in settlements averaging $1M each. Six out of nine of those breaches were the result of an insider’s actions, not those of an outsider. The fines mostly came about as the result of investigation by OCR of reports made by the health organization that experienced the breach.
Today I attended a webinar provided by IDExperts. They are one of my favorite sources of information about privacy and security of PHI. While their software may be beneficial to some of our larger customers, it is clear to me that our smaller practices and agencies are very much in need of information and education and could benefit from some of the resources available on their site.
If you think your PHI could ever be viewed by an inappropriate person based on employee mistakes, the loss of portable devices, or the theft of patient information by someone with whom you contract, you need to assure that you have protective policies and procedures in place, that your employees are adequately trained, and that you all follow the needed procedures. Hiring a consultant or buying software to write policies for you and then forgetting about them is a major mistake. You must develop a culture of compliance to assure the safety of PHI. The Ponemon Institute, in a study sponsored by IDExperts, found that only 52% of employers believe they have policies and procedures to prevent and detect unauthorized patient data access. Are you part of that 52% or of the 48% who do not have adequate policies and procedures to protect your PHI?
What does your organization do to protect PHI? What is your role in whatever your organization does? When was your last HIPAA Privacy/Security training? Do all staff attend including providers and executive staff? Do you have Business Associate Agreements with all the businesses who might have access to your PHI? If I were to come to you as a client, would I feel assured that my PHI is protected from preying eyes and secure from threat?
Please share your thoughts and comments below.
Since returning to the office regularly after my intermittent absences of the past year, I have had a difficult time renewing my weekly blogging schedule. In order to ease back in, I have decided to do very short blog posts that will provide information that has come across my desk recently. I am hopeful this will help me get back into a rhythm of regular posting and also get useful information to you. Once I have a regular pattern re-established, I will add in longer posts. Thanks for bearing with my changes and transitions.
As a resident of the state of Florida, I was very glad to see an article this week in FierceHealthIT reporting that several states, including ours, have begun working together to assure access to health information during a disaster. Hurricanes are a big concern for us here. Since my Mother was displaced from Louisiana to Florida by Katrina in 2005, we have seen precious little movement to assure that, eight years later, patients will continue to be treated properly when they do not have access to their own physicians and pharmacies.
The new collaboration described in this article will allow exchange of health records for persons displaced from their homes by widespread disaster. The states participating are Alabama, Georgia, Louisiana, Florida, South Carolina, North Carolina, Virginia, Michigan, Wisconsin and West Virginia. The plan is to have connection with at least one other state through a Health Information Exchange (HIE) to assure access to patient records. The Southeast Region HIT-HIE Collaboration (SERCH) Final Report published in July of 2012 explores the legal and technical details required of such a project.
A guidebook prepared by the Agency for Healthcare Research and Quality (AHRQ) provides information for providers on how to connect into a system that will allow sharing of information in case of emergencies like natural disasters. A Guide to Connecting Health Information Exchange in Primary Care was published by AHRQ in May of 2013.
These projects aimed at linking local records to regional systems to be shared in case of emergency may at some time help all of us. This is just a beginning step toward solidifying what electronic health records can do for us.
Please share your thoughts about this kind of healthcare information exchange in the comments below. Thanks for reading.
This post on ICD-10 preparation and implementation is offered by Manon Faucher, SOS’ Lead Support Tech.
“Is SOS ready for the implementation of the ICD-10 codes?”
SOS has received many calls and e-mails from our customers asking us this question. Actually we should be asking you, ‘Has your practice implemented a process for the adoption of the new ICD-10 codes?’ Have you researched and planned for training of your providers and staff? Once you have trained your staff who will be responsible for revising all your accounts and assigning the new ICD-10 codes? Will you have someone overseeing and reviewing the process to assure the proper codes are used? As you can see, most of the intensive labor will not be on SOS but will be on your practice.
There are many online documents that will provide transition planning guides, resources and training information. You need to start researching your options now. Various sites such as those offered by the Centers for Medicare and Medicaid Services (CMS), American Psychological Association (APA), and the Centers for Disease Control (CDC) are great sources of information; and right now, information is your friend. The more you and the staff of your organization can learn about the ICD-10 codes related to the ICD-9 codes you currently use, the better prepared you will be.
It is important that you remember that there will NOT be a one-to-one code conversion utility or methodology to translate an ICD-9 code to an ICD-10 code. There are tools available to help you know which codes to use, but if you enter one ICD-9 code these tools will return multiple possible ICD-10 choices. Your clinicians must choose among the options…or provide enough information for your coding specialist to do so intelligently. SOS will NOT have a utility built into the system to convert the ICD-9 codes, but we will make it easy for you to link to your favorite crosswalk site to do look-up as you have the need.
To answer the question above, SOS has the ability to include both ICD-9 and ICD-10 codes in our next generation of software. On October 1st, 2014 the program will start including ICD-10 codes on your claims by default. If some insurance companies are not ready on October 2014 to receive the ICD-10 codes, you can set these insurance carriers to include ICD-9 instead. This can be done on a payer by payer basis.
As a note, ONLY the 5010 ANSI format will allow for the ICD-10 codes. If you are using any of SOS Electronic Claims Modules (this does NOT include the ‘Export CMS 1500 form for 3rd party products’), you do not need to worry. If you are using different Electronic Claim software you need to verify that by October 2014 they will have the ability to send in the 5010 ANSI format.
Has your organization begun preparations? What are you doing to get ready? Please share your experience in the Comments below.
As many of you know, I have spent much of the past year taking care of my elderly mother. While she had lived with us since Katrina flooded her home in New Orleans in 2005, this past year has required the greatest amount of hands-on caregiving. Mom died on May 6, and I find myself thinking a great deal about her personal experience of the process of dying…and how we treat the elderly in this country. This is a huge area worthy of many a dissertation; this will certainly not be an exhaustive take on this topic and may be very subjective.
First, I should state pretty clearly my basic assumption: I believe we have not done ourselves any favors by extending human life for as long as we have without providing the elderly with a meaningful and satisfying place within our communities and our homes. Secondly, in this article, I am talking about the very elderly and those in significant decline. Even those who have stayed healthy and active well into their eighties are frequently shunted into custodial care and isolated from their families and their communities when they approach death. I think this is an unconscionable shortcoming of U.S. culture. Life without a meaningful role is not worth much; life in poverty and isolated from others for no reason but ‘being old’ is a crime. Below are a few thoughts about five areas I consider important.
Places to live
In Florida where I live, and in many other places with a large senior population, older adults have isolated themselves in communities for active, over-55 residents. These communities have the reputation of feeling like a resort…at least, until debilitating illness strikes or infirmity makes continued independent living difficult. Then these retirement communities have the same problems as any other neighborhood in which a person might choose to live. Doctors’ offices are a drive away and transportation and drivers are limited. Houses are built with no thought to canes and walkers and wheelchairs; doorways are too narrow, stairs are too frequent, bathtubs are impossible to step into or get out of, counters and appliances are too high. And in many communities there is often an additional problem; the elderly residents are far away from their children or other closely connected people who are able and willing to assist them. In 2011, almost half (47%) of women over 75 lived alone. In 2009, 14.3% of adults 85 or older lived in an institutional setting rather than in their own home. A small percentage live in some other kind of community-based residence ranging from communal farms to Continuing Care Retirement Communities (CCRC’s). Even so, there are not yet enough good choices.
Activities/jobs/functions that maintain involvement and contribute to the community well-being
One of the biggest problems we encountered when Mom moved into our home was that she had been displaced and no longer had a community of her own. Most of her dear friends and family were still loving somewhere in Louisiana. She was in shock because of the loss of her home and her community and was unwilling and unable to undertake the work needed to develop friendships here. At 85, the effort to build a new community was outside her capabilities. I would venture a guess the same might be true for many people at that age.
Doctors in Florida believe they are the best at taking care of the elderly. They have lots of experience at it and often do a very good job. Our overwhelming experience was of very good care; my experience was that the amount of and complexity of care was overwhelming. Without me or someone equally knowledgeable as an advocate, it is my hunch that Mom would have floundered when faced with the choices with which she was presented.
The right to receive and to refuse treatment
Even given the high quality of the care she received, the tendency of physicians and the system is to provide a great deal of care…many medicines, recommendations for procedures and surgeries, frequent visits. Part of my job was to support her in her decisions about her care, especially when she decided “no” to something. Even given her leaning toward little care, the number of medications prescribed for her was high. The pressure to accept treatment is significant. Early on in her stay with us, one doctor told me that declining an endarterectomy (a high risk procedure with little upside for an 86 year old) was irresponsible; we were certainly inviting stroke. We did not return to that physician.
To their credit, physicians are charged with curing/helping/fixing their patients…even if their patient is over 85; but is this what we really want? And how is a compliant patient who is used to doing what her doctor recommends supposed to turn down what is offered and even expected? How much do we actually have a right to refuse treatment?
The right to die at home with excellent care
And then we get to the biggest, final question…how does one arrange to be taken care of and to die at home while also having excellent care? Fortunately, there is an answer to that question…hospice care. When cure is no longer the focus, when an elderly person has begun a significant decline and is failing to thrive, hospice care may be the kindest, most satisfying way to be comfortable, to be cared about, and to be cared for respectfully. One of the largest benefits to the person dying is the support provided to the primary caregiver, making it possible for them to continue providing care and to remain loving during the process. It certainly was one of the most helpful things Mom and I experienced in the last three months of her life. Warm, cheerful, supportive caregiving assistants taught me how to lovingly allow her to die.
Many of you have privately shared some of your own caregiving experiences. I hope you and others will weigh in here. I am sure you have thoughts we can all benefit from. Just enter your comments below.
NOTE: Trish Merchant, our SOS Business Development Manager, stepped up to my request for guest bloggers. Hope you find her information useful.
Recently, we’ve had a few customer support calls asking about PQRS. I thought it would be a good subject to share on the SOS blog.
PQRS or Physician Quality Reporting System is a voluntary reporting program that uses a combination of incentive payments and payment adjustments to promote reporting of quality measures for services in the covered Physician Fee Schedule (PFS) by eligible professionals. While the program is considered voluntary, starting in 2015, eligible professionals who do not satisfactorily submit data on quality measures will see a payment adjustment in their Medicare claims.
According to the CMS website, the PQRS program provides an incentive payment to practices with eligible professionals who provide and report on certain services. Eligible professionals are identified on the claim by their NPI or Tax ID number. SOS customer organizations with eligible professionals can choose to report data via their Medicare Part B claims. Other ways to report include using a registry; reporting directly to CMS via qualified EHR system; or using a qualified PQR data submission vendor.
Participating in this program where eligible professionals satisfactorily submit quality measures data, via one of the above mentioned reporting vehicles, will qualify a provider to earn a PQR incentive payment. The percentage of the payment is based on Medicare Part B Physician Fee Schedule and is an estimate of allowed charges for a covered professional service that was rendered during the same reporting period. Percentages and documents for this incentive vary from year to year so it is important to verify the correct documents are reviewed.
To learn more about this program and how to get started, please visit the CMS website. For questions on how to set up SOS Office Manager for these services, SOS customers with current support agreements can contact the SOS Support Desk.
Several times in the past few of years, I have mentioned that I am the primary caregiver for my almost 93 year old mother. Last week, she took a fall that has left her in terrible pain and needing a great deal more assistance.
In addition to getting help from others, I am trying to implement some of the suggestions that I have read about. While resources are available, many of us do not find them in time to be of real assistance to us.
One decision I have made is that it is time to set priorities and to follow through on them. I will be going to the medical equipment store today to look at hospital beds. On Thursday, we will get an order from the doctor for home health care assistance. Hopefully, on Friday I will be able to get input about sitters and the like.
In the meantime, I will need to put this blog on hiatus. If I can get some of my co-workers to do a post, there will be something here. If I get inspired and have some found time, I will do a post. Otherwise, I will leave you until things quiet down on the home front.
Thanks for reading. Hope to talk to you again soon.
I know you thought that all your HIPAA policies and procedures were in place and that you were finished with learning about how this law affects you. I am sorry to say that you were wrong.
The HIPAA Omnibus Rule has finally been released. According to FierceHealthIT, HHS released the Omnibus Rule to simplify compliance actions that must be taken by affected entities.
The four rules that combine to create the omnibus final rule include:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
- Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
- A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
- A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.
Read more: HHS unveils final HIPAA omnibus rule - FierceHealthIThttp://www.fiercehealthit.com/story/hhs-unveils-final-hipaa-omnibus-rule/2013-01-17#ixzz2JZe5a824
Ascertaining the impact of this Omnibus rule could be a while in the making, but HIPAA commentators have begun their assessments. I will be attending a webinar hosted by IDExperts on February 6 in an attempt to start to understand just what has been changed and to try to get an idea about how that affects us and our customers.
On January 30, FierceHealthIT indicated that providers must attend to at least four areas:
Monetary penalties aside, four areas of the rule that will have a significant impact on providers are:
- A change that makes business associates and their subcontractors liable for breaches of personal health information
- An enhanced right for patients to obtain electronic copies of their records
- An enhanced right for individuals to request restrictions regarding disclosure of their PHI
- A change to the breach notification rule in which any disclosure of PHI is presumed to be a breach
Read more: Handling HIPAA: 4 new provisions providers must know - FierceHealthIT http://www.fiercehealthit.com/special-reports/handling-hipaa-4-new-provisions-providers-must-know#ixzz2JZmdjFI7
That fourth area, the breach notification rule, is one that could affect anyone who handles PHI. Any disclosure of PHI is presumed to be a breach.
When the Interim Final Rule was released in 2009, the notion of assessing whether any significant “harm” had occurred to those whose data had been lost or viewed inappropriately was introduced. David Harlow, author of HealthBlawg discussed the current change in FierceHealthIT. The bottom line for Mr. Harlow is this:
… the default assumption is that any irregular release of PHI is a breach, with no subjective standard of harm getting in the way. The covered entity or business associate unfortunate enough to have suffered this breach may either (a) immediately acknowledge that it is, in fact, a breach, and rev up the notification machinery (notice to data subjects, the federales–possibly for posting on the Wall of Shame–and the press, as appropriate, based on the size of the breach) or (b) decide that a risk assessment is necessary, and begin its assessment of at least the four factors highlighted in the regulation.
Read more: Uncertainties surround new HIPAA breach notification rule – FierceHealthIThttp://www.fiercehealthit.com/story/guest-commentary-uncertainties-surround-new-hipaa-breach-notification-rule/2013-01-29#ixzz2JZiJrwSa
What impact will this have on you and your organization? If you allow PHI to be released contrary to your policies and to the law, how will you proceed? Do you know? Who is your Privacy Officer? Do they know?
Time to wake up the HIPAA education machinery again! …or for the first time if you do not have such machinery in place.
Last week when I wrote about violence in our lives, I mentioned my concern that the immediate focus after mass shootings is so often the mental health of the shooter. I also mentioned that the mentally ill are no more likely than the public at large to commit acts of violence.
This morning, my partner Seth mentioned his concern that the focus on the possible mental health issues of individuals who want to own and carry guns potentially presents a whole raft of HIPAA concerns. After all, how do we define mental illness? And who has a right to know what diagnoses have been applied to which people? How do background checks access this information?
Also this morning, a feminist therapist friend shared a link that I had to pass on to you. The speech to which this link will direct you is written by Paula J. Caplan, Ph.D. Dr. Caplan is an articulate and often entertaining psychologist who frequently points her sharp and well-focused eye on the inequities of our culture. She too has concern about how we utilize the issue of so-called mental illness to divert ourselves from the issues of violence in our culture.
Please take a look at her speech on stopping gun violence given yesterday. I would love to hear your comments.
Several ideas have been swirling around in my head for this week’s blog post. The one that emerged today wins, hands down. I am a believer in Carl G. Jung’s concept of synchronicity. When three or four separate but related items come across my desk or inbox at one time, I believe they are connected in some fashion and should be addressed.
This morning I received an email from the Office of Civil Rights listserv on HIPAA Privacy and Security. It contained a link and reference to a letter of clarification written by Leon Rodriguez, Director of OCR.
In light of recent tragic and horrific events in our nation, including the mass shootings in Newtown, CT, and Aurora, CO, I wanted to take this opportunity to ensure that you are aware that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not prevent your ability to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when you believe the patient presents a serious danger to himself or other people.
The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes, such as when a provider seeks to warn or report that persons may be at risk of harm because of a patient. When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat.
Given all the discussion about mental health interventions related to the perpetrators of the recent violence, Director Rodriguez clearly felt it was necessary to remind healthcare providers of all stripes that the law does not prevent them from involving the authorities when they believe an individual is potentially dangerous.
I was educated in the Tarasoff era. It was controversial, but clear, that mental health providers have a clear duty to protect the intended victim of a violent action to be committed by one of their patients. That protection may well include the duty to warn the potential victim. Given the occurrence of mass killings in recent years, it is easy to wonder if we all ought to behave as if we have at least a moral responsibility to notice and to notify the authorities about the potentially dangerous behavior of others.
As a former mental health provider, I worry about the tendency of our country to blame violent behavior on mental illness. As research in the area indicates, the relationships among mental illness, drug abuse and violent behavior are complicated, at best. Social factors such as ‘poverty, family history, personal adversity, and stress’ also feed into this complex equation.
On January 15, 2013, President Obama presented proposals to control the sale of certain kinds of guns and the ammunition they use. He also proposed a whole raft of other actions that will hopefully make our awareness and ability to intervene before violence occurs an easier job.
The knee jerk reaction of the NRA and other defenders of the ‘right to bear arms’ has been loud, and people seem to quickly line up in one camp or the other. That is why I was so struck by the post of a Friend of a Friend on Facebook that I shared his statement on our SOS page. You may not be able to get to it unless you are a registered user of Facebook, but if you are, please take a look. This is a well thought out, rational, and personal reaction to some of the responses to the President’s proposals.
One of those proposals is that teachers and others who interact with young people need to learn more about the mental health issues that might help them identify youngsters who are in need of assistance. Linda Rosenberg, President and CEO of The National Council for Community Behavioral Health shared her take on President Obama’s proposals.
As part of his recommendations to protect our communities from gun violence, President Obama today rightly called for Mental Health First Aid training to help teachers and staff recognize the signs of mental health disorders in young people and find them appropriate care.
The youth version of Mental Health First Aid is an evidence-based training program to help citizens identify mental health problems in young people, connect youth with care, and safely deescalate crisis situations if needed. The program, focusing on youth ages 12 to 25, provides an ideal forum to engage communities in discussing the signs and symptoms of mental illness, the prevalence of mental health disorders, the effectiveness of treatment and how to engage troubled young people in services.
Mental Health First Aid has become a major push for The National Council. Information and resources are readily available.
After all is said and done, we get to the bottom line. What should people do if they find themselves in an active shooting situation? This is not a thought most of us want to entertain, but first-responder agencies have always believed that being prepared for an emergency greatly increases a person’s chances of surviving a dangerous situation. With a grant from the Department of Homeland Security, the Houston Police Department has prepared an excellent video about surviving an active shooter event.
Events like the Sandy Hook School shootings stir up primal reactions for most of us. It is important that we not shut those reactions down. Instead, we need to open ourselves to many possibilities of how we and our communities need to intervene to assure that we and our children are as safe as is reasonably possible.
Please share your comments, experiences, concerns below.
Several years ago, I stopped making New Year’s resolutions. I had always been pretty good at accomplishing goals I set, but I was starting to find it harder and harder to follow through on something like those annual resolutions. I was also finding it hard to locate particular words when I was looking for them; and I long ago decided that if something is not written down, it does not exist…at least not for me and my overburdened memory.
My proposed solution to the challenges facing my aging brain is something Seth and I named ‘Google Brain’. It is the chip that will be implanted into our brains to be augmented by Google’s outrageous computers and search capabilities. While I have no advance knowledge of Google working on such a project, I have hope that they are doing so…and that it will be available while I can still benefit from it. They are even welcome to the name I have chosen for their project!
Several things have popped into my awareness lately to make me hope my fantasy will one day be a reality.
At the beginning of January, some psychology colleagues on a technology listserv of which I am a member mentioned an episode of 60 Minutes in which a young man successfully participated in a stair-climbing event in a 103-story Chicago building. This man has a prosthetic leg that he controls by his thoughts.
Another colleague responded indicating that there are many projects in the works that extend that same technology. Neuroscience has become the ‘hot’ research field related to mental health and behavior. It has many practical applications, but can seem so complicated as to be off-putting to some. That is why a video explaining some of the technology and research tools being used is so delightful. This is a clear and visually appealing explanation of semantic mapping in the brain, something that has fascinated me since the very early brain research demonstrated the storing of memories in particular regions of the brain, and their recall through electrical stimulation during brain surgery. The use of fMRI to advance this purpose is very exciting. These are important arenas for behavioral health providers to be informed about. It might well be the future of this field.
We certainly are approaching what many of us thought might be the distant future. Verizon together with cellphone producer HTC has started to communicate the image of humans enhanced by technology with their Droid DNA phone and ads. Google released their new Google Glasses in 2012. These are glasses enhanced with computer, camera, and internet connectivity. When I wrote about two books that used these glasses and fMRI in 2011, I knew the technology was available somewhere but did not know it would soon be here for the rest of us to start to access.
I love finding out about technologies like this that may be available to all of us in my lifetime. Maybe I will even be able to make and carry out New Year’s resolutions again with the help of some of these tools-in-the-making. Are there things in your world that provide the same kind of excitement and hope for you? New tools, new toys, new ideas? Please share your comments below.
The horrible shootings in Newtown, CT this past week have again reminded us of how fragile human life is. Others have more eloquently addressed this tragic loss than I am able to do.
Often in a circumstance like this, it becomes clear that the perpetrator experienced mental health issues that were inadequately addressed. The behavioral health community jumps to the defense of the mentally ill immediately citing the very low incidence of violence caused by the mentally ill. Rather than become defensive, I think we need to be open to hearing and acting upon other perspectives on such tragedies.
My niece is an educator. Yesterday, in her blog, she posted a take on these events that we should all consider. Please take a look at her post, One Educator’s Response to the Sandy Hook School Shooting.
Please feel free to share your comments here and at Kami’s blog.
Do you use a laptop that contains patient information? Do you have a list of your patients with their telephone numbers, email addresses and appointment schedule in your smart phone? Are those devices encrypted?
The number of mobile devices we utilize to conduct our businesses has expanded beyond belief. What can we do to make sure that our patient data is not at risk if we utilize these devices to access their information? As providers of behavioral healthcare services, we have special responsibility to protect the sensitive information related to the care of our clients.
The U.S. Department of Health and Human Services is very concerned about the spread of these devices and their innate insecurity. They have developed a special section of their healthit.gov web site to focus on these privacy and security needs.
The HHS video on the topic focuses on five issues:
- Lost mobile device
- Stolen mobile device
- Downloaded virus or malware
- Shared mobile device
- Unsecured Wi-Fi network
Take a look when you get a chance and learn more about how to protect PHI when using mobile devices. And don’t forget, encryption gives you ‘safe harbor’ under HIPAA, even if you were to experience a data breach.
Does your organization have policies about using mobile devices to access PHI? How do you manage your experience with mobility? Please share your comments below.
I live in Florida. As I read the newspaper today, I was appalled to see that Florida Tea Party members were testifying before the state legislature encouraging them…no insisting…that they flaunt the Federal Affordable Care Act insisting that it is illegal in spite of the Supreme Court decision to the contrary.
Then I read a new issue of FierceHealthPayer, an industry newsletter for Healthcare Plan Executives. This issue had two separate articles and a commentary that made me wonder how we will possibly get to affordable healthcare in this country.
The first article reported that the American Medical Association (AMA) has reviewed health plans across the country and opined that 70% of commercial insurance markets are anti-competitive. This means that in 70% of the locales in this country, the vast majority of the health insurance is provided by one company. One of the primary arguments of the insurance industry and their Congressional supporters against a single payer national health plan is that competition is necessary in order to achieve quality and control costs. If that is so, we will not get to affordable care or adequate quality given this current anti-competitive situation.
The second article discusses the trend toward self-insurance on the part of large employers. There has been a steady increase since 2006 in the number of large employers who are managing administrative costs and avoiding variable state laws by self-insuring. In 2011, approximately 60% of workers were covered in a self-insurance program run by an employer. Small employers generally do not have this option. The risk of self-insuring for a small group is much greater than the outrageous cost of group coverage through one of the major insurance companies. Self-insurance often tries to control costs by limiting benefits.
The final item that grabbed my attention is a commentary in this same newsletter. The editor reported on the confused state of smoking cessation coverage among private insurers. She pointed out the requirement in the Affordable Care Act for such coverage and the indications by surveyed insurers that they do include smoking cessation coverage.
Yet when Georgetown researchers studied 39 health plans, they found that none of them took all of these vitally important steps: clearly stated that tobacco cessation treatment is covered; provided coverage for individual, group and phone counseling and tobacco cessation medication; provided treatments with no cost-sharing for members; and provided access to treatment without members having to meet prerequisites.
Read more: Why wouldn’t insurers cover smoking cessation? – FierceHealthPayer
These are the factors that are most likely to result in successfully quitting the use of tobacco products. You would think that insurers would want to have this particular benefit in their plans and that it be used. After all, the direct medical costs and productivity losses caused by smoking-related illnesses each year is almost $200 million.
The juxtaposition of these four items today reminds me of my personal conclusion…we need a single-payer national healthcare system if we are ever going to get our costs under control and provide quality healthcare services to most U.S. residents. Just by removing the 22% growth in earnings posted by the five major insurers in 2010, we might get a start on controlling some of the costs involved. Standard benefits across the country would make the system easier and more consistent for employers with workers in multiple states. And real implementation of preventive measures like smoking cessation would make all of us healthier.
And now I will wait for the comments….