Business Associate To-Do List

What are Business Associates Required to Do to Meet HIPAA Requirements? With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security compliance increased significantly with business associates immediately required to comply directly with many of HIPAA’s rules. It also dramatically expanded other remedial actions (such as increasing federal government audits; granting attorneys’ fees in some HIPAA lawsuits; and allowing a method for individuals to recover penalties under HIPAA). Business associates also are subject to civil and criminal penalties, including a provision that allows individuals to receive financial compensation for the violation. If you are a business associate, your “To-Do” list looks similar to the list the…


5010/D.0 Effective Date Tuesday, March 17, 2009; Compliance Date January 1, 2012

The version modification to the HIPAA Administrative Simplification transaction standards becomes effective Tuesday, March 17, 2009. Here are several critical things to know, drawn directly from the final rule published in the Federal Register on January 16, 2009. The final rule is available for download on the HIPAA.com site. Effective Date: The effective date [March 17, 2009] is the date that the policies set forth in this final rule take effect, and new policies are considered to be officially adopted. [74 Federal Register 3302] Compliance Date: On January 1, 2012, all covered entities will have reached Level 2 compliance, and must be fully compliant in using Versions 5010 and D.0…


New Director of Office of Recovery Act Coordination

Dennis Williams has been selected to be HHS’ Deputy Assistant Secretary for Recovery Act Coordination. Mr. Williams most recently served as Health Resources and Services Administration’s (HRSA) Deputy Administrator, a post he held from 2002-2009. Prior to joining HRSA, Williams served as acting Assistant Secretary in HHS’ Office of the Assistant Secretary for Management and Budget (OASMB, currently ASRT) from 2001 to 2002. From 1985-2001 he served as Deputy Assistant Secretary for Budget in OASMB. The Office of Recovery Act Coordination, which reports to the Assistant Secretary for Resources and Technology (ASRT), will ensure that the Act’s requirements and OMB’s guidance are followed, including: » Making sure that reporting due…


One Week from Today: 5010/D.0 Final Rule Effective Date

They’re coming: the Ides of March (the 14th); NCAA Basketball Tournament Announcement (the 15th); St. Patrick’s Day (the 17th); and 5010/D.0 Final Rule Effective Date (the 17th). If you are a covered entity, Level 1 testing begins Tuesday, March 17, 2009. Here are five things you need to do to start. Conduct a Gap Analysis. What do I need to do to become compliant on January 1, 2012? That date sounds far off, but it will be here before you know it. Unlike previous transaction contingency periods for covered entities and their trading partners, HHS has indicated that there will be no tolerance for those not ready. Read the final…


Medicare Incentives for Physicians

Amounts shown are per physician. To participate in the incentives, you must be a meaningful user.

                      Year Adopted
Incentive Year        2011            2012            2013            2014            2015+
2011                  $18,000         —               —               —               —
2012                  $12,000         $18,000         —               —               —
2013                  $8,000          $12,000         $15,000         —               —
2014                  $4,000          $8,000          $12,000         $12,000         —
2015                  $2,000          $4,000          $8,000          $8,000          0
2016                  0               $2,000          $4,000          $4,000          0
2017                  0               0               0               0               0
Total                 $44,000         $44,000         $39,000         $24,000         0
Health Shortage Area  +10% $48,400    +10% $48,400    +10% $42,900    +10% $26,400

As defined by the HITECH Act, a physician meaningful user is one using software that supports computerized provider order entry, uses ePrescribing, submits information to HHS on clinical quality…


CMS Confirms 5010 and ICD-10 Rules’ Effective Dates

In notification to the U.S. House and Senate on Thursday, March 5, 2009, Don Johnson, Acting Director, Office of Legislation of the Centers for Medicare & Medicaid Services (CMS), notified the Congress that “[i]n accordance with the White House Chief of Staff’s memorandum of January 20, 2009 entitled ‘Regulatory Review,’ a determination has been made that the effective date will not be extended and the comment period will not be reopened for either of these rules.” The effective date for each of the rules is March 17, 2009. The memorandum CMS sent to Congress follows. Beginning next Monday, March 9, HIPAA.com will have a posting daily through March 17, 2009,…


Security Incident Procedures Response and Reporting: What to Do and How to Do It

This is the sixth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. This is its one implementation specification, Response and Reporting, which is required for compliance. As we have noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (“ARRA”) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do: This standard requires that the covered entity implement response and reporting policies to address security incidents. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system…


What should you expect from your HIPAA Security Official?

HIPAA’s Security Rule requires covered entities to designate one person to be responsible for the development and implementation of policies and procedures that safeguard electronic protected health information. Nearly all organizations implemented measures to manage privacy in oral, written, and electronic media. However, as healthcare organizations and their business associates, inspired by the HITECH Act (stimulus package), respond to forthcoming financial incentives to adopt electronic health record (EHR) software, you need to beef up your security measures. So what should you look for in your Security Official? For starters, you need someone who understands clinical and billing workflows, recognizes that in the past some clinicians have communicated with patients via…


Is Your Covered Entity Preparing for 5010/D.0 Testing? Part 2: Level 2 Testing

On March 17, 2009, the Final Rules for Modifications to the Health Insurance Portability and Accountability Act (HIPAA) become effective. HIPAA.com has available for download the final rules for 5010/D.0 as published in the Federal Register on January 16, 2009 (pp. 3295-3328). The effective date is “the date that the policies set forth in this final rule take effect, and new policies are considered to be officially adopted.” [p. 3302] All covered entities are to be in compliance with 5010/D.0 on January 1, 2012. Testing can occur “from the date of the final rule until the compliance date for Versions 5010 and D.0.” [p. 3306] The Final Rules outline two levels of…


Security Incident Procedures: What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the sixth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has one implementation specification: Response and Reporting, which is required for compliance. As we have noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (“ARRA”) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. This safeguard standard and its implementation specification require covered entities to establish policies and procedures to respond to security incidents and to report them. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information…
