Posted on December 27, 2012 by Elizabeth Litten

Countdown to 2013 and the HITECH "Mega Rule": Ten New Year's Resolutions to Protect Health Information

We have written several times in this blog series about the long-awaited (some would assert long overdue) HIPAA “Mega Rule.” What was highly anticipated for the summer of 2012 has become the winter of discontent and a new year for eager HIPAA professionals. Below are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information (PHI), even without the benefit of the Mega Rule.  

10.       I will ask for a copy of my employer’s HIPAA Policies and Procedures.

 

9.         I will read them.

 

8.         I will compare what they say with what I do with PHI and will identify and correct discrepancies.

 

7.         I will not snoop through PHI of others or access or use any PHI I do not need in order to do my job.

 

6.         If I get PHI from or send PHI to a third party (outside my employer) as part of my job, I will find out whether my employer has a Business Associate Agreement (“BAA”) in place with that third party (or has decided one is not needed).

 

5.         I will learn how to encrypt (as per National Institute of Standards and Technology) PHI before I save it or send it.

 

4.         I will check my laptop, smartphone, or other portable device for encryption capability and make sure it is activated. I will also check for any unencrypted PHI that may be lurking on my portable device(s). I will encrypt or remove such PHI (if consistent with the HIPAA Policies and Procedures of my employer and any BAAs).

 

3.         I will investigate the “chain of control” of PHI before I send it to make sure it will not end up outside the jurisdiction of the United States.

 

2.         I will educate myself as to whether and how PHI might be de-identified and will recommend that my employer consider a policy of de-identification in accordance with guidance published by the Office of Civil Rights of the Department of Health and Human Services.

 

1.         Even if I’ve accomplished resolution # 4, I will not leave my laptop, smartphone or other portable device containing PHI in plain sight inside my parked car, especially while at lunch.

 

If everyone were to make and follow these resolutions, we all will have a Happy HIPAA New Year.

Tags: , , , , , , , ,
  • Print
  • Comments
  • Trackbacks
  • Share Link
Posted on August 29, 2012 by Michael Kline

As We All Continue to Anticipate the HIPAA/HITECH "Mega Rule" from HHS, We Can Test Our Prognosticating Skills

We have seen substantial delay in publication of the long-awaited HIPAA/HITECH Omnibus Final Rule, sometimes affectionately referred to as the “Mega Rule.” Health Data Management reported on June 6 of this year that Farzad Mostashari, national coordinator for health information technology, had said that the HIPAA Mega rule, which will include modifications to the privacy and security rule, breach notification and enforcement, “should’ be published by “the end of summer.” After previous disappointments and delays in regulations in other contexts from the U.S. Department of Health and Human Services, however, it may be noteworthy that Mr. Mostashari was said to have used the word “should,” and did not specify the summer of what year, e.g., 2012, 2013, 2014, etc.

Now there has been some scuttlebutt that the Mega Rule may not surface until after Election Day, November 6, 2012, perhaps because of concerns about potential political implications. Even as we wait, there is some justifiable trepidation as to the number of pages of regulations that will be published. The recently-issued CMS final requirements that hospitals and other providers must meet to receive funding under the second phase of the federal electronic health-record incentive program, which is a relatively narrow topic, constituted 672 pages.

 

What can we expect from HHS on the Mega Rule? Well, we can register our own speculations. Marla Durben Hirsch, Editor of Medical Practice Compliance Alert published by DecisionHealth, Inc., informed me of a clever contest that is being conducted on line by idexperts as to the Mega Rule. Any household can put in a single entry as to the month, day and year that the Mega Rule will be published in the Federal Register. In the event of a tie, the number of pages in the Mega Rule will serve as a first tie breaker. The prize for first place is a contribution of $2,500 in the name of the winner to the Wounded Warrior Project, a $200 Amazon gift card, a year’s subscription to RADAR published by idexperts and, of course, internet bragging rights.

So, with the approach of Labor Day and the waning days of summer, join the contest and make the Mega Rule wait more enjoyable!

Tags: , , , , , , , , ,
  • Print
  • Comments
  • Trackbacks
  • Share Link