What scares health pros about omnibus HIPAA rule
Jeannette Christopher turned herself in.
The IS team leader at Northwest Primary Care, a provider with 150 staff across 8 sites in and around Milwaukie, Oregon, accidentally sent an email containing protected health information (PHI) to the wrong person. Even though the recipient stripped the information out and alerted Christopher to the error, Christopher opted to play it safe and call the security cops on herself.
Christopher’s story illustrates the fear sparked by substantive changes to the HIPAA Final Rule on Privacy and Security.
“The exposure is so much greater,” said Lee Barrett, executive director of EHNAC, the Electronic Healthcare Network Accreditation Commission.
Thus far, the change that has caused the most heartburn — and not just for Christopher — is data breach notification.
“Now, breach is assumed until the covered entity proves the data was not compromised,” said Mac McMillan, chairman and CEO of CynergisTek. “There are going to be more breaches reported when the rule goes into effect.”
During a HIMSS13 session on preparing for OCR audits, Mary Brandt, president of health information management at Scott & White in Temple, Texas, pointed out that OCR is not the only governing body that can audit healthcare organizations. CMS and the Joint Commission can also conduct audits, Brandt said, though “OCR people are probably the scariest.”
While breaches and the audits that ensue constitute a genre of health IT horror stories, Debra Hopkinson, EHNAC’s vice president of operations, said that as the industry starts to digest the final rule, the most terrifying aspect might be the actual work required to accomplish compliance.
Hopkinson added that one of the biggest questions thus far has focused on the last person hired and how to bring them up to speed on HIPAA.
Consultant Tom Walsh explained that there are three basic types of audits: those conducted in response to a complaint, those selected at random, and those of health entities accepting reimbursement incentives under meaningful use.
“I think there’s a large percentage of people who don’t know the implications yet,” EHNAC’s Barrett said. Which makes Brandt’s overarching message from the session all the more important: “Don’t wait for an OCR audit,” she urged. “There are plenty of pitfalls out there.”
As for Northwest Primary Care?
“Our goal,” IS team leader Christopher said, “is to implement a secure e-mail system.”