7- DATA, DATA,& MORE DATA IN HEALTHCARE by PHARMAGEEK
#survey #report #ebook #studies #ehealth #mhealth #healthcare
Scooped by Lionel Reichardt / le Pharmageek

HIPAA Guidance For Small To Mid-Size Medical Practices


For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry.


As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.


Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans. The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated your HIPAA policy recently, then now’s the time.


It’s been 12 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.


Here are some simple common sense tips for keeping your practice on the right side of the law:


Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.


Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs — and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.


Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.


Plan for breaches. What would happen if there were an accidental breach of patient information? Say, someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers? Or how would you handle an intentional breach? You should prepare a specific response for scenarios like these because they do happen.


Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.


If necessary, hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices.


But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan, assuming of course you have a HIPAA compliance plan currently in place.
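The two most technical tips above, minimum-necessary access by job function and an inactivity timeout on shared workstations, together with the advice to plan for breaches, can be tied together in a small access guard. The following is an added example, not code from the article or from any product it mentions; the role names, the PHI field names, the three-minute timeout and the class and function names (ROLE_FIELDS, PhiAccessGuard, run_demo) are assumptions chosen for illustration. It denies by default, expires idle sessions, and keeps an access log so that, when a breach is suspected, a practice can answer "who viewed this record, and what was refused?"

```python
"""Added example: minimum-necessary PHI access check with an inactivity
timeout and an access log usable during breach response.
All role names, field names and the timeout are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed policy: which parts of a patient record each job function may view.
# Any field not listed for a role is denied (deny by default).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "front_desk": {"name", "phone", "appointment_time"},
    "billing": {"name", "insurance_id", "date_of_service", "procedure_code"},
    "nurse": {"name", "dob", "allergies", "medications", "vitals"},
    "physician": {"name", "dob", "allergies", "medications", "vitals",
                  "diagnosis", "notes", "lab_results"},
}

# The article suggests re-authentication after two or three idle minutes.
INACTIVITY_TIMEOUT = timedelta(minutes=3)


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime


@dataclass
class AccessLogEntry:
    when: datetime
    user: str
    role: str
    patient_id: str
    phi_field: str
    allowed: bool
    reason: str


class PhiAccessGuard:
    """Decides each field read and records the decision, allowed or not."""

    def __init__(self) -> None:
        self.log: List[AccessLogEntry] = []

    def check(self, session: Session, patient_id: str,
              phi_field: str, now: datetime) -> bool:
        idle = now - session.last_activity
        if idle > INACTIVITY_TIMEOUT:
            # Idle too long: the workstation must be re-authenticated first.
            allowed, reason = False, "session expired after inactivity"
        else:
            session.last_activity = now  # any live request resets the idle clock
            if phi_field in ROLE_FIELDS.get(session.role, set()):
                allowed, reason = True, "field permitted for role"
            else:
                allowed, reason = False, "field outside role's minimum-necessary set"
        self.log.append(AccessLogEntry(now, session.user, session.role,
                                       patient_id, phi_field, allowed, reason))
        return allowed

    def accesses_to_patient(self, patient_id: str) -> List[AccessLogEntry]:
        """Breach-response view: every attempt, granted or denied, on one record."""
        return [e for e in self.log if e.patient_id == patient_id]


def run_demo() -> Dict[str, object]:
    """Constructed scenario: a front-desk user on a shared terminal."""
    guard = PhiAccessGuard()
    t0 = datetime(2016, 4, 1, 9, 0, 0)          # constructed timestamp
    session = Session("jdoe", "front_desk", t0)
    first = guard.check(session, "P-001", "appointment_time", t0 + timedelta(seconds=30))
    second = guard.check(session, "P-001", "diagnosis", t0 + timedelta(seconds=40))
    third = guard.check(session, "P-001", "name", t0 + timedelta(minutes=5))
    unknown = guard.check(Session("temp", "visitor", t0), "P-002", "name", t0)
    return {
        "permitted_field": first,       # True: appointment_time is in front_desk's set
        "denied_field": second,         # False: diagnosis is not
        "expired_session": third,       # False: 4m20s idle exceeds the 3-minute limit
        "unknown_role": unknown,        # False: deny by default
        "p001_log_entries": len(guard.accesses_to_patient("P-001")),
        "denied_reasons": [e.reason for e in guard.log if not e.allowed],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The log keeps denied attempts as well as granted ones; a cluster of denials for fields outside a role is exactly the signal worth reviewing when deciding whether an incident is accidental or intentional, and the per-patient query gives the list of staff who touched a record when a notification decision has to be made.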


Scooped by Lionel Reichardt / le Pharmageek

Google cloud gets on board with HIPAA | Healthcare IT News


To all the developers building applications in the cloud that need to comply with HIPAA privacy rules: You've just gained a big ally.

Internet behemoth Google recently announced its cloud platform will now be HIPAA-friendly and will support business associate agreements going forward.

Google started inking business associate agreements back in 2013 when the HIPAA Final Omnibus Rule went into effect, making BAs accountable for violating certain HIPAA privacy and security rules.

This February, the company went one step further.

"To serve developers who want to build these applications on Google's infrastructure, we're announcing support for business associates agreements for our customers," wrote Google Cloud Platform Product Manager Matthew O'Connor, in a Feb. 5 company post. "We’re looking forward to supporting customers who are subject to HIPAA regulations on Google Cloud Platform."

The HIPAA final omnibus rule took effect September 2013, and it made BAs directly liable for violations of HIPAA rules. The rule also expanded the definition of a BA to include health information organizations, e-prescribing gateways, PHR providers, patient safety organizations and subcontractors with access to protected health information. Moreover, subcontractors are now defined as business associates.

After the rule went into effect, many covered entities reported having difficulties getting BAs to actually sign business associate agreements.

Healthcare IT News spoke with BakerHostetler's Privacy and Security Attorney Ted Kobus back in August 2013, right before the HIPAA final rule took effect. He said that, overall, BAs have been less prepared.

"We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions," Kobus said.

Lynn Sessions, healthcare privacy attorney, also with BakerHostetler, works with many of the more sophisticated BAs on updating their agreements; she said the ones dragging their feet with HIPAA are the cloud providers.

Organizations "new to the party, like cloud providers who thought they were never business associates in the first place, are having to play catch up," said Sessions.

Cloud computing in healthcare is poised for explosive growth. By the end of 2013, analysts estimated the global market would hit nearly $4 billion, representing more than 21 percent growth from 2012, according to the findings of a September 2013 Kalorama report. In comparison, health IT spending over the year was only projected to increase by nearly 11 percent.

"EMR is driving this market," said Bruce Carlson, publisher of Kalorama Information, in a Sep. 19 press statement. "Hospitals are building great systems for gathering electronic records, but they need solutions to store all of that data, and it can't be a new server wing that might compete with needed space for care."



Scooped by Lionel Reichardt / le Pharmageek

Will 2016 be Another Year of Healthcare Breaches?


As I listened to a healthcare data security webinar from a leading security vendor, I had to ask: “Are we now experiencing a ‘New Normal’ of complacency with healthcare breaches?” The speaker’s reply: “The only time we hear from healthcare stakeholders is AFTER they have been compromised.”


This did not surprise me. I have seen this trend across the board throughout the healthcare industry. The growing number of cyberattacks and breaches is further evidence there is a ‘New Normal’ of security acceptance — a culture of ‘it-is-what-it-is.’ After eye-popping headlines reveal household names were compromised, one would think security controls would be at the forefront of every healthcare action list. Why then are we seeing more reports on healthcare breaches, year after year?


This idea comes from the fact that, due to a lack of enforcement, tolerable penalties, and a culture of risk acceptance, more breaches are to be expected in the healthcare industry. Until stricter enforcement and penalties are implemented, breaches will continue throughout the industry.


The Office of Civil Rights (OCR), the agency overseeing HIPAA for Health and Human Services, originally scheduled security audits for HIPAA to begin in October 2014. Unfortunately, very few audits have occurred due to the agency being woefully understaffed for their mandate covering the healthcare industry, which accounts for more than 17 percent of the U.S. economy.


Why Sweat a Breach?

Last September, newly appointed OCR deputy director of health information privacy, Deven McGraw, announced the launching of random HIPAA audits. In 2016, it is expected 200 to 300 covered entities will experience a HIPAA audit, with at least 24 on-site audits anticipated. However, this anticipated figure accounts for less than one percent of all covered entities — not much of an incentive for a CIO/CISO to request additional resources dedicated to cybersecurity.


Organizations within the industry are approaching cybersecurity from a cost/benefit perspective, rather than by how a breach potentially affects the individual patients. For payers who have been compromised, where will their larger customers go anyway? Is it really worth a customer’s effort to lift-and-shift 30,000, 60,000 or 100,000 employee health plans to another payer in the state? This issue is similar to the financial services industry’s protocol when an individual’s credit card has been compromised and then replaced, or when individuals want to close down a bank account due to poor service: Does anyone really want to go through the frustration with an unknown company?


For some of the more well-known breaches, class-action lawsuits can take years to adjudicate. By then, an individual’s protected health information (PHI) and personally identifiable information (PII) has already been shared on the cybercriminal underground market. In the meantime, customers receive their free two years’ worth of personal security monitoring and protection. Problem solved. Right?


The Cost of Doing Business?

When violations occur, the penalties can sting, but it’s just considered part of the cost of doing business. In March 2012, Triple-S of Puerto Rico and the U.S. Virgin Islands, an independent licensee of the Blue Cross Blue Shield Association, agreed to a $3.5 million HIPAA settlement with HHS. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million fine, only to turn around and have another HIPAA violation in January 2015.

As of December 2015, the total number of data breaches for the year was 690, exposing 120 million records. However, organizations are unlikely to be penalized unless they fail to prove they have steps in place to prevent attacks. If an organization does not have a plan to respond to a lost or stolen laptop, OCR will possibly discover areas for fines, but this can be a difficult process. Essentially, whether a fine follows a cyberattack or breach is relative.


A more recent $750,000 fine with Cancer Care Group was settled in September 2015, but the incident occurred in August 2012 — nearly three years earlier. A 2010 breach reported by New York-Presbyterian Hospital and Columbia University wasn’t settled until 2014, for $4.8 million. Lahey Hospital and Medical Center’s 2011 violation was only settled in November 2015, for $850,000. With settlements taking place several years after an event, settling may appear to be a legitimate risk decision, further reinforcing the ‘New Normal’ of cybersecurity acceptance.


At one HIMSS conference, the speaker emphasized to a Florida hospital the need to enforce security controls. They replied with, “If we had to put in place the expected security controls, we would be out of business.”


Simply put: The risks of a breach and a related fine do not outweigh the perceived costs of enhancing security controls. For now, cybersecurity professionals may want to keep their cell phones next to the nightstand.

Guillaume Ivaldi's curator insight, April 2, 2016 10:18 AM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...