--Apple-Mail-33--40221063
Content-Type: text/plain;
charset=WINDOWS-1252;
format=flowed;
delsp=yes
Content-Transfer-Encoding: 8bit
This will be a pain in the butt. If you have a copy of a file on the
computer, you can't track every time it's opened.
Return to Previous Page
Stimulus Package Includes New HIPAA Security Rules
Small Practices Face Greatest Financial Impact
By Sheri Porter
3/18/2009
The recently passed federal stimulus package includes changes to
federal health information privacy and security provisions under the
Health Insurance Portability and Accountability Act, or HIPAA, that
will affect physician practices. According to health care policy
experts, however, the extent of that impact remains to be seen.
The Health Information Technology for Economic and Clinical Health, or
HITECH, Act, which is intended to promote widespread adoption of
health IT, was incorporated into the American Recovery and
Reinvestment Act of 2009, (Page 144; 407-page PDF; About PDFs) which
was signed into law on Feb. 17.
According to provisions in the legislation, physicians now will be
required to track any disclosure of a patient's medical information.
Previous regulations allowed physicians to disclose patient
information for the purpose of treatment, payment or health care
operations, but they were not required to track when that information
was disclosed.
However, the new legislation requires physicians who use an electronic
health record, or EHR, to "have the ability to track every time
(patient) information has been disclosed," said Robert Tennant, a
senior policy advisor for the Colorado-based Medical Group Management
Association, or MGMA.
Although the provision doesn't kick in for current EHR users until
Jan. 1, 2014, patients will be able to request an accounting of
disclosures of their electronic personal health information three
years from the date of the request, potentially dating back to 2011.
In addition, the legislation requires practices to post information
about security breaches if a breach affects 10 or more patients. If a
security breach affects 500 or more patients, practices must notify
all of their patients, a local media outlet, and the HHS secretary.
"It's very similar to what is occurring in a lot of states that have
laws against identity theft," said Mike Fleischman, a principal of
Gates, Moore and Co., an Atlanta-based health care consulting and
accounting firm.
Even a small family medicine practice could have thousands of patient
records in its database, said Tennant. A stolen laptop computer or
misplaced PDA could potentially compromise large amounts of patient
data.
The new legislation also calls for beefed up enforcement rules and a
new aggressiveness in assigning fines. Fines for security breaches
start at $100 and can go as high as $1.5 million.
In addition, the legislation empowers state attorneys general to
enforce some HIPAA elements and gives them the authority to bring
class action suits, said Fleischman.
IMPACT ON PHYSICIANS
David C. Kibbe, M.D., is senior adviser to the AAFP's Center for
Health IT and chair of ASTM International's technical committee on
health care informatics. He called the new security provisions "a
mixed blessing."
The upside is that the regulations will give consumers more control
over their personal health information, said Kibbe. "But the
regulations will also likely increase the uncertainty, complexity,
cost and risk for anyone or any organization who collects, stores,
manages or transmits personal health information."
He noted that provisions of the HITECH Act were long debated and
"reflect a compromise that most people on Capitol Hill like."
Tennant said he's focusing on how the provisions apply to family
medicine practices and how they will affect physicians' ability to
treat patients. Overall, he sees the provisions as adding a "new layer
of confusion that can't do anything positive to patient care."
He also pointed out that there is no stimulus money provided to help
physicians shore up their privacy policies and procedures. "This is
all money that comes off (physicians') bottom line," said Tennant.
Fleischman countered that although there was no immediate cause for
alarm, physicians should be aware of the rules that pertain to them.
He called the new legislation "a tweaking" of the HIPAA regulations
from 1996.
The biggest change affects physicians' business associates, said
Fleischman. They now will be required to fully comply with HIPAA
privacy and security rules. That means clearinghouses, accountants,
lawyers and others who support physicians and have access to protected
health information will have more culpability in terms of privacy
violations.
WHAT TO DO
Family physicians should consult their EHR vendors about the security
of their patient data. "Ask what would happen to patients' data if a
laptop were stolen, and consider safeguards like encryption and secure
passwords -- all of the things that, frankly, physicians should be
doing anyway," said Tennant.
He also suggested that physicians go back and review HIPAA policy in
general, paying particular attention to new staff members who may not
be up to snuff on privacy policies and procedures.
"There's a new sheriff in town and what used to be a minor infraction
… could very well lead to a substantial fine," said Tennant. "What you
don't want is for the practice to make a mistake simply because staff
weren't trained or weren't aware."
Tennant and Fleischman agreed that physicians should keep a close eye
on pertinent government appointments because even though some of the
new regulations take effect almost immediately, much of the content in
the HITECH Act will be fleshed out during the coming months.
"We're waiting to see what the new HHS secretary and CMS administrator
will do in terms of crafting regulations to support and further define
the legislation," said Tennant.
CONCERNS ABOUT UNINTENDED CONSEQUENCES
Kibbe said large practices would be able to deflect some of the
anticipated cost by outsourcing health information management
functions. Practices also may decide to share implementation costs
with other physicians and practices "sort of like the cost of
electricity is shared as utility," he said. The downside is that
practices would give up some autonomy and independence in the process.
Small practices have fewer financial resources and, therefore, have
fewer options, said Kibbe. "Put very bluntly, the small medical
practice is going to face additional costs for health IT
implementation as a result of the HITECH Act's amendments to HIPAA."
Kibbe also is wary of possible unintended consequences from the audit
reports that will be necessary to account for disclosures of patient
information. He called them "technically challenging and operationally
burdensome," and he didn't think any of the EHRs currently marketed
for ambulatory care could provide the reports.
Physicians contemplating an EHR purchase -- an action the feds
desperately want physicians to take -- might further delay their
purchases "until they know the products have this feature and that it
works," cautioned Kibbe.
Steven Waldren, M.D., director of the AAFP's Center for Health IT,
said the Academy soon would be making additional educational resources
available to help members further understand and comply with the
government's latest privacy and security regulations.
Copyright © 2009 American Academy of Family Physicians
Home | Privacy Policy | Contact Us | My Academy
Members | Residents | Students | Patients | Media Center
RSS | Podcasts
Malcolm Sickels MD
210 Little Lake Drive, Suite 10
Ann Arbor, MI 48103
http://drsickels.com
734-332-9936
--Apple-Mail-33--40221063
Content-Type: text/html;
charset=WINDOWS-1252
Content-Transfer-Encoding: 8bit
<html><head><base href="http://www.aafp.org/online/en/home/publications/news/news-now/government-medicine/20090318hipaa-security-rules.printerview.html">
<link media="all" type="text/css" href="/online/css/printstyles.css" rel="stylesheet">
</head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><base href="http://www.aafp.org/online/en/home/publications/news/news-now/government-medicine/20090318hipaa-security-rules.printerview.html"><div style="font-family: Helvetica; font-size: 12px; color: black; text-align: left; ">This will be a pain in the butt. If you have a copy of a file on the computer, you can't track every time it's opened.</div><div style="font-family: Helvetica; font-size: 12px; color: black; text-align: left; "><br></div><div style="font-family: Helvetica; font-size: 12px; color: black; text-align: left; "><br></div>
<!--WEBSIDESTORY CODE HBX2.0 (Universal)-->
<!--COPYRIGHT 1997-2005 WEBSIDESTORY,INC. ALL RIGHTS RESERVED. U.S.PATENT No. 6,393,479B1. MORE INFO:http://websidestory.com/privacy-->
<script language="javascript">
var _hbEC=0,_hbE=new Array;function _hbEvent(a,b){b=_hbE[_hbEC++]=new Object();b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0200u";hbx.gn="wt.aafp.org";
//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
hbx.acct="DM570502I0DE;DM570502C4ZW";//ACCOUNT NUMBER(S)
//hbx.pn="title";//PAGE NAME(S)
hbx.pn="PUT+PAGE+NAME+HERE";//PAGE NAME(S)
hbx.mlc="CONTENT+CATEGORY";//MULTI-LEVEL CONTENT CATEGORY
hbx.pndef="title";//DEFAULT PAGE NAME
//hbx.pndef="content";//DEFAULT PAGE NAME
hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";//FORM VALIDATION MINIMUM ELEMENTS OR SUBMIT FUNCTION NAME
hbx.lt="auto";//LINK TRACKING
hbx.dlf="n";//DOWNLOAD FILTER
hbx.dft="n";//DOWNLOAD FILE NAMING
hbx.elf="n";//EXIT LINK FILTER
//SEGMENTS AND FUNNELS
hbx.seg="";//VISITOR SEGMENTATION
hbx.fnl="";//FUNNELS
//CAMPAIGNS
hbx.cmp="";//CAMPAIGN ID
hbx.cmpn="";//CAMPAIGN ID IN QUERY
hbx.dcmp="";//DYNAMIC CAMPAIGN ID
hbx.dcmpn="";//DYNAMIC CAMPAIGN ID IN QUERY
hbx.dcmpe="";//DYNAMIC CAMPAIGN EXPIRATION
hbx.dcmpre="";//DYNAMIC CAMPAIGN RESPONSE EXPIRATION
hbx.hra="";//RESPONSE ATTRIBUTE
hbx.hqsr="";//RESPONSE ATTRIBUTE IN REFERRAL QUERY
hbx.hqsp="";//RESPONSE ATTRIBUTE IN QUERY
hbx.hlt="";//LEAD TRACKING
hbx.hla="";//LEAD ATTRIBUTE
hbx.gp="";//CAMPAIGN GOAL
hbx.gpn="";//CAMPAIGN GOAL IN QUERY
hbx.hcn="";//CONVERSION ATTRIBUTE
hbx.hcv="";//CONVERSION VALUE
hbx.cp="null";//LEGACY CAMPAIGN
hbx.cpd="";//CAMPAIGN DOMAIN
//CUSTOM VARIABLES
hbx.ci="";//CUSTOMER ID
hbx.hc1="";//CUSTOM 1
hbx.hc2="";//CUSTOM 2
hbx.hc3="";//CUSTOM 3
hbx.hc4="";//CUSTOM 4
hbx.hrf="";//CUSTOM REFERRER
hbx.pec="";//ERROR CODES
//INSERT CUSTOM EVENTS
//END EDITABLE SECTION
//REQUIRED SECTION. CHANGE "YOURSERVER" TO VALID LOCATION ON YOUR WEB SERVER (HTTPS IF FROM SECURE SERVER)
</script><script language="javascript1.1" src="/hbx.js"></script>
<!--END WEBSIDESTORY CODE-->
<div class="credits">
<a href="/online/en/home/publications/news/news-now/government-medicine/20090318hipaa-security-rules.html?null">Return to Previous Page</a>
</div>
<div class="guts">
<div class="level1">
<div class="level2">
<div class="mid">
<div class="main">
<br>
<a href="/online/en/home/publications/news/news-now.html"><img src="/online/etc/medialib/aafp_org/images/news_folder/aafp_news_now/annlogo.Par.0001.Image.gif" alt="AAFP News Now: The Family Physician's Trusted Source for News" style="border: none;" class="logo"></a>
<h1>Stimulus Package Includes New HIPAA Security Rules </h1>
<h2 style="margin-top:-18px"><i>Small Practices Face Greatest Financial Impact</i></h2>
<p>
<b>By <a href="mailto:spor-@aafp.org">Sheri Porter</a></b>
<br>3/18/2009
</p>
<p>
</p>
<p>
</p><div id="NewsArticleParsys93730">
</div>
<div class="text">The recently passed federal stimulus package includes changes to federal health information privacy and security provisions under the Health Insurance Portability and Accountability Act, or HIPAA, that will affect physician practices. According to health care policy experts, however, the extent of that impact remains to be seen.</div>
<div id="NewsArticleParsys88576">
</div>
<div class="picwoborderr" style="width: 250px;">
<img src="/online/etc/medialib/aafp_org/images/news_folder/aafp_news_now/2009-3/kibbe-hipaa-pq.Par.0001.Image.250.gif" alt="Put very bluntly, the small medical practice is going to face additional costs for health IT implementation as a result of the HITECH Act's amendments to HIPAA. -- David C. Kibbe, M.D., Senior adviser, AAFP Center for Health IT">
</div>
<div class="text">The Health Information Technology for Economic and Clinical Health, or HITECH, Act, which is intended to promote widespread adoption of health IT, was incorporated into the<a class="link" href="http://fdsys.gpo.gov/fdsys/pkg/BILLS-111hr1ENR/pdf/BILLS-111hr1ENR.pdf" title="ARRA Legislation"> American Recovery and Reinvestment Act of 2009</a>, (Page 144; 407-page PDF; <a href="/online/en/home/aboutus/theaafp/about/helpcenter/pdf.html" title="About PDFs" class="link">About PDFs</a>) which was signed into law on Feb. 17. <br><br>According to provisions in the legislation, physicians now will be required to track any disclosure of a patient's medical information. Previous regulations allowed physicians to disclose patient information for the purpose of treatment, payment or health care operations, but they were not required to track when that information was disclosed. <br><br>However, the new legislation requires physicians who use an electronic health record, or EHR, to "have the ability to track every time (patient) information has been disclosed," said Robert Tennant, a senior policy advisor for the Colorado-based Medical Group Management Association, or MGMA.<br><br>Although the provision doesn't kick in for current EHR users until Jan. 1, 2014, patients will be able to request an accounting of disclosures of their electronic personal health information three years from the date of the request, potentially dating back to 2011. <br><br>In addition, the legislation requires practices to post information about security breaches if a breach affects 10 or more patients. If a security breach affects 500 or more patients, practices must notify all of their patients, a local media outlet, and the HHS secretary. <br><br>"It's very similar to what is occurring in a lot of states that have laws against identity theft," said Mike Fleischman, a principal of Gates, Moore and Co., an Atlanta-based health care consulting and accounting firm. <br><br>Even a small family medicine practice could have thousands of patient records in its database, said Tennant. A stolen laptop computer or misplaced PDA could potentially compromise large amounts of patient data. <br><br>The new legislation also calls for beefed up enforcement rules and a new aggressiveness in assigning fines. Fines for security breaches start at $100 and can go as high as $1.5 million. <br><br>In addition, the legislation empowers state attorneys general to enforce some HIPAA elements and gives them the authority to bring class action suits, said Fleischman.</div>
<div id="NewsArticleParsys86518">
</div>
<div style="float: none">
<h3>Impact on Physicians</h3>
</div>
<div class="text">David C. Kibbe, M.D., is senior adviser to the AAFP's <a class="link" href="http://www.centerforhit.org/online/chit/home.html" title="Center for Health IT">Center for Health IT</a> and chair of ASTM International's technical committee on health care informatics. He called the new security provisions "a mixed blessing." <br><br>The upside is that the regulations will give consumers more control over their personal health information, said Kibbe. "But the regulations will also likely increase the uncertainty, complexity, cost and risk for anyone or any organization who collects, stores, manages or transmits personal health information." <br><br>He noted that provisions of the HITECH Act were long debated and "reflect a compromise that most people on Capitol Hill like."<br><br>Tennant said he's focusing on how the provisions apply to family medicine practices and how they will affect physicians' ability to treat patients. Overall, he sees the provisions as adding a "new layer of confusion that can't do anything positive to patient care." <br><br>He also pointed out that there is no stimulus money provided to help physicians shore up their privacy policies and procedures. "This is all money that comes off (physicians') bottom line," said Tennant.<br><br>Fleischman countered that although there was no immediate cause for alarm, physicians should be aware of the rules that pertain to them. He called the new legislation "a tweaking" of the HIPAA regulations from 1996.<br><br>The biggest change affects physicians' business associates, said Fleischman. They now will be required to fully comply with HIPAA privacy and security rules. That means clearinghouses, accountants, lawyers and others who support physicians and have access to protected health information will have more culpability in terms of privacy violations.</div>
<div id="NewsArticleParsys27872">
</div>
<div style="float: none">
<h3>What to Do</h3>
</div>
<div class="text">Family physicians should consult their EHR vendors about the security of their patient data. "Ask what would happen to patients' data if a laptop were stolen, and consider safeguards like encryption and secure passwords -- all of the things that, frankly, physicians should be doing anyway," said Tennant. <br><br>He also suggested that physicians go back and review HIPAA policy in general, paying particular attention to new staff members who may not be up to snuff on privacy policies and procedures. <br><br>"There's a new sheriff in town and what used to be a minor infraction … could very well lead to a substantial fine," said Tennant. "What you don't want is for the practice to make a mistake simply because staff weren't trained or weren't aware." <br><br>Tennant and Fleischman agreed that physicians should keep a close eye on pertinent government appointments because even though some of the new regulations take effect almost immediately, much of the content in the HITECH Act will be fleshed out during the coming months. <br><br>"We're waiting to see what the new HHS secretary and CMS administrator will do in terms of crafting regulations to support and further define the legislation," said Tennant. <br></div>
<div id="NewsArticleParsys90860">
</div>
<div style="float: none">
<h3>Concerns About Unintended Consequences</h3>
</div>
<div class="text">Kibbe said large practices would be able to deflect some of the anticipated cost by outsourcing health information management functions. Practices also may decide to share implementation costs with other physicians and practices "sort of like the cost of electricity is shared as utility," he said. The downside is that practices would give up some autonomy and independence in the process. <br><br>Small practices have fewer financial resources and, therefore, have fewer options, said Kibbe. "Put very bluntly, the small medical practice is going to face additional costs for health IT implementation as a result of the HITECH Act's amendments to HIPAA." <br><br>Kibbe also is wary of possible unintended consequences from the audit reports that will be necessary to account for disclosures of patient information. He called them "technically challenging and operationally burdensome," and he didn't think any of the EHRs currently marketed for ambulatory care could provide the reports. <br><br>Physicians contemplating an EHR purchase -- an action the feds desperately want physicians to take -- might further delay their purchases "until they know the products have this feature and that it works," cautioned Kibbe. <br><br>Steven Waldren, M.D., director of the AAFP's Center for Health IT, said the Academy soon would be making additional educational resources available to help members further understand and comply with the government's latest privacy and security regulations. <br></div>
<p></p>
<div class="nofloat">
</div>
<div class="bottom">
<div class="shiftbottom">
<div class="center">
<p class="credits">
<a href="/online/en/home/aboutus/theaafp/about/permissions.html" title="Copyrights and Permissions" class="link">Copyright © 2009 American Academy of Family Physicians</a><br><a href="/online/en/home.html" title="Home" class="link">Home</a> | <a href="/online/en/home/aboutus/theaafp/about/privacy.html" title="Privacy" class="link">Privacy Policy</a> | <a href="/online/en/home/aboutus/theaafp/contact.html" title="Contact" class="link">Contact Us</a> | <a class="link" href="http://www.aafp.org/myacademy" title="MyAcademy">My Academy</a><br><a href="/online/en/home/membership/resources.html" title="Member Resources" class="link">Members</a> | <a href="/online/en/home/residents.html" title="Residents" class="link">Residents</a> | <a class="link" href="http://fmignet.aafp.org/" title="Virtual Family Medicine Interest Group">Students</a> | <a class="link" href="http://www.familydoctor.org/" title="http://www.familydoctor.org/">Patients</a> | <a href="/online/en/home/media.html" title="Media Center" class="link">Media Center</a><br>
<a href="http://www.aafp.org/online/en/home/aboutus/theaafp/about/helpcenter/rss.html"><img width="19" height="12" style="margin-bottom: -1px;" src="/online/etc/medialib/aafp_org/images/global_images/tiny-rss.Par.0001.Image.gif" alt="RSS" id="/etc/medialib/aafp_org/images/global_images/tiny-rss#Par.0001.Image http://www#aafp.org/online/en/home/aboutus/theaafp/about/helpcenter/rss.html"></a> <a href="http://www.aafp.org/online/en/home/aboutus/theaafp/about/helpcenter/rss.html">RSS</a> | <a href="http://www.aafp.org/online/en/home/aboutus/theaafp/about/helpcenter/aboutpodcasts.html"><img width="19" height="12" style="margin-bottom: -1px;" src="/online/etc/medialib/aafp_org/images/global_images/tiny-pod.Par.0001.Image.gif" alt="POD" id="/etc/medialib/aafp_org/images/global_images/tiny-pod#Par.0001.Image http://www#aafp.org/online/en/home/aboutus/theaafp/about/helpcenter/aboutpodcasts.html"></a> <a href="http://www.aafp.org/online/en/home/aboutus/theaafp/about/helpcenter/aboutpodcasts.html">Podcasts</a>
</p>
</div>
</div>
</div>
<!-- end bottom -->
</div>
</div>
</div>
</div>
</div>
<div style="font-family: Helvetica; font-size: 12px; color: black; text-align: left; "><br class="webkit-block-placeholder"></div><br><br><div apple-content-edited="true"> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br class="Apple-interchange-newline">Malcolm Sickels MD</div><div>210 Little Lake Drive, Suite 10</div><div>Ann Arbor, MI 48103</div><div><a href="http://drsickels.com">http://drsickels.com</a></div><div>734-332-9936</div></div><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline"> </div><br></body></html>
--Apple-Mail-33--40221063--
|
|
 |
|
Malcolm Sickels
