The general rules for security, risk analysis, and risk management implementation specifications, and evaluation standards are key directives for ongoing compliance assurance. Although risk analysis concepts guidance appears in the Security Rule, many organizations use it for auditing Privacy Rule processes as well.
Handling requests for information from law enforcement can throw staff for a loop. Most staff are aware of their organization’s policies and the basic HIPAA requirements for disclosing patient information to family members, friends, and other individuals such as legal guardians. But handling requests from law enforcement officials can be a different matter.
Patient care continues to move from the inpatient setting to outpatient. With this change, the challenge of securing comprehensive documentation that articulates the services rendered and the patient care provided now needs to extend across the care continuum.
Q: It is my understanding that we can make PHI disclosures using our EHR for payment/treatment/healthcare operations without a consent and that we do not need to track these requests for an accounting of disclosures. Has this changed?
Too often, organizations fall for common HIPAA myths and erroneously incorporate them into otherwise sound, good-faith compliance efforts. That can lead to wasted time and resources, duplicative work, or even outright noncompliance.
Physicians may be angry at the increased documentation, coding, and billing workflow and compliance activities they must perform to be successful in new reimbursement models. However, to avoid accustations of fraud and upcoding, they must develop their own OIG-recommended compliance plan and be open to rigorous feedback and advice.
