At this point, there are no federally recognized HIPAA certification standards for covered entities (CE) and business associates (BA). However, that doesn't mean there are no good assessment tools out there to gauge information security and regulatory compliance. The Health Information Trust Alliance (HITRUST) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges.
Case managers rejoice. CMS recently sounded what is being called the death knell of the 2-midnight rule certification in a final rule published in the November 10, 2014, Federal Register.
In September 2014, CMS and the Office for the National Coordinator (ONC) released a final rule that offers enhanced flexibility for eligible professionals, eligible hospitals, and critical access hospitals using certified EHR technology (CEHRT) and working toward meaningful use attestation (https://s3.amazonaws.com/public-inspection.federalregister.gov/2014-21021.pdf). The final rule regulations became effective October 1, 2014.
Q: I was recently hired for a position at a long-term care facility. Upon getting acclimated, I learned that the facility has completed handwritten logs for every fax that was sent out since 2003. This document is referred to as the HIPAA fax log and contains the date the fax was sent, to whom it was sent, by whom it was sent, the number of pages, and whether a cover sheet with confidentiality statement was included. I would like to do away with this form since fax machines can generate their own logs. However, if this is a necessary process then I would like to follow official guidelines and update the facility's policies and procedures accordingly. Does the HIPAA Privacy or Security Rule require these logs? If so, what information must we include?
