In September 2014, CMS and the Office for the National Coordinator (ONC) released a final rule that offers enhanced flexibility for eligible professionals, eligible hospitals, and critical access hospitals using certified EHR technology (CEHRT) and working toward meaningful use attestation (https://s3.amazonaws.com/public-inspection.federalregister.gov/2014-21021.pdf). The final rule regulations became effective October 1, 2014.
Q: My facility no longer registers patients under aliases, but will allow them to opt out of the patient directory. However, opting out of the registry will not exclude our patients from the operating room (OR) list. At one time, the facility's CEO received the daily OR list with full patient names so he could visit board members, donors, or others whom he knows at our facility. HIM changed this practice so that patients' names would not be on the OR schedule provided to the CEO. The CEO took this matter to the hospital attorney, who said the names could be included because the use of PHI by the CEO to determine whether and when a patient visit is appropriate is permitted by HIPAA as it is part of healthcare operations. Is it a violation of HIPAA for the CEO to use PHI to track patients in this manner?
While organizations should focus on performing regular risk assessments and analyses, there are also other ways in which they must review their systems for compliance. Often, these other evaluations are overlooked despite their value, says Kevin Beaver, CISSP, an information security consultant in Atlanta. In particular, organizations should be careful not to forget about performing vulnerability assessments and penetration tests, which are components of an overall risk assessment or analysis, says Beaver, who is a BOH editorial advisory board member.
RC.01.01.01, Content of the Medical Record, did not top the list of the survey findings for hospitals in the first half of 2014, according to the September 2014 issue of Joint Commission Perspectives. Nor was it on the list for critical access hospitals at all! However, 49% of hospitals surveyed received a requirement for improvement for this standard, primarily in the EPs related to timing and dating entries. This indicates hospitals are still using a lot of paper records. That said, the downward swing is encouraging as more and more hospitals fully implement the EMR.
As the new year kicks off, many opt to make resolutions for the months ahead. BOH asked some privacy and security professionals to share their best tips for a productive 2015. What advice would they offer others in the industry to ensure the year ahead is a success?
