September 1, 2013
Briefings on HIPAA

Q. Is it a HIPAA violation if a hospital receives a faxed Healthcare Effectiveness Data and Information Set (HEDIS) request and the hospital cannot identify the patient by full name, last name, or date of birth? These requests contain name, date of birth, provider, and the HEDIS Measure (Chlamydia screening, cervical cancer screening, cholesterol management, etc.) and last date of service of the patient. Typically, these faxed requests are from business associates of the patient's health insurance, but occasionally they come directly from the insurance company.

September 1, 2013
Briefings on HIPAA

Reliable data backup is critical. If a backup is not in place and your system crashes, you not only have a HIPAA compliance problem, but you may not be able to support your critical operations. IDrive® is a secure backup service that provides "ready when you need it" backup restoration and meets the National Institute of Standards and Technology safe harbor encryption standard.

September 1, 2013
HIM Briefings

Also known as the "mega rules," the omnibus final rules are clarifications and finalizations of the HIPAA rules of 2003, the HITECH rules of 2008, and the incorporation of the Genetic Information Nondiscrimination Act (GINA) rules into the Privacy and Security rules. These are not sweeping changes, as many describe, but clarifications. In most cases, what are now final rules are best practices that organizations should already be following.

September 1, 2013
Briefings on HIPAA

The HIPAA omnibus rule has changed the game when it comes to business associates (BA).

August 1, 2013
HIM Briefings

As an HIM director, you are responsible for the integrity of your patients' records, even when your hospital shuts down certain wings of the facility or closes its doors entirely.

August 1, 2013
Briefings on HIPAA

Editor's note: The following is adapted from the HCPro book The HIPAA Omnibus Rule: A Compliance Guide for Covered Entities and Business Associates, by Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, Mass. To learn more about the book, go to www.hcmarketplace.com.

August 1, 2013
Briefings on HIPAA

There is some common ground in the corrective action plans (CAP) that OCR has imposed on healthcare organizations it has investigated for HIPAA privacy and security deficiencies.

August 1, 2013
Briefings on HIPAA

The release of the HIPAA Omnibus Rule has left most HIPAA privacy and security officers with a long and likely overwhelming to-do list.

July 1, 2013
Briefings on HIPAA

Proving encryption at time of breach, use of smartphones, and vendor agreements.

 

July 1, 2013
Briefings on HIPAA

Who would have thought that buying gas with a credit card or wearing a pacemaker could leave a person's information exposed? Yet highly sophisticated credit card skimming devices at gas stations are stealing from consumers, and healthcare organizations are concerned about the potential for malicious tampering or the theft of PHI from wireless medical devices such as pacemakers. Hidden vulnerabilities lie in everyday activities like these, and some of those vulnerabilities can expose PHI and put healthcare organizations at risk.
