Class of 2011 Financial Profile
• 30 of 39 have debt, or 80%
• The range is $25,000 to $200,000
• The mean for those with debt is $96,967
• For the Class of 2010, the mean was $86,877
• To pay this amount in 5 years at 6.8% interest will cost $1,910 a month or $22,920 a year, for a total of $114,655
An Update on the Health Insurance Portability and Accountability Act
HIPAA was passed in 1996 to make health insurance “portable” so that workers would not lose their insurance when they changed jobs. The law also included provisions intended to increase the use of electronic transactions and established privacy protection for health care information. The law provided that if Congress did not pass additional legislation within 3 years, the Department of Health and Human Services (DHHS) would do so by regulation. Congress failed to pass the legislation.
DHHS has promulgated three types of regulations: standards for electronic transactions; standards designed to ensure the privacy of health care information; and certain security standards. A standardized electronic format has been proposed for 8 common health care transactions: claims; payment and remittance advice; coordination of benefits; eligibility for a health plan; enrollment and disenrollment in a health plan; health care claim status; premium payments; and referral certification and authorization.
The HIPAA “privacy rules” (effective 2003) are extensive, but contain 3 basic requirements:
• HIPAA creates restrictions on the use or disclosure of “individually identifiable health care information”
• rights are established with respect to a person’s own “individually identifiable health care information”
• health care providers are required to take certain administrative actions that are intended to protect the privacy of “individually identifiable health care information”
The HIPAA provisions apply to:
• Health care providers
• Health care plans
• Managed care organizations
• Health care “clearinghouses” (entities that standardize health information—e.g., a billing service that processes or facilitates the processing of data from one format into a standardized billing format)
HIPAA now extends to for-profit business entities (i.e., “business associates”), but has no direct authority over them.
Any information created or received by a health care provider from a patient that identifies the patient is defined as “individually identifiable health care information” and is thus subject to HIPAA. Violation of the rule is punishable through the Department of Health and Human Services (fines from $100 to $250,000, and up to 10 years in prison).
The first HIPAA requirement involves restrictions on the use of health care information: health care providers “cannot use or disclose protected health information, except as permitted or required by the rules”.
There are 10 disclosure exceptions, the most important being:
• without additional consent, for treatment, payment, or health care operations (e.g., conducting quality assessment and improvement activities; developing clinical guidelines; performing case management; reviewing the competence or qualifications of health care professionals; providing education and training of students and practitioners; operating fraud and abuse programs; and transferring ownership of patient records)
• with a specific authorization (if disclosure is sought for reasons other than treatment, payment, or general health care operations)
• with a written contract for “business associates” (but optical laboratories are excluded)
In general, when using or providing protected health care information, reasonable efforts must be made to limit information to the minimum necessary to accomplish the use or disclosure.
The second HIPAA requirement establishes privacy rights:
• every practitioner has to have a privacy notice for patients, the contents of which are established by HIPAA
• patients are given the right to inspect and obtain copies of their medical and billing records
• patients have the right to ask the practitioner to amend records
• patients can request an account of all disclosures of personal health information by a provider within the preceding 6 years (except those for treatment, payment, or health care operations!)
The third HIPAA requirement establishes several administrative obligations to ensure compliance with the privacy rules:
• a “privacy officer” must be appointed by the provider
• employees must undergo training so they understand HIPAA
• safeguards must be put in place to ensure that the privacy of personal health information is protected
• a complaint process for patients must be established
• sanctions must be imposed on employees who do not comply with HIPAA provisions
• patients cannot be required to waive HIPAA rights as a condition for treatment, nor can they be punished for exercising these rights
• policies and procedures must be documented in writing
The AOA has published forms that can be used for the “Notice of Privacy Practices” (describing how patient information can be disclosed and how patients can get access to it) and “Patient Authorization” (allowing the release of information).
Applications of HIPAA to private practice are not as onerous as first believed:
• daily sign-in sheets for patients are permitted and may be kept in plain view
• reasonable safeguards must be taken to ensure that patients do not overhear discussions or telephone conversations in which personal health care information of other patients is discussed
• patient schedules should be placed where they are not conspicuous or easily viewed by patients
• practitioners and assistants should be careful not to allow written materials about patient care, especially records, to be placed where other individuals can read or see them
• there is no bar in HIPAA to sending recall cards or letters to patients
The HIPAA rules supersede only those state laws that are less stringent than HIPAA’s own; thus in many states the effects of HIPAA on the release of patient information are minimal.
In jurisdictions with no confidentiality provisions, or with requirements less stringent than HIPAA’s, the federal law will control the protection and release of information:
• written consent is not required to provide information to insurance providers for payment, to optical laboratories for ophthalmic materials, or to other practitioners for consultation or referral related to treatment, because the release of this information is provided for in HIPAA; also, the information released is not subject to the “minimum necessary” disclosure requirement
• the privacy notice required by HIPAA must be on display and available on patient request
HIPAA requirements:
• an authorization only needs to be signed by patients if information must be provided other than for payment, treatment, or health care operations (e.g., a request for information by a third party)
• patients (and their legal representatives) have the right to review and copy records; they also can request that information be changed if they feel it is incorrect; any denial of such a request must be in writing; if changes are made, the patient (and any pertinent third parties) must be informed in writing that the record has been amended
Other HIPAA requirements:
• the “minimum necessary” rule does not apply to disclosures that are required by law (for example, some states require reporting of physical abuse or of visual acuity below the minimum needed to operate a motor vehicle); such information as is required by law must be provided
• disclosure of information about children to parents and to legal representatives (e.g., guardians) does not require the consent of the child or the person who is represented, the disclosure to the parents or legal representative being considered the same as disclosure to the child or represented person
One important application of HIPAA relates to the sale or other transfer of patient records to another practitioner. HIPAA permits an optometrist to sell or otherwise transfer records to a successor practitioner without having to inform individual patients of the transfer beforehand. This is because the transfer of records is a “health care operation” and is a disclosure exception that requires no additional permission. Patients should be informed of the sale or transfer appropriately (through announcements, mailings, handouts) or in accordance with state legal provisions.
Legal and ethical responsibilities to protect confidentiality are assumed wherever patient records are compiled by a practitioner, and can only be transferred when a successor practitioner agrees to assume them. The practitioner to whom records are transferred must be obligated to comply with HIPAA confidentiality requirements. This agreement to comply is best obtained in writing. If an ethical transfer is not made, the practitioner’s responsibility to protect confidentiality is not relieved, and a subsequent breach of confidentiality may subject the practitioner to legal sanction.
HIPAA mandates that records be retained for 6 years, or longer if required by state law. State provisions must therefore be consulted: optometry board rules or regulations, the statute of limitations for tort or contract actions, and the limitation periods for actions brought by Medicare or other third-party insurance programs; these periods range from 1 to 15 years. Alabama Board Rule 630-X-12-.03 requires an optometrist to maintain, in his or her possession, all records pertaining to a patient for a period of not less than 7 years from the date of the last service provided to that patient.
HIPAA also regulates the destruction of records. Paper containing sensitive information should be shredded. Destruction can be performed in "distributed" fashion (e.g., by small shredders located near desks), or at a central location. Removable magnetic disks (floppy, ZIP disks) and magnetic tapes (reels, cartridges) can be "degaussed". "Fixed" internal magnetic storage (such as computer hard drives) can be cleansed by a re-writing process using software that over-writes the usable storage locations. Removable "solid state" storage devices ("flash drives") can also be cleansed by overwriting.
The final HIPAA regulations, governing security, were released in 2003, and compliance was required by April 2005. The goals of the security rules are to ensure the confidentiality, integrity and availability of all electronic protected health information and to protect against anticipated disclosures and threats to the security of the information.
The security regulations are divided into "required" and "addressable" standards. Providers must assess how reasonable and appropriate implementation of the "addressable" standards would be, and are obligated to implement them where appropriate. Where an "addressable" standard would be inappropriate, a provider may instead adopt an alternate means to achieve the same purpose or possibly forego the proposal altogether. However, cost alone is not a sufficient basis for declining to adopt a standard.
While the privacy regulations involve all protected health information (PHI) no matter what the form, the security rules cover all providers who transmit electronic PHI. However, non-electronic PHI may require security protection under the privacy rules. As was the case with the privacy regulations, "business associates" and other entities may be expected to comply with security rules, and violations by a non-covered entity may result in discipline of the provider.
The security standards have 3 components:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
“Administrative safeguards” focus on workforce training and contingency planning. The cornerstones, however, are risk analysis and risk management—both “required”. Critical and thorough risk analysis must take place before an attempt at regulatory compliance is made. A practice’s identified vulnerabilities will of necessity become the focus for the security policies implemented to reduce the detected risks.
A privacy and security “walkthrough” for a practice might entail the following:
• Are patient sign-in sheets with names and other information in sight? Are patient schedules in plain view?
• Do confidential conversations take place in areas where they can be overheard?
• Are computer screens with the PHI of other patients in plain view?
• Do office staff members regularly change their passwords and safeguard access to their work areas?
• Are medical records, lab reports, and faxed information easily accessible to those who have no "need to know"?
• Are there safeguards for the transfer of PHI as paper medical records, orders, images, and lab specimens?
• Are there documented policies and procedures for when employment is terminated, such as the return of all keys and cards, and the changing of codes and locks, as necessary?
• If office equipment is taken from the premises, is there a documented procedure to safeguard PHI?
Additional "required" administrative safeguards include:
• Sanctions must be imposed for noncompliance by staff members.
• There must be tracking of security "incidents" and documentation of policies and procedures for dealing with incidents; any resulting harm must be mitigated.
• A single security officer must be appointed—this person may serve as the privacy officer also.
• Staff members must be allowed access to electronic PHI only where appropriate, and policies must be put in place to prevent unauthorized persons from gaining access.
Other “required” administrative safeguards:
• Staff members must be trained on security issues, but training may be scaled to the size of the practice. Training must be performed in an ongoing fashion—a single session will not suffice. ("Business associates" must be aware of security policies, but providers are not obligated to train associates.)
• Contingency plans must be established for emergencies that damage systems with electronic PHI, including provisions for data backup, a recovery plan, and a means of ensuring the security of electronic PHI during emergency operations.
• Periodic evaluations of security preparedness must be conducted.
"Physical safeguards" are concerned with access to the physical structures of a practice and its electronic equipment. Electronic PHI and the computer system in which it is maintained must be protected from unauthorized access, in accordance with defined policies and procedures. Some of these requirements can be accomplished through the use of electronic security systems.
"Required" physical safeguards include:
• Establishing policies for the attributes of, appropriate use of, and security for workstations that access electronic PHI.
• Establishing policies for the addition, disposal, or reuse of hardware or electronic media that contains electronic PHI.
"Technical safeguards" may be the most difficult part of the security regulations to comprehend and implement, because they require technical knowledge of computer systems.
"Required" technical safeguards include:
• Policies must be established limiting software program access to only those so authorized. Unique log-ins, either numeric or by name, are required—automatic log-offs are not. Procedures for obtaining necessary electronic PHI during an emergency are also required.
• Activity logs ("audit logs") must be maintained for all systems that contain electronic PHI.
• Policies must be established to protect electronic PHI from alteration and destruction.
• Procedures must be implemented as necessary to verify the identity of those seeking access to electronic PHI.
• Transmission of electronic PHI over a network must be protected by technical security policies. Encryption is an "addressable" standard.
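As an added example (not from the slides), a small Python sketch of two of the technical safeguards listed above: every access to electronic PHI is tied to a unique user log-in and written to an audit log, and the log is hash-chained so that a later alteration or deletion of an entry is detectable. It also produces the account of disclosures that the privacy rules give patients a right to; all user and patient identifiers are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
GENESIS = "0" * 64  # anchor for the first entry of the hash chain

def _entry_hash(prev_hash, record):
    # Each hash covers the previous hash plus the canonical JSON of the
    # record, so altering or deleting any earlier entry breaks every later hash.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

class EphiAuditLog:
    # Disclosures for these purposes are excluded from the patient's accounting.
    EXCLUDED_FROM_ACCOUNTING = ("treatment", "payment", "operations")

    def __init__(self):
        self.entries = []  # (record, hash) pairs in order of writing
    def record_access(self, user_id, patient_id, purpose, when):
        # Unique log-ins are "required": refuse to log an anonymous access.
        if not user_id:
            raise ValueError("ePHI access must be tied to a unique user log-in")
        record = {"ts": when.isoformat(), "user": user_id,
                  "patient": patient_id, "purpose": purpose}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((record, _entry_hash(prev, record)))
        return len(self.entries)
    def verify(self):
        # Recompute the chain; any edited, removed or reordered entry fails.
        prev = GENESIS
        for record, h in self.entries:
            if _entry_hash(prev, record) != h:
                return False
            prev = h
        return True
    def account_of_disclosures(self, patient_id):
        # Patients may request an account of disclosures, excluding those for
        # treatment, payment or health care operations (see the privacy slides).
        return [r for r, _ in self.entries
                if r["patient"] == patient_id
                and r["purpose"] not in self.EXCLUDED_FROM_ACCOUNTING]

def build_sample_log():
    # Constructed sample accesses; no real patient or staff data.
    log = EphiAuditLog()
    t = datetime(2011, 5, 2, 9, 0, tzinfo=timezone.utc)
    log.record_access("dr_smith", "P-0001", "treatment", t)
    log.record_access("billing01", "P-0001", "payment", t)
    log.record_access("frontdesk", "P-0001", "third_party_request", t)
    return log

def tamper_demo():
    # Returns (intact_before, intact_after) for a simulated edit of entry 2.
    log = build_sample_log()
    before = log.verify()
    log.entries[1][0]["user"] = "unknown"
    return before, log.verify()
```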
A security “walkthrough” for a private practice might include the following:
• If PHI is stored electronically, are there system safeguards in place?
• Do any e-mail communications contain PHI? If health care information is transmitted on the internet or via phone lines, are these secure transmissions?
• Is there access to PHI on a practice web site? What safeguards are in place?
• Is there remote access to any internal networks? If so, what kind? (e.g., dial-up modem, high speed access)
• What system of password maintenance is in use? Is there a formal policy that is documented?
• What other types of computer security are in place? (Examples include a firewall, SSL VPN, or encryption.)
Each of these security measures requires that policies and procedures be created, implemented, and documented. Compliance activities must be documented and retained for 6 years. Thus documentation is a major obligation of these rules. Policies may be amended as long as the documentation is also updated. The security regulations require periodic review of policies, and appropriate responses to changes in the environmental security of electronic PHI, as is deemed reasonable for the practice. Further information on implementation of these rules is promised from DHHS.