Paul R. Hales, Attorney at Law, LLC
Tel: 314-534-3534
Fax: 314-534-0444
 

Policy Forms -Assessment Tools 

Mr. Hales can help you assess your compliance with the HIPAA Privacy, Security and Breach Notification Rules using proprietary computer-based technology that reviews each Standard and Implementation Specification. He will also provide you with assistance regarding all required HIPAA Policy and Procedure forms and documentation.

Paul R. Hales, Esq.
3534 Washington Ave.
St. Louis, MO 63103
 
TEL: 314-534-3534
The HHS Office of Civil Rights enforces the HIPAA HITECH Privacy Rule and maintains a helpful website that is regularly updated. Click on the HHS.gov logo below to go to that website.

 

Do you gather, maintain and transmit Protected Health Information? 

Are you developing procedures to convert from paper to Electronic Health Records?

HIPAA HITECH Privacy for Long Term Care Providers including Nursing Homes and Home Health Agencies

Mr. Hales provides legal consultation concerning specific HIPAA and HITECH compliance issues. 

HIPAA - HITECH Privacy Requirements

Please scroll down to see information about a number of issues including Business Associate Agreements, converting to Electronic Health Records (EHR)  and Long Term Care Facility HIPAA compliance.

HITECH Mandates Major Changes in HIPAA Compliance Policies

The Health Information Technology for Economic and Clinical Health Act (HITECH), which officially took effect on February 18, 2010, significantly increased HIPAA privacy safeguards and compliance requirements for Covered Entities and broadened the scope of HIPAA compliance to include Business Associates of Covered Entities. While the increased complexities of the HITECH law may in time be addressed efficiently by Electronic Health Record (EHR) software, the ongoing development of HIPAA HITECH compliant software is a complex, expensive process. Covered Entities must be very careful in selecting EHR and IT software. A Department of Health and Human Services Policy Committee Privacy and Security Tiger Team meets regularly to address the issues regarding HIPAA HITECH compliant software and procedures.


Despite the difficulty and expense of converting to EHR, the requirements for paper-based health records are identical to those for electronic records and apply to Covered Entities now (except that paper records must be kept three years longer).
 

HIPAA HITECH Privacy and Security Compliance Policies

In Mr. Hales' opinion, the HITECH statute, Titles XIII and IV, Pub. L. 111-5, 123 Stat. 226 (February 17, 2009), and the regulations published in the Federal Register (which may be downloaded by clicking below) provide substantial guidance on which to base HIPAA HITECH compliance policy. Future changes are likely to be incremental and readily incorporated in a Covered Entity's HIPAA Privacy Compliance Policy. Therefore, Covered Entities are encouraged to work with their counsel and operations personnel to develop and implement compliance policies now. The HIPAA HITECH Compliance Policy may be modified as necessary based on new regulations or better practices developed during implementation.

 


How to Prepare Effective HIPAA HITECH Compliance Policies
Effective Compliance Policies must be clear and easy to implement. Mr. Hales recommends that each policy contain procedures, including forms when appropriate. Standardized policies with specific procedural guidelines help to ensure consistent implementation throughout the organization and reduce the risk that a legal issue may become a legal problem.


HIPAA HITECH policies should be developed by a team that includes legal counsel, management and operational staff. Together this team can develop useful policies and procedures from the complex laws and regulations. Above all, avoid the use of legal jargon or the simple restatement of published regulations. Laws and regulations are written by and for lawyers. They must be translated into policies and procedures that can be understood and used by staff all day, every day. Boilerplate policies are available on the Internet. They are useful, at best, only as a guide for your team to develop policies that are right for your facility.


Note that a well-written Compliance Manual with clear procedures is also an excellent training tool.
 

The HITECH statute and the regulations published in the Federal Register on July 14, 2010 may be downloaded by clicking below. They provide strong guidance for the development of compliance policies, but they are complex and densely written. Each Covered Entity must work with legal counsel and operations staff to translate the law into useful, standardized, clear policies and procedures.

HHS Breach Notification Rule Update - July 28, 2010

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. 

At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department's experience to date in administering the regulations.

This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.

Long Term Care Facilities - Home Health Agencies

Long Term Care Facilities and Home Health Agencies are usually defined as HIPAA Covered Entities because they maintain and transmit Protected Health Information (PHI), and they must comply with the HITECH modifications. Consistent with the recommendation above, since future developments in HIPAA HITECH regulations are likely to be incremental, Long Term Care Facilities and Home Health Agencies are encouraged to work with their counsel and operations personnel to develop and implement compliance policies now. The HIPAA HITECH Compliance Policy may be modified as necessary based on new regulations or better practices developed during implementation.

 

Hybrid Entities

Many Covered Entities, including Long Term Care Facilities and Home Health Agencies, are part of a larger corporate organization which is defined as a "Hybrid Entity". A Hybrid Entity is one whose business activities include both covered and non-covered functions as defined by HIPAA. A Hybrid Entity may provide services to a person that do not involve PHI and then begin to provide additional services that do involve PHI. Accordingly, Hybrid Entities must be particularly vigilant to ensure that policies and procedures are in effect to account for such a possibility.

Business Associate Agreements

The privacy requirements for Business Associates of Covered Entities are changed and made much more stringent by the HITECH Act. Consequently, Covered Entities must modify their Business Associate Agreements to be in compliance. You may download a brief paper describing why a Covered Entity needs a Business Associate Agreement and how a Covered Entity may identify a Business Associate by clicking on the .pdf link to the left.

Current HIPAA HITECH Privacy Rule Issues

HITECH anticipates the rapid conversion to Electronic Health Records (EHR). This entails both technological and procedural developments that are not yet available to ensure full compliance with the Privacy Rule. Covered Entities must establish Privacy Rule Checklists to use in evaluating and selecting EHR software.

 

Legal and Practical Issues in Making Required HIPAA HITECH Modifications to Compliance Policies

Many Covered Entities rely heavily on paper records and increasingly on electronic formats to maintain and transmit PHI. They must:

  1. Define procedures concerning PHI and access to PHI which are applicable to both paper and electronic records.
  2. Identify records that now exist on paper, electronically and/or both, and a process to accomplish the identification efficiently and effectively.
  3. Train staff to address issues such as a request for disclosure where PHI may exist in both paper and electronic format, to ensure appropriate compliance.
  4. Define the records that are part of the "Designated Record Set" and those that are not PHI.
  5. Establish procedures for protection of information about a client if a Hybrid Entity begins to provide services to an existing client that require it to receive, maintain or transmit PHI.
  6. Determine procedures for conversion (scanning) and/or retention/destruction of paper records (paper records - 6 years, electronic - 3 years).
  7. Determine when printing can/should occur, who may print, etc.
  8. Establish procedures for disclosure of PHI in both electronic and paper format.
  9. Clarify needs for EHR Security and specific requirements for evaluating EHR software, including but not limited to firewalls, passwords, logging/tracking, reporting to patient/resident, etc., compliant with HIPAA as modified by HITECH.

© 2011, Paul R. Hales, Attorney at Law, LLC