HIPAA and EHRs: How to Comply with the New Regulations and What to Ask of your Vendor

Why Should You Attend:

Many of the new changes to HIPAA focus directly on a number of aspects of the use of electronic records, such as the accounting of disclosures and tracking of accesses of records of all kinds, even for treatment, payment, and healthcare operations, and the provision of records in electronic formats when requested. These proposed rules have a tremendous impact on not only EHRs, but also any electronic systems that hold protected health information in the designated record set.

In this 90-minute webinar we will review the new and expected regulations and discuss their effects on the use of EHRs. We will show what policies need to be changed and how, discuss how disclosures must be tracked in an EHR, review the various ways patient records can be supplied electronically, discuss the requirements for meeting the mandatory Privacy and Security Objective in the Meaningful Use regulations (including requirements for a HIPAA Security Risk Analysis), and show what policies and evidence you need to produce if you are audited by the HHS Office of Civil Rights. The new enforcement penalty structure and the new program for random audits by HHS OCR will also be described.

Agenda:

• What is an EHR under the regulations?
• New proposed rules for access of electronic records and EHRs
• New proposed rules for accounting of disclosures and EHRs
• Proposed new restrictions on disclosures and their impacts
• Meaningful Use, HIPAA, and EHRs: Risk Analysis Required
• Expanded HIPAA Enforcement and Penalties and the new HIPAA Audit Program
• Q&A session

Areas Covered in the Seminar:

• The new regulations change the way individuals have access to their records, and how much they can find out about who has accessed their records.
• Individuals can request an accounting of disclosures of their health information including those made for purposes of treatment, payment, or healthcare operations, from an electronic health record, going back three years.
• Individuals will be able to request an access report of all uses and disclosures of PHI from any records in the Designated Record Set – clearly defining that set is now a priority.
• Individuals have the right to obtain electronic copies of their health information that is stored electronically, from any electronic system in the HIPAA designated record set.
• Individuals can now request certain restrictions on disclosures that you must honor, and that may be difficult to implement.
• Meaningful Use requirements for EHR funding call for a HIPAA Information Security Risk Analysis and implementation of risk mitigation measures.
• New audit and penalty requirements increase the need to make sure you are in compliance before HHS OCR knocks on the door.
• The new penalty structure and plans for audits mean that you are more likely to be audited for HIPAA compliance, and you may be facing significantly higher penalties for non-compliance than ever before.

Who Will Benefit:

• Information Security Officers
• Risk Managers
• Compliance Officers
• Privacy Officers
• Health Information Managers
• Information Technology Managers
• Medical Office Managers
• Chief Financial Officers
• Systems Managers
• Legal Counsel
• Operations Directors
• Medical offices, practice groups, hospitals, academic medical centers, insurers, business associates (shredding, data storage, systems vendors, billing services, etc.)

Instructor Profile:

Jim Sheldon-Dean, is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a variety of health care providers, businesses, universities, small and large hospitals, urban and rural mental health and social service agencies, health insurance plans, and health care business associates. He serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the 2011 WEDI Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at AHIMA national and regional conventions and WEDI national conferences, and before regional HFMA chapter meetings and state hospital associations.

Sheldon-Dean has nearly 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Topic Background:

Recent and upcoming changes to HIPAA that expand the regulation’s reach and increase enforcement, along with market pressures and Federal incentives to adopt electronic health records, have created compliance difficulties for the protection of the privacy and security of protected health information (PHI) and EHRs. Many of the new changes to HIPAA focus directly on a number of aspects of the use of electronic records, such as the accounting of disclosures and tracking of accesses of records of all kinds, even for treatment, payment, and healthcare operations, and the provision of records in electronic formats when requested. These proposed rules have a tremendous impact on not only EHRs, but also any electronic systems that hold protected health information in the designated record set.

To meet many of the requirements, it will be necessary to carefully define the Designated Record Set to which the regulations apply, which may not have been done previously. To qualify for incentive funding, providers must perform HIPAA Security compliance activities that may have been avoided in the past, such as risk analysis and complete policy adoption, but no longer can be due to new, higher penalties, including mandatory penalties starting in the tens of thousands of dollars for willful neglect of compliance. Risk analysis is now clearly required, both for HIPAA and for EHR funding, but many organizations have not yet performed one and find the task overwhelming.

The proposed requirement to provide a list of all accesses of an individual records is based on an ability to track accesses that not all systems can provide today. Using electronic records of any kind could mean big headaches for compliance with HIPAA accounting of disclosures requirements.

Providers will need to change how they do business to meet the new requirements as they move to newer electronic records systems, and qualifying for the funding will require the kind of attention to privacy and security that health information has always deserved, but not always received.

Follow us :