It’s important for you to know that HIPAA compliance covers the cybersecurity measures necessary for EVV. That information is straight from an email issued by ANCOR, which cites the EVV legislation as its source, along with Tim Hill, the Director of CMCS.
Last year, as a service to our members, OPRA partnered with MyHIPAA Guide to spearhead the development of a HIPAA compliance program for the residential sector. This is the only program of its kind available for residential providers.
The program includes all the materials you need for compliance, plus an option for unlimited phone and email consultation to help you through the process of protecting of private health information.
With EVV right around the corner, we are offering a $100 discount off the price of an annual subscription with the coupon code: OPRA2018.
Go to hipaa.opra.org to subscribe.
At the recent annual conference of the Association of Professional Developmental Disability Administrators (APDDA), we had the pleasure of hearing from administrators from facilities in Corpus Christi and San Antonio, Texas and Miami, Florida who spoke about their experiences preparing for and recovering from Hurricane Harvey and Hurricane Irma last fall. Part of building an emergency preparedness plan includes making provisions to meet the needs of residents with disabilities in the event of an evacuation.
But! Even in an emergency preparedness plan, a resident’s health information is still protected by the HIPAA Privacy Rule.
Check it out! The Department of Health and Human Services offers a great interactive tool, The HIPAA Privacy Decision Tool, that through a series of questions helps you determine how the HIPAA Privacy Rule would apply in specific emergency situations (it’s available as a flowchart, too!). Other emergency preparedness resources are also available through the HHS site.
Since federal privacy rules require lots of documentation, a frequently asked question is: How long do we have to keep all the documents that accumulate as a result of compliance with the Health Insurance Portability and Accountability Act (HIPAA)?
The answer: Six years — and that means six years after the date of a document’s creation or it’s most recent effective date.
Keep in mind, all HIPAA-related activities must be documented. This includes privacy policies and procedures, privacy notices, resolution of complaints, staff training, business associate agreements and all else pertaining to privacy protections.
In one of the HIPAA cases most relevant to the I/DD-Residential sector, a county agency delivering health services to low-income people settled a potential breach by paying out $215,000 to the Feds. The agency serves a rural population of about 120,000 in Skagit County, Washington — where nearly 18 percent of the people live below the federal poverty line according to the most recent labor statistics.
As commonly happens, the Feds opened an investigation after receiving a complaint that appeared to result from the unintentional exposure of Private Health Information (PHI) involving only seven individuals. Looking further, the Feds discovered the absence of a HIPAA compliance program within the county agency in question.
The case is significant for the message it sends. And you don’t even have to read between lines, because the Feds say it explicitly:
You can be small and serving a vulnerable population, but you still need what the Feds call “a meaningful compliance program to ensure the privacy and security of patients’ information.”
The Skagit County settlement dates back to 2014, when the Feds were just beginning a proactive approach to HIPAA enforcement as mandated by Congressional legislation in 2013. Since then, the message of that case has been clearly validated.
In a review of nearly 400 potential privacy violations currently under investigation, you will see that small community providers, including those in the I/DD sector, are under investigation for occurrences often resulting from careless lapses with no ill intent.
In Skagit County, private health information held by one agency was inadvertently moved to a publicly accessible server. After that? Responding to a complaint, the Feds nosed around and found what they described as “general and widespread non-compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”
In addition to the monetary settlement, a three-year corrective action period ensued for the Skagit County agency.
About the author: Diane Evans, Publisher of MyHIPAA Guide, leads a team of HIPAA trainers and consultants who boil privacy practices down to good business and human-centered processes. OPRA’s HR Committee helped guide the creation templates and training materials specially for the residential services sector, and available at hipaa.opra.org. Ms. Evans can be reach at firstname.lastname@example.org