The MedSafe Compliance Corner

With few exceptions, patients have the right to inspect and copy their medical information, but with the strict laws that govern protected health information (PHI), it is important for health care providers to understand proper procedures and rules that govern the release of medical records.

The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) protects patient health information, but allows release of medical records under certain circumstances, one of which is the safe harbor rule of de-identified information. But what exactly constitutes de-identified information?

With breaches of protected health care information reported nearly every day in the news, the one word that keeps popping up is “encryption.” The fact that a laptop or hard drive was lost or stolen isn’t the problem; the problem is that the data on these devices was not encrypted.

This week, In The Know, looks at the following news stories: Pioneer ACOs Selected;Government Recovers Record-Breaking Amounts in Whistleblower Fraud Cases;Nearly $300 Million Awarded to States for Enrolling Children in Health Coverage; Breaches of Health Care Information Reaches 18 Million and Counting.

With the compliance date of January 1 for HIPAA 5010 transactions just around the corner (see last week’s blog, Countdown to 5010 HIPAA Transactions), we offer a brief history of their origins and evolution.

As a follow up to my previous blog on whether hospital-based physicians need HIPAA programs (such as pathologists, anesthesiologists and radiologists), we are hearing about a major breach of medical records regarding a pathology billing company in the Boston area.

It’s an unpleasant thought, but unfortunately, natural disasters are becoming a way of life. Every day, there are news reports of flooding and landslides, wildfires, tornadoes, hurricanes, severe storms---even earthquakes, volcanic eruptions and tsunamis. The list goes on and on, and healthcare providers are on the front lines when these catastrophes hit.

A recent report issued to Congress by the Department of Health and Human Services (HHS) revealed some staggering figures: from September 23, 2009 through December 31, 2010 (less than 16 months) the protected health information (PHI) of 7.8 million individuals was compromised.

 For most physician groups, the fact that they need to establish HIPAA/HITECH programs for their organizations is an unquestioned fact of life, but there are other types of physician groups who may legitimately wonder if they must do this.

Another large data security breach involving 300,000 people in California recently occurred through an independent researcher, adding even more individuals to the growing number of people affected nationwide by medical information security lapses.