“If OCR selects you for an audit, contact your legal counsel, and be prepared to cooperate as necessary during the onsite visit.”
34 TEXAS MEDICINE July 2012
should grab physicians’ attention. (See “Texas Raises the Privacy Stakes,” pages 36–37.)
“Texas is progressive about patient privacy, and starting Sept. 1, physicians need to consider additional state requirements. Failure to comply with state and federal law exposes physicians to additional scrutiny and civil penalties. Now is the time to make sure physicians are in compliance with both federal and state privacy requirements. They need to take this seriously,” she said.
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) hired the accounting firm KPMG LLP to conduct the audits, authorized by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. The audits began in November and are scheduled to be completed by December. At press time, OCR was examining 20 covered entities, none of them in Texas. The government has not said how it picks audit targets, saying only the selections are “designed to provide a broad assessment of a complex and diverse health care industry.”
Violating HIPAA rules can be costly. In April, an Arizona cardiology practice paid $100,000 and agreed to a corrective action plan after HHS received a complaint the practice posted clinical and surgical patient appointments on a publicly accessible Internet-based calendar. HHS said the investigation found the practice had few policies and procedures to comply with HIPAA, had limited safeguards to protect patients’ electronic protected health information (PHI), did not document that it trained any employees on HIPAA policies, and did not identify a security official or conduct a risk analysis.
When OCR selects a practice for an audit, investigators interview key practice staff, inspect office privacy and security protocols, and assess the practice’s compliance with federal regulations and policies.
Post-audit reports include recommendations for correcting compliance problems. While the audits can identify best practices and areas for improvement, KPMG will turn serious HIPAA violations over to OCR, which could then open a separate investigation and take enforcement action.
That’s why it’s important for all physicians to make sure they comply with the law and prepare for a possible audit, says Deborah Hiser, who also is with Brown McCarroll.
“HIPAA is evolving in terms of enforcement. There is a definite move away from the complaint-driven agency we saw in the past to an agency that is feeling congressional pressure to impose civil penalties,” she said.
Martin Garza, MD, an Edinburg solo pediatrician and a member of TMA’s Council on Practice Management Services, says the Texas Medical Association’s Policies & Procedures: A Guide for Medical Practices is a useful HIPAA compliance tool that will help with any OCR audit.
“The HIPAA and HITECH manuals in the guide are extremely detailed and provide sample forms we’ve modified to fit the practice. We update the information regularly, and the manuals are available electronically so the whole staff can access them at any time,” he said.
Ms. Hiser and Ms. Cowan wrote the HIPAA and HITECH privacy and security manuals for the guide. The manuals include updated details on Texas’ new EHR privacy law as well as template policies and forms for:
• Staff training on the HITECH Act requirements,
• Business associate agreements that incorporate the HITECH amendments,
• Breach risk assessments, and
• Use of email with patients.
“TMA has worked with experts in crafting its policy and procedure guide. I feel more confident in my HIPAA compliance because I know the information comes from a trustworthy, reliable physician advocate,” Dr. Garza said.
A hard copy of the guide, including details on Texas’ new EHR privacy law, with customizable CD is $295 for members and $395 for nonmembers. The customizable CD alone is $255 for members and $355 for nonmembers. TMA also offers a downloadable update on Texas’ new EHR privacy law for physicians who previously purchased the policy and procedure guide. To order the guide and to inquire about the update download, call the TMA Knowledge Center at (800) 880-7955, or email knowledge@texmed.org.