as network diagrams, including all hardware and software used to collect, store, process, or transmit the information. Finally, she encourages practices to designate staff members to take the lead in the event of an audit.


Ms. Cowan says violations that may warrant OCR opening a separate compliance review include:


• Willful and inappropriate sale of PHI;

• Inappropriate disclosure of sensitive information, such as sexually transmitted diseases or mental health records;

• Failure to safeguard electronic media containing large amounts of patient information;

• Consistent failure to implement HIPAA, such as not training personnel or not having policies and procedures; and

• Failure to cooperate with OCR.




Ms. Hiser says OCR fined Cignet Health $4.3 million last year for not providing medical records and not complying with the agency’s requests for documentation during an investigation. She says OCR enforcement typically requires practices to sign three-year corrective action plans, to send periodic updates to the agency, and to develop policies approved by the agency.

Increased penalties under the HITECH Act and enforcement actions by federal government and states’ attorneys general have serious implications for physicians who fail to comply with the rules. Ms. Hiser says it’s important that physicians comply with the encryption and destruction requirements under HITECH, audit electronic systems to detect security incidents and violations, and notify patients quickly in the event of a breach, especially identity theft.

HHS defines a breach as “an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information” and poses a significant risk of “financial, reputational, or other harm” to the patient.


Ms. Hiser says physicians would be smart not only to have a system to detect PHI breaches but also to encrypt all confidential patient information. The reason: Physicians and business associates must provide the required notification only if the breach involves unsecured PHI.

HHS has information on ways to render unsecured PHI unusable, unreadable, or indecipherable on its website, http://1.usa.gov/n0KNLH.


Civil penalties for unintentional HIPAA violations range from $100 to $50,000 per violation. Criminal penalties for fraud include a minimum $100,000 fine and up to five years imprisonment. Individuals who violate HIPAA with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm face a maximum $250,000 fine and 10 years imprisonment. (Read “Mum’s the Word,” August 2010 Texas Medicine, pages 49–53, or visit www.texmed.org/Template.aspx?id=16452.)

For more information about penalties, consult Section 13410 of the HITECH Act, www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.

36 TEXAS MEDICINE July 2012


Texas raises the privacy stakes


Starting Sept. 1, Texas physicians and other covered entities using electronic health records (EHRs) must comply with a state privacy law that imposes requirements more stringent than HIPAA.

For example, while HIPAA has always required physicians to train their employees, the new state law mandates training specific to the staff members’ scope of employment, to occur within 60 days after they are hired. In addition, training must be provided at least once every two years, says Austin health care attorney Deborah Hiser.

Another significant difference is the Texas law directs physicians to notify patients their health information is subject to electronic disclosure, says Austin health care attorney Ana Cowan.

“Notice must be posted in the physician’s place of business. If the electronic disclosure is not related to certain activities like treatment, payment, or health care operations, the physician must actually obtain patient authorization in order to engage in the electronic disclosure.”

Both attorneys urge physicians to begin updating their HIPAA manuals to include the additional requirements imposed by the state law. Under the law, the Texas attorney general may ask HHS to audit covered entities for compliance, and anyone who accesses, reads, scans, stores, or transfers protected health information electronically and without authorization may face felony charges.

Fort Worth emergency physician Matt Murray, MD, vice chair of the Texas Medical Association Ad Hoc Committee on Health Information Technology, says it’s especially important for physicians to become well-versed in cyber liability risk and Texas’ new EHR privacy law.

