Oncology EHR

Promoting Quality & Safety in Oncology Electronic Health Records

Carolyn Hartley

EHR Vendors to Meet new HIPAA Security Requirements

With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security obligations increased significantly for business associates, including EHR vendors, who must now comply directly with many of HIPAA's rules rather than only through contract terms with covered entities. ARRA also expanded enforcement: federal audits are increased, state attorneys general may recover attorneys' fees in some HIPAA actions, and a method is to be established for individuals harmed by a violation to share in the penalties collected. Business associates are now subject to the same civil and criminal penalties as covered entities.

Most EHR vendors involved in ASCO's EHR Lab have shown that they can quickly demonstrate compliance with these expanded rules. For those not involved in the EHR Lab, the business associate "To-Do" list looks much like the list oncologists, as covered entities, worked through in 2004. These tasks include:
• Appointing a Security Official
• Developing written policies and procedures covering physical safeguards (such as locking computers that contain electronic protected health information, or "ePHI") and technical safeguards (such as encrypting email)
• Training the workforce on how to protect ePHI

Also, effective immediately, all covered entities are required to notify each individual affected by a breach of unsecured ePHI by first-class mail, or by email if the individual has specified that as a preference.
• If you do not have current contact information for an individual, you may be required to give substitute notice, such as posting the breach on your website or in newspapers or other broadcast media.
• For breaches involving more than 500 residents of a state or jurisdiction, you must also notify a "prominent media outlet" serving that area.
• You must also notify the Department of Health and Human Services. HHS is establishing a public website listing breaches that affect 500 or more individuals. There is an exception for certain unintentional, good-faith uses or disclosures by workforce members.
Consult a health law attorney if you have questions or concerns about building your policies and procedures, or about the tasks assigned to the Security Official.

Table 1. Civil monetary penalty tiers for HIPAA violations under ARRA (HITECH Act, section 13410(d)). The per-violation amounts are minimums; the maximum is the cap for all violations of an identical provision in one calendar year.

Level of culpability                    Penalty per violation    Maximum per calendar year
Did not know (and could not reasonably
  have known)                           $100                     $25,000
Reasonable cause (not willful neglect)  $1,000                   $100,000
Willful neglect, corrected within
  30 days                               $10,000                  $250,000
Willful neglect, not corrected          $50,000                  $1,500,000


© 2010   Created by OncologyEHR Administrator
