Earn CEU credit Cathy Garrey, Connect with your - Health Care ...
Complying with the HIPAA Privacy Rule – What you need to know
...continued from page 65

Confidential communications. Under the Privacy Rule, individuals have
the right to request that communications of PHI be made by alternative
means (e.g., by mail instead of by telephone) or at alternative locations
(e.g., at work instead of at home). Health care providers are required to
accommodate all reasonable requests. Health plans must accommodate
reasonable requests only if the individual clearly states that the disclosure
of PHI could endanger the individual.

Administrative requirements
The Privacy Rule requires covered entities to implement certain administrative
requirements. In effect, these requirements create an obligation for covered
entities to establish a privacy compliance program. That is, many of the
requirements are similar to the elements of a general health care compliance
program. For example, covered entities must:
- Designate a privacy officer.
- Develop and implement privacy policies and procedures.
- Provide training to all members of the workforce.
- Have a process in place for individuals to make complaints regarding privacy issues, including issues related to the covered entity’s compliance with the Privacy Rule and its own privacy policies and procedures.
- Have and apply appropriate sanctions against employees who violate the Privacy Rule and/or the covered entity’s privacy policies and procedures.
- Refrain from intimidating or engaging in any retaliatory acts against individuals who exercise their rights under the Privacy Rule or who file a complaint against the covered entity.
- Mitigate any harmful effect that results because of an act of noncompliance with the Privacy Rule or the covered entity’s privacy policies and procedures.
- Implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
- Maintain documentation as required by the Privacy Rule.

Enforcement
The HHS Office for Civil Rights (OCR) is responsible for enforcing the
Privacy Rule. OCR has the authority to impose civil monetary penalties
(CMPs) for violations of the Privacy Rule. CMPs are limited to $100 per
violation with a maximum of $25,000 per year for each identical Privacy
Rule requirement that is violated.

The United States Department of Justice (DoJ) has the authority to impose
criminal penalties for violations of the Privacy Rule. Specifically, if a person
or entity knowingly obtains or discloses PHI in violation of the Privacy
Rule, the person or entity may be liable for up to $50,000 and/or may be
imprisoned for up to one year. If a person or entity obtains or discloses the

October 2008
66
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org