Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Tag: OCR

Storing Patient Records

Posted bySuze Shaffer

 

By Aris Medical Solutions

 

Since most medical practices are going electronic, it may be time to free up some of that precious space in your office. Make sure when, how, and where you decided to store your data is secure.

Some practices move excess patient charts to a self storage unit. It’s cheap and if you have an patient chart inventory list you should be safe… right?
What happens if the facility burns down?
What if someone breaks in and it is not discovered for months?
What if you don’t have an inventory list of which records are in there?

  • Did you know that PHI is considered PHI until after a person has been deceased for 50 years! That means even if the person isn’t alive, it is still a reportable breach!
  • Did you know that if you can’t determine if ANY records or WHICH records were stolen, you would have to report all of them.

Self storage units may sound like a good deal. That good deal could cost you more in the end. If the unit burns or if it is vandalized, you could be charged for wilful neglect for NOT securing the records. Not to mention, you may be required to report this as a data breach and cost you nearly $350.00 per record! Are you willing to accept that risk? After all, the OCR doesn’t specifically state what is or is not HIPAA compliant. If you suffer a data breach, THEN they will determine if you had reasonable and appropriate safeguards in place.

Now I will ask you.. Wouldn’t it make sense to spend about the same amount of money and have a professional company store your records? That’s right; for about $50.00 per month you can store approximately 100 boxes of records! Of course pricing will depends on your location and how many you need to store. When organizing the records, we suggest by year and alphabetize them. This makes it much easier when the time comes to destroy them!

If you need assistance with a Risk Analysis, Risk Management Plan, or implementing a full set of HIPAA Policies and Procedures, call Aris at 877.659.2467 or click here to schedule a demo. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package.

“Protecting Organizations through Partnership, Education, and Support”

OCR clarifies amount that can be charged for copies of PHI

Posted bySuze Shaffer

By Aris Medical Solutions

The Office for Civil Rights (OCR) announced the clarification in the Fact Sheet they released earlier this year. The maximum amount that can be charged for patients that request a copy of their Protected Health Information (PHI) under the right of access is not $6.50. Rather, charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating the actual or average costs for requests for electronic copies of PHI maintained electronically. Entities may choose the fee calculation method that is most appropriate for their circumstances, of course within the boundaries of what is permissible under the Privacy Rule.

The new FAQ may be found at: New Clarification – Up to $6.50 Flat Rate Option. Additional information regarding permissible fees and other aspects of the individual right of access may be found at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”

Do you have your ALL of your Business Associate Agreements in place?

Posted bySuze Shaffer

 

By Aris Medical Solutions

 

The Omnibus Rule that became effective March 26, 2013 was a game changer in many ways. One area was requiring Covered Entities to ensure that Business Associate Agreements (BAA) were in place with all of their business partners by September 23, 2013. If a Covered Entity had agreements already in place, Covered Entities had until September 22, 2014 to replace them with new ones that had all of the required elements of the new Omnibus Rule.

Did you know that if a Covered Entity (Medical Practice) releases Protected Health Information (PHI) to person or an entity and the practice does not have a signed BAA in place, the Covered Entity can be fined? In the eyes of HIPAA, you have disclosed PHI to an unauthorized user. Yes, this is TRUE!

Did you know that if a medical practice’s software vendor has a data breach and you as the Covered Entity do not have a BA agreement in place you could be fined as well? I know what you are thinking… it’s THEIR responsibility, not yours. True, but it is YOUR responsibility to have an agreement in place. Have you reviewed your BA agreements to ensure the documents have all of the required elements and it protects YOU the Covered Entity? These are very important documents and since it is the responsibility of the medical practice to protect patient data, the practice dictates when this information can be shared. The practice also has the responsibility to have assurances that the entity understands how to protect the data before it is released.

The Office for Civil Rights (OCR) recently imposed a $750K fine for such an offense. A Raleigh Orthopedic practice released 17,300 x-rays films to a Business Associate (BA) that promised to transfer the images in exchange for the silver in films. Unfortunately the practice forgot to have the entity sign a Business Associate Agreement.

Make sure you do not make the same mistake…

Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC