AMA Adopts Telemedicine Guidelines

On June 11, 2014, the American Medical Association (“AMA”) approved a list of guiding principles regarding the practice of telemedicine.  The AMA’s adoption of these principles follows the position statements, guidelines, and other policy statements on telemedicine already adopted by other medical specialty societies and state medical associations, a trend driven by the increased use of telemedicine in the delivery of health care services.

The guiding principles approved by the AMA stem from a report developed by the AMA’s Council on Medical Service.  In its report, the Council recommends a set of principles to ensure the appropriate coverage and payment for telemedicine services.  The principles are aimed at supporting future innovation in the use of telemedicine, while ensuring patient safety, quality of care and the privacy of patient information, as well as protecting the patient-physician relationship and promoting care coordination and communication.  The AMA’s announcement of its policy adoption can be found here; access to the Council’s report is included in the announcement.

The principles recommended in the Council’s report and adopted by the AMA include the following:

  • A valid patient-physician relationship must be established before telemedicine services are provided.  This relationship may be established through a face-to-face examination, a consultation with another physician who has an ongoing patient-physician relationship with the patient, or meeting other standards of establishing a patient-physician relationship as developed by major medical specialties.  Exceptions to the foregoing include on-call, cross coverage, emergency medical treatment, and other exceptions that become recognized as meeting or improving the standard of care, where establishing such a relationship may not be applicable or necessary.
  • Telemedicine providers must abide by state licensure laws and state medical practice laws and requirements in the state in which the patient receives services.
  • Telemedicine providers must be licensed in the state where the patient receives services, or be providing these services as otherwise authorized by that state’s medical board.
  • Patients seeking care delivered via telemedicine must be offered a choice of providers.  Patients must also have access to the licensure and board certification qualifications of the telemedicine providers in advance of their visit.
  • The delivery of telemedicine services must be consistent with state scope of practice laws.
  • The standard and scope of telemedicine services should be consistent with related in-person services.  The services must follow evidence-based practice guidelines, to the degree they are available, to ensure patient safety, quality of care, and positive health outcomes.
  • The patient’s medical history must be collected as part of the telemedicine service.  The telemedicine service provided must be properly documented and should include providing a summary of the visit to the patient.
  • The telemedicine services must include care coordination with the patient’s medical home and/or existing treating physicians.  At a minimum, this includes identifying the patient’s existing medical home and treating physician(s) and providing such physician(s) with a copy of the medical record.
  • The delivery of telemedicine services must abide by laws addressing the privacy and security of patients’ medical information.

In addition to the above standards, the AMA also adopted recommendations offered in the Council’s report supporting additional research, pilot programs, and demonstration projects regarding telemedicine.

For more information about telemedicine services, please contact Lee Kuo.

Violation of Privacy Rule Leads to $800,000 HIPAA Settlement

Indiana-based Parkview Health System (“Parkview”) has agreed to settle potential violations of the HIPAA Privacy Rule with the HHS Office for Civil Rights (“OCR”) by paying $800,000 and adopting a corrective action plan to address deficiencies in its HIPAA compliance program. The resolution agreement can be found here.

According to the HHS press release, the OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. It is unclear whether any of these medical records were actually viewed by anyone else.

In addition to the $800,000 payment, Parkview entered into a corrective action plan that requires it to:

  • Develop, maintain and revise, as necessary, written policies and procedures addressing requirements of the Privacy Rule and the corrective action plan (“Policies and Procedures”).  Specifically these Policies and Procedures must at a “minimum, provide for administrative, physical and technical safeguards (“safeguards”) to protect the privacy of non-electronic PHI to ensure that such PHI is appropriately and reasonably safeguarded from any intentional, unintentional or incidental use or disclosure that is in violation of the Privacy Rule.”
  • Provide the Policies and Procedures to HHS within 30 days of the Resolution Agreement’s effective date for HHS’s review and approval.
  • Distribute Policies and Procedures to all Parkview workforce members.
  • Periodically review the Policies and Procedures and update them to reflect changes in operations at Parkview, federal law, HHS guidance and/or any material compliance issues discovered by Parkview.
  • Notify HHS in writing within 30 days if Parkview determines that a workforce member has violated the Policies and Procedures (“Reportable Events”).
  • Provide general safeguards training to all workforce members who have access to PHI, as required by the Privacy Rule.
  • Provide training on its approved Policies and Procedures to all workforce members.
  • Submit to HHS a final report demonstrating Parkview’s compliance with the corrective action plan.

Organizations should pay careful attention to the transfer and disposal of both electronic and paper patient records. The OCR has provided helpful FAQs about HIPAA and the disposal of protected health information. For more information about complying with the HIPAA Privacy Rule, please contact Jefferson Lin or Elana Zana.

Rady HIPAA Breach – Access Controls & Training

Rady Children’s Hospital in San Diego announced this week that it has discovered two instances of impermissible disclosure of patient information, both arising from employees sending spreadsheets containing PHI to job applicants.  Surprisingly, Rady did not learn the lesson from its northern California neighbor, Stanford, which recently settled a lawsuit for $4 million over similar circumstances: a vendor releasing patient information to a job applicant.  In both Rady incidents (and at Stanford) identifiable patient information was sent to job applicants in order to evaluate those applicants’ skills.  The spreadsheets contained names, dates of birth, diagnoses, insurance carrier, claim information, and other data.  Combined, the two disclosures affected over 20,000 patients.

Rady has announced that it will take the following actions to prevent future events:

• Only commercially available and validated testing programs will be used to evaluate job applicants who will be tested onsite.
• We are increasing data security by further automating flagging of emails that may contain potential protected health or other sensitive information, and requiring an added level of approval before it can be sent.
• Rady Children’s is working with our email encryption provider to further strengthen our protection of sensitive data.
• Rady Children’s continually provides employees with education regarding privacy policies. We will be using these incidents as examples to better inform our leadership team and employees about the risks and the importance of the policies we have in place and train them in these new measures we are taking.
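The automated flagging and extra approval step that Rady describes in its second bullet is, in security terms, an outbound data-loss-prevention gate on e-mail.  The following is an added example written for this article, not Rady’s implementation or any vendor’s product: it scans CSV attachments for PHI-looking column headers and cell patterns, and holds the message for approval when such an attachment is addressed outside the organization.  The header list, regular expressions, internal domain (hospital.example), thresholds, and the two sample spreadsheets are all assumptions constructed for the illustration.

```python
"""Outbound e-mail PHI gate (added example; assumptions throughout).

Flags messages whose CSV attachments look like they carry protected health
information and holds them for approval before they leave the organization.
The header list, regexes, internal domain, thresholds and sample spreadsheets
are constructed for illustration; tune them to your own exports.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Column headers that usually carry direct identifiers or clinical/financial
# data in exported spreadsheets (assumed list).
PHI_HEADERS: Set[str] = {
    "patient name", "name", "dob", "date of birth", "mrn", "ssn",
    "diagnosis", "dx", "icd10", "insurance", "insurance carrier",
    "claim", "claim number", "member id",
}

# Cell-content patterns: SSN, ICD-10 diagnosis code, and a date (possible DOB).
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "icd10": re.compile(r"\b[A-TV-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
}

INTERNAL_DOMAINS = {"hospital.example"}  # hypothetical organization domain


@dataclass
class Verdict:
    action: str  # "allow", "allow_and_log" or "hold_for_approval"
    reasons: List[str] = field(default_factory=list)


def scan_csv(text: str) -> Tuple[Set[str], Dict[str, int], int]:
    """Return (PHI-looking headers, pattern hit counts, number of data rows)."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return set(), {}, 0
    headers = {h.strip().lower() for h in rows[0]}
    hits = {name: 0 for name in PATTERNS}
    for row in rows[1:]:  # header row is not scanned for content patterns
        for cell in row:
            for name, pattern in PATTERNS.items():
                if pattern.search(cell):
                    hits[name] += 1
    return headers & PHI_HEADERS, {k: v for k, v in hits.items() if v}, len(rows) - 1


def looks_like_phi(headers: Set[str], hits: Dict[str, int]) -> bool:
    """Decision rule: an SSN anywhere, two identifier/clinical columns, or one
    such column whose rows also match a clinical or date pattern.  A lone date
    column or a de-identified list of codes (a skills test) does not trip it."""
    return "ssn" in hits or len(headers) >= 2 or bool(headers and hits)


def evaluate(sender: str, recipients: List[str], attachments: Dict[str, str]) -> Verdict:
    """Gate one outbound message.  `attachments` maps filename -> CSV text."""
    reasons: List[str] = []
    for filename, content in attachments.items():
        if not filename.lower().endswith(".csv"):
            continue  # other formats would need their own text extractor
        headers, hits, nrows = scan_csv(content)
        if looks_like_phi(headers, hits):
            reasons.append(f"{filename}: columns {sorted(headers)}, patterns {hits}, {nrows} rows")
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if reasons and external:
        reasons.append(f"{sender} -> external recipients {external}")
        return Verdict("hold_for_approval", reasons)  # the "added level of approval"
    if reasons:
        return Verdict("allow_and_log", reasons)  # internal delivery, keep an audit trail
    return Verdict("allow")


# Constructed sample attachments (fictitious people and values).
CLAIMS_CSV = """Patient Name,DOB,Diagnosis,Insurance Carrier,Claim Number
Jane Doe,03/14/1972,E11.9,Acme Health,CLM-10001
John Roe,11/02/1965,I10,Acme Health,CLM-10002
"""
SKILLS_TEST_CSV = """Scenario,Expected Code
Routine adult physical,Z00.00
Essential hypertension follow-up,I10
"""

if __name__ == "__main__":
    for name, text in (("claims.csv", CLAIMS_CSV), ("skills_test.csv", SKILLS_TEST_CSV)):
        v = evaluate("recruiter@hospital.example", ["candidate@mail.example"], {name: text})
        print(name, v.action, *v.reasons, sep="\n  ")
```

In a deployment this logic sits in the mail gateway’s content filter, and the hold queue is where a privacy officer approves or rejects the message.  Note what the gate does and does not do: a real claims export to an outside job candidate is held, a de-identified skills test passes, and the same export to an internal billing address is delivered but logged.  Encryption (Rady’s third bullet) is no help with this failure mode, because the message is going, encrypted or not, to a person who should never receive it.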

Though these steps are important, it is quite alarming that breaches such as these are still happening.  Why are job applicants receiving spreadsheets with patient information?  As Rady notes above, training exercises are commercially available.  Breaches, such as the one at Rady and at Stanford, reveal several flaws in HIPAA compliance – but two in particular rise to the surface.

1.  Access Controls.  The HIPAA Security Rule stresses access controls at every layer of a covered entity (and now business associates): who gets access to PHI, who grants that access, and what access the person has.  The administrative, physical, and technical safeguard requirements all touch on whether a workforce member’s access to PHI is appropriate.  For example, the technical access control standard requires covered entities and business associates to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).”  45 CFR 164.312(a)(1).  The administrative standard it references, information access management, is where those access rights are supposed to be decided.  Covered entities and business associates alike should evaluate who within their organizations actually needs access to PHI to perform their job functions.  Does the HR Department, or an internal or external recruiter, arguably in charge of hiring new staff, need PHI in order to perform those duties?  (Note, I do not opine here as to whether access to PHI was properly granted to the workforce members at Rady, as I lack sufficient information to make that judgment.)  Determining whether access to PHI is appropriate is a requirement of the HIPAA Security Rule (the access authorization specification is “addressable,” which means you must assess it and either implement it or document why not and what you did instead, not that you may skip it) and is a good mitigation tactic against impermissible disclosures such as the one here.

2.  Training.  All covered entities and business associates are responsible for HIPAA Security training for every member of the workforce.  45 CFR 164.308(a)(5).  Though the content may vary depending on the workforce member’s use of PHI, all staff must be trained, and training does not end after an initial session: periodic security updates are specifically identified in the Security Rule as an implementation specification of the security awareness and training standard.  These updates need not be limited to notices about new antivirus software installed on the system; they can include case studies, reminders of the HIPAA rules, and HIPAA-related headlines.  For some workforce members HIPAA may not be top of mind (particularly those in business roles that do not deal with patients or patient information on a routine basis).  Periodic training updates and reminders, including examples of other HIPAA breaches (e.g., Stanford), may be very useful in driving home how easy HIPAA breaches can be…and how expensive they are.

Avoidance of HIPAA breaches altogether is nearly impossible, but proper access controls and training can help mitigate against breaches such as the one that occurred here.

For more information about HIPAA Security contact Elana Zana.

CMS Proposed Revisions to Meaningful Use – A Welcome Delay

CMS has issued proposed revisions to meaningful use Stages 2 and 3 in response to numerous industry complaints that hospitals and provider groups will not be able to implement 2014 Edition certified EHR technology (CEHRT) in time to meet meaningful use in 2014.  CMS, recognizing that eligible professionals (EPs) and hospitals are using 2011 Edition CEHRT, 2014 Edition CEHRT, or a mixture of both, issued proposed rules addressing what each category must attest to in 2014.  In a substantial change from the final rules issued in September 2012, CMS has agreed to extend Stage 1 in 2014 for those EPs and hospitals that cannot successfully obtain or deploy 2014 Edition CEHRT.  Further, CMS has proposed to delay Stage 3 meaningful use by one year.

Medicaid Modification

The proposed rule modifies the AIU (adopt, implement, and upgrade) exception for those EPs and hospitals attesting for the first time in 2014.  Hospitals and EPs attesting to AIU in 2014 must adopt, implement, or upgrade to 2014 Edition CEHRT only; attesting to the 2011 Edition or a combination of editions will not satisfy the definition in 2014.

Meaningful Use Timeline

Originally, all Medicare EPs and hospitals were required to meet meaningful use using the 2014 Edition CEHRT for Stage 1 or Stage 2 in 2014.  This proposed rule delays this process as follows:

Table 2:  Proposed CEHRT Systems Available for Use in 2014

If you were scheduled to demonstrate Stage 1 in 2014, you would be able to attest for meaningful use:

  • Using 2011 Edition CEHRT: 2013 Stage 1 objectives and measures*
  • Using 2011 & 2014 Edition CEHRT: 2013 Stage 1 objectives and measures* -OR- 2014 Stage 1 objectives and measures*
  • Using 2014 Edition CEHRT: 2014 Stage 1 objectives and measures

If you were scheduled to demonstrate Stage 2 in 2014, you would be able to attest for meaningful use:

  • Using 2011 Edition CEHRT: 2013 Stage 1 objectives and measures*
  • Using 2011 & 2014 Edition CEHRT: 2013 Stage 1 objectives and measures* -OR- 2014 Stage 1 objectives and measures* -OR- Stage 2 objectives and measures*
  • Using 2014 Edition CEHRT: 2014 Stage 1 objectives and measures* -OR- Stage 2 objectives and measures

 *Only providers that could not fully implement 2014 Edition CEHRT for the reporting period in 2014 due to delays in 2014 Edition CEHRT availability.  Note: Table 2 is directly from the CMS proposed rule (similar table in press release does not contain asterisk).

To take advantage of the delays, EPs and hospitals must attest that they were not able to upgrade or fully implement to the 2014 Edition CEHRT because of issues related to availability.  Providers that were planning on meeting Stage 2 in 2014 and are now going to attest to Stage 1 in 2014 will be required to begin Stage 2 in 2015.

Stage 3 Delay

CMS also proposed a delay in Stage 3 for a year.  This is welcome news considering that CMS has not yet built-out Stage 3 and is waiting for the results from Stage 2 to “inform [its] development of the criteria for Stage 3 meaningful use.”  Stage 3 will begin on January 1, 2017 for EPs and October 1, 2016 for hospitals and CAHs.  The proposed revised schedule is as follows:

TABLE 3 – PROPOSED STAGE OF MEANINGFUL USE CRITERIA BY FIRST PAYMENT YEAR

First Payment   Stage of Meaningful Use in each payment year
Year            2011   2012   2013   2014      2015   2016   2017   2018   2019   2020   2021
2011            1      1      1      1 or 2*   2      2      3      3      TBD    TBD    TBD
2012                   1      1      1 or 2*   2      2      3      3      TBD    TBD    TBD
2013                          1      1*        2      2      3      3      TBD    TBD    TBD
2014                                 1*        1      2      2      3      3      TBD    TBD
2015                                           1      1      2      2      3      3      TBD
2016                                                  1      1      2      2      3      3
2017                                                         1      1      2      2      3

*3-month quarter EHR reporting period for Medicare and continuous 90-day EHR reporting period (or 3 months at State option) for Medicaid EPs.  All providers in their first year in 2014 use any continuous 90-day EHR reporting period.  Note: Table 3 is directly from the CMS proposed rule (similar table in press release does not contain asterisk).

Clinical Quality Measures

CMS has also relaxed the requirements for reporting clinical quality measures (CQMs) in 2014.  Specifically, the method of CQM submission to CMS will depend on the edition of CEHRT deployed by the provider (states will still have discretion over submission requirements).  For providers reporting the 2013 Stage 1 objectives:

Using 2011 Edition CEHRT

  • Method of reporting: attestation
  • EP reporting requirements: 3 core/alternate CQMs and 3 additional CQMs; 3-month reporting period (90 days if first year)
  • Hospital/CAH reporting requirements: 15 Stage 1 measures; 3-month reporting period (90 days if first year)

Using 2011 & 2014 Edition CEHRT

  • Method of reporting: attestation
  • EP reporting requirements: 3 core/alternate CQMs and 3 additional CQMs; 3-month reporting period (90 days if first year); derived exclusively from 2011 Edition CEHRT
  • Hospital/CAH reporting requirements: 15 Stage 1 measures; 3-month reporting period (90 days if first year); derived exclusively from 2011 Edition CEHRT

Providers using a combination of 2011 and 2014 Edition CEHRT to report on the 2014 Stage 1 or Stage 2 measures, or using 2014 Edition CEHRT alone, should report CQMs as originally indicated in the Stage 2 final rule (i.e., electronic submission) and subsequent rulemaking.

ONC Modifications

In order to support the CMS revisions, ONC has made modifications to its CEHRT definition to reflect the proposed new required start dates.  ONC’s proposed revisions would move the required start dates for the 2014 Edition of CEHRT to October 1, 2014 for hospitals and CAHs and January 1, 2015 for EPs.

For more information on the EHR Incentive Program and meeting meaningful use please contact Elana Zana.

$4.8 Million HIPAA Settlement – Patient Data on the Web

On May 7, 2014, HHS announced that New York-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date. The organizations settled charges that they potentially violated the HIPAA Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”).

NYP and CU operate a shared data network that links patient information systems containing ePHI. On September 27, 2010, the two entities submitted a joint breach report following the discovery that the ePHI of 6,800 individuals had been impermissibly disclosed due to a deactivated server, resulting in ePHI being accessible on internet search engines. The ePHI included patient statuses, vital signs, medications, and laboratory results.

HHS Office for Civil Rights’ (“OCR”) subsequent investigation determined that neither entity had conducted an accurate and thorough risk analysis or developed an adequate risk management plan to address potential threats and hazards to ePHI security. Further, OCR found that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with internal policies on information access management.

NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. In addition, both entities agreed to Corrective Action Plans that require each entity to:

  • Conduct a comprehensive and thorough risk analysis;
  • Develop and implement a risk management plan;
  • Review and revise policies and procedures on information access management and device and media controls;
  • Develop an enhanced privacy and security awareness training program; and
  • Provide progress reports.

Additionally, CU must also “develop a process to evaluate any environmental or operational changes” that impact the security of ePHI it maintains.

This settlement again highlights the necessity for healthcare organizations and business associates to create and implement Security policies and procedures, and to engage in a security management process that ensures the security of patient data.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana or Jefferson Lin.

Providing Telemedicine Services? Pay Attention To State Licensing Requirements

Advancements in telemedicine offer exciting treatment possibilities for rural communities. Through audio-visual technology, patients in small communities now have the opportunity to access the expertise of specialists at large medical facilities in metropolitan areas.

However, along with all of the promise of telemedicine technologies, there are also some important legal issues that health care providers need to understand.  One of the most important issues is whether physicians who provide treatment advice to a patient through telemedicine must be licensed in the state where the patient is located.  For example, if a patient is located in Washington State, can a physician who is only licensed in Oregon provide telemedicine services to the patient?

The Federation of State Medical Boards (FSMB) has recently addressed the licensure issue in its Model Policy for the Appropriate Use of Telemedicine Technologies.  The Policy makes it clear that a physician must be licensed by, or under the jurisdiction of, the medical board of the state where the patient is located.

It is unclear whether state medical boards will follow the Model Policy from FSMB.  For example, Washington State law currently allows physicians licensed in another state to “practice medicine” in Washington so long as they do not open an office or appoint a place of meeting patients or receiving calls within Washington. (RCW 18.71.030). Of course, this provision could change in the future.

In order to avoid the unlawful practice of medicine when providing telemedicine services, physicians and healthcare facilities should take time to understand the licensing regulations in the state where the patient is located.

For more information on the legal issues related to telemedicine, please contact Casey Moriarty.

Stolen Laptops Lead to $2 Million in HIPAA Settlements

Last week HHS announced close to $2 million in HIPAA settlements with Concentra and QCA Health Plan arising from the theft of unencrypted laptops.  The message from HHS, however, is not just the importance of data encryption; it is the performance of, and follow-through on, a security risk analysis and the implementation of security policies and procedures.  Further, the close to $2 million does not include the additional cost and time it will take both organizations to comply with the OCR corrective action plans.

Concentra

The larger settlement and corrective action plan involved Concentra Health Services, a subsidiary of Humana, Inc., which operates more than 300 medical clinics nationally, including urgent care, occupational and physical therapy, and wellness services.  Concentra agreed to a $1,725,220 settlement with HHS for potential violations uncovered after it reported a breach involving a stolen unencrypted laptop.  Specifically, the Resolution Agreement identified the following two deficiencies:

(1) Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008, until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.312(a)(2)(iv)).

(2) Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.308(a)(1)(i)).

Interestingly, while the Security Rule allows flexibility in implementing certain measures, including encryption of ePHI under 45 CFR 164.312(a)(2)(iv), this high settlement amount indicates that healthcare organizations (and now business associates) that choose not to encrypt must be able to explain themselves: for an addressable specification, the entity must either implement it or document why it is not reasonable and appropriate and implement an equivalent alternative measure.  HHS, in the Resolution Agreement, faults Concentra not only for failing to encrypt the data but, having identified its own lack of encryption, for failing to implement an alternative to encryption (though it is unclear what a reasonable alternative to encrypting a portable device would be).  Now, not only does Concentra owe this large settlement payment to HHS, but it must comply with the corrective action plan, which includes implementation of a security management plan (with a security risk analysis baked in), encryption obligations, security awareness training, and annual reports to HHS.  And if Concentra fails to comply, HHS has reserved its right to impose civil monetary penalties (which were significantly increased under the HITECH Act).

QCA Health Plan of Arkansas

The smaller settlement of $250,000 was with QCA Health Plan of Arkansas, a health insurance provider.  The impetus for this settlement and corrective action plan was the theft from an employee’s car of an unencrypted laptop containing the PHI of 148 individuals (note that this breach affected fewer than 500 individuals).  The Resolution Agreement determined that:

A.  QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule to June 18, 2012.

B. QCA did not implement physical safeguards for all workstations that access ePHI to restrict access to authorized users on October 8, 2011.

C. QCA impermissibly disclosed the ePHI of 148 individuals on October 8, 2011.

Unlike Concentra, QCA was not directly faulted for failing to encrypt its laptops or for failing to implement a reasonable alternative.  Rather, this settlement focused on the lack of sufficient HIPAA Security policies and procedures, an inadequate security risk assessment, and the failure to implement security measures, most specifically physical safeguards.  The corrective action plan is also noticeably different, focusing on workforce training and reporting of workforce non-compliance rather than on encryption requirements (the press release notes that QCA encrypted its laptops following the breach).

Though, as in most laptop-theft cases, the simple solution is to encrypt the data (a device encrypted in accordance with HHS guidance does not hold “unsecured” PHI, so its loss is not a reportable breach), these settlements expose the depth of the compliance obligations and the monetary consequences of failing to securely protect PHI.  Concentra and QCA, like other health care organizations that have settled with HHS, will have years of compliance reporting obligations and security management requirements that will likely create significant cost burdens on top of the settlement payments.  HHS has made it quite clear in its press releases and corrective action plans: healthcare organizations and business associates must create and implement Security policies and procedures, and must engage in a security management process that maintains the security of patient data after the initial implementation.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana.

HHS Security Risk Assessment Tool Webinar

The Office of the National Coordinator announced today that it will host a webinar to discuss its Security Risk Assessment Tool.

This webinar is designed to review the current state of the tool, discuss some of the known issues and ONC’s plan to address those identified issues, and answer questions from users across the country.

The webinar will be on April 29th at 2:00 PM Eastern (11:00 AM Pacific).  To register click here.

To learn more about the Security Risk Assessment Tool and using it for HIPAA and meaningful use compliance read our previous article here.

FDA Releases Report on Health IT Oversight

On April 3, 2014, the Food and Drug Administration (“FDA”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”), released a congressionally mandated report which proposes to clarify oversight of health information technology (“health IT”) based on a product’s function and the potential risk to patients who use it. The full draft report can be viewed here.

Similar to the FDA’s September 2013 guidance on how it would regulate mobile medical apps, this report proposes a strategy based on the premise that risk and the corresponding controls should focus on health IT functionality, not the platform(s) on which that functionality resides.  As such, the FDA has identified three categories of health IT: (1) administrative health IT functions, (2) health management health IT functions, and (3) medical device health IT functions.  The following summarizes examples of the three categories and the FDA’s regulatory approach for each:

  • Administrative functionality.  Examples (including but not limited to): billing and claims processing, practice and inventory management, scheduling, general purpose communications, determination of health benefit eligibility, population health management, reporting of communicable diseases to public health agencies, quality measure reporting.  Level of oversight: no additional oversight necessary.
  • Health management functionality (sometimes referred to as “clinical software”).  Examples: health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, patient identification and matching.  Level of oversight: not the focus of FDA oversight, given the proposed risk-based framework for health management health IT.
  • Medical device functionality.  Examples: computer-aided detection/diagnostic software, remote display or notification of real-time alarms from bedside monitors, robotic surgical planning and control.  Level of oversight: the focus of FDA oversight.

A significant portion of the FDA’s report focuses on the proposed framework for health management health IT functionalities.  Instead of recommending a new or additional area of FDA oversight, the report recommends a limited, narrowly tailored approach that relies primarily on ONC-coordinated activities and private sector capabilities.  Four key priority areas for health management health IT are: (1) promote the use of quality management principles; (2) identify, develop, and adopt standards and best practices; (3) leverage conformity assessment tools; and (4) create an environment of learning and continual improvement.

The framework also includes a recommendation for ONC to create a public-private Health IT Safety Center, in collaboration with the FDA, the FCC, the Agency for Healthcare Research and Quality (“AHRQ”), and other health IT stakeholders.  This Center would work on best practices and provide a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.

What do you think about the FDA’s health IT report?  The FDA is seeking public input on a number of specific questions related to the report’s recommendations; the report is open for public comment for 90 days.  For more information about the FDA report or health IT regulatory issues, please contact Jefferson Lin or David Schoolcraft.

Want to Make HIPAA More Interesting? Try Playing Web Games

Many healthcare providers understand the importance of HIPAA compliance, but are not interested in reading detailed regulations and agency commentary to understand the rules.  If this describes any of your staff members, the Office of the National Coordinator for Health Information Technology (ONC) may have a solution: play an online game.

In an effort to make HIPAA compliance a bit more fun, ONC has developed web games for both the HIPAA Privacy and Security Rules.  Each game provides a number of real-life patient privacy scenarios and asks the player to choose the correct course of action.

Sample scenarios include an employee’s access to unencrypted PHI on a home laptop, the purpose of an entity’s “contingency plan” under the Security Rule, and the use of e-mail to send unencrypted PHI.

The games might be something to try if you have found it difficult to make HIPAA compliance engaging for staff members.  Although the games are simple and fun, the issues that they address have huge significance for all covered entities and business associates.

You can access the games here.  What is your highest score?

For more information about HIPAA compliance, contact Casey Moriarty.