HIPAA Training

Find your training needs here and sample policies and procedures.

HIPAA 4 MT

Back to School!

It’s that time of year again! Parents are scrambling to get things ready for the kids to return to school. At the same time, many are savoring the idea of having the house to themselves for a few short hours in the day. For those of us who aren’t doing the back to school scramble, it’s the end of summer and a time to think about what’s next.

In celebration of the back to school season, MT Tools Online is offering a 25% discount on all E-Courses as well as the sample policies and procedures. Ready to work toward your goal of understanding HIPAA and being compliant? Take advantage of this savings to help you reach that goal now! To get the special pricing, go to the HIPAA Training page, select the package you would like, sign up, and use the discount code “school” when you make your purchase.

Use the back to school time as a time to plan for YOUR future. There’s no better time to make the move toward what you need related to HIPAA and the HITECH Act!

Can You Afford a Data Breach?

I ran across an interesting report this week related to data breaches and their cost to an organization. The 2009 Ponemon Institute Benchmark Study was released and makes for some fascinating and scary information. The study covers many different industries where breaches occurred in 2009, with 45 participants, some of which are healthcare entities. I encourage you to read the entire report as I found it quite interesting.

With breach notification now required whenever an organization has a breach, it is important to take steps to prevent one from occurring. But what if it does happen? What will it cost? Here are some interesting points from the study:

  • The average cost of a breach is $204 per record involved. In the healthcare industry, however, this cost rises to $294 per record, second only to the pharmaceutical industry at $310.
  • The average organizational cost in 2009 was $6.75 million. The most expensive cost was $31 million.
  • The study also looked at the percentage of customers lost because of a breach. That figure has risen to 3.7% and is listed as the main driver of breach cost. It is interesting to note that, while the overall average is 3.7%, in health care the number rises to 6%, the same rate seen in the communications and pharmaceutical industries.
  • Another important thing to note is that 42% of breaches were attributed to a third party, such as an outsourcing company hired to provide services. In the healthcare industry, this number rises to 60%.
  • Of the breaches studied, 36% were related to lost or stolen laptop computers or mobile devices. Do you now see the value in making sure your jump drives and external hard drives are encrypted?
  • Also reported was the average cost per record when the breach involved a mobile device: $224, compared to $193 when it did not.
  • Do you have a compliance officer for your organization who manages the process? If not, it may be a good time to rethink your strategy. Organizations that have one had an average cost per record of $156.73, versus $235.51 for those that do not.

While a mere $200 may not sound like a lot, remember that this is per record breached. Just one breach involving 500 patients would cost around $102,000. Many of the 131 breaches reported on the HHS website involve far more than 500 records.

Be sure your compliance program is protecting you from breaches that could end up costing thousands, or millions, of dollars. It is not a place to skimp on in your organization.

Remember, if you are an independent contractor, this weekend is your last opportunity to get the HIPAA4MT sample policies and procedures at a significant discount!

HIPAA and Independent Contractors

As we have discussed with the recent rules that were published, independent contractors are now subject to the rules of a business associate, no matter whether they contract directly with the covered entity or not. That brings some challenges for everyone as those who are subcontractors try to do what they need to do to be compliant.

As someone who has been there as an IC and knows what the struggles can be, I've been thinking how to best address this in a way that would be helpful. There are a lot of products out there to select from, and the prices range from $200 to $4,000. I don't know too many independent contractors who could do that.

If you are a subcontractor, you should now have your own set of policies and procedures to show that you are compliant. In an effort to assist those of you who are independent contractors, we are now making the set of sample policies and procedures available to independent contractors, or those who are classified as subcontractors, for a greatly reduced price. The policies, which are normally priced at $200, are now available to the independent contractor for $60. This does not apply to a business owner who has employees or subcontractors; it is only for the sole proprietor who contracts with someone else. It also does not include the training that is offered, only the set of policies.

You might ask, "but how will you know?" Isn't it possible that a business will take advantage of this? Sure it is. Still, I believe that people in general operate with honesty and integrity. It's the cornerstone of my businesses and I anticipate that others will do the same. For me, it's just that simple.

If you would like to order a set of these policies, please email me, put "IC Policies and Procedures" in the subject line, and I will send you the discount code to use. This offer will be available through August 15, 2010.

UPDATE: There is a problem with the links for the training page. You can find information on available HIPAA Training at the training page on the website.

New OCR Proposed Rule Available

The Office for Civil Rights (OCR) has published the new Notice of Proposed Rulemaking (NPRM) covering the changes to the HIPAA Privacy and Security Rules brought about by the HITECH Act. You can read the proposed rule here:

OCR Proposes New Rule

The document is 234 pages, so it takes a while to read. On a cursory read, here are some of the changes that appear to be coming:

  • Make the requirements under the Privacy and Security Rules apply to business associates just as they presently apply to covered entities.
  • Modify the definition of a business associate to include subcontractors. This will have a big impact on the medical transcription industry, as independent contractors who work for medical transcription services will now have to classify themselves as business associates, with all of the responsibilities that go with that. The rule clearly defines a subcontractor, or independent contractor, as a business associate of the business associate. Under the proposed rule, patient safety organizations are also defined as business associates.
  • Require business associates to obtain "satisfactory assurances" from subcontractors that they will comply with the applicable requirements of the Privacy and Security Rules. Existing contracts between business associates and subcontractors can be grandfathered for up to one year beyond the rule's compliance date. OCR estimates that 1.5 million business associates may have to bring subcontractors into compliance.
  • Require the notice of privacy practices to include a description of the uses and disclosures of protected health information that require an authorization.
  • Enable individuals to request a restriction on disclosures of PHI, unless the disclosure is otherwise required by law, if the restriction applies solely to a service paid for fully out of pocket.
  • Strengthen the right of individuals to obtain their electronic health records.

Cost of Implementation

With any proposed rulemaking, there is a requirement for a cost analysis. I find this fascinating, as it requires a real understanding of the industry and a lot of "guesstimates" about what will be required. The biggest costs identified are covered entities producing new Notices of Privacy Practices, which must be rewritten and distributed to patients, and the cost of amending business associate agreements and/or writing new agreements between a business associate and its subcontractors.

The cost of redoing the notice of privacy practices is estimated at $166.1 million. The report estimates that 71% of this cost will fall on the private sector and the other 29% on the government or public sector. While that sounds extremely costly and hard to grasp, the report goes on to break the cost down per covered entity, with an estimate of $168 each. Viewed individually, it does not seem unreasonable.

It's important to note that OCR does not have information on the cost of redoing contracts for business associates, because it lacks the supporting data. While there is an estimate of 1,500,000 total business associates, no one really knows how many subcontractors each may have. OCR is therefore seeking information to help estimate the cost of this portion of the change.

How Long Will Compliance Take?

OCR has prepared an estimated annualized burden table, which indicates which portion of the rules is referenced, the type of respondent, the number of respondents, the average number of responses per respondent, the average burden hours per response, and the total burden hours.

This report estimates that there are 1,500,000 business associates, and allocates one hour per business associate to cover legal review of their revised business associate contract. That accounts for 1,500,000 hours of time spent to get this done. The estimated number of hours for revision of the Notice of Privacy Practices is 233,833, for an estimated 701,500 respondents. The time estimated to disseminate the new Notice of Privacy Practices for 200,000,000 patients is one hour per 100 patients, adding up to 2,000,000 hours. That makes the total estimated time 3,733,833 hours! Just in case you're wondering, that equals 155,576 days, 31,115 weeks (based on a 5-day work week), or 598 years! Thankfully all of this isn't being done by one person!

OCR is proposing that an additional 12 months be given for full compliance, on top of the six months it is currently allowed to give. This would give a total of 18 months for compliance with portions of the proposed rule.

Here's my question. Does this change your plans for implementation? How do you foresee that these changes will impact your business?

HIPAA Compliance and Portable Devices

The healthcare industry often uses portable devices for the storage and transmission of protected health information. I find it concerning that many of the people I speak with think that because they use a jump drive or an external hard drive to store patient information, they are compliant. It simply isn't true.

The HITECH Act now specifically says that information must be encrypted during transmission AND at rest. That means all of the patient information you are storing on any kind of portable device must also be encrypted. In OCR's published list of breaches, you will find that a good many of them are the result of theft or loss of a laptop or jump drive.

In a recent conversation I had with a transcription service owner, who is a business associate and thus subject to these new laws, the response to the above information was "well, the customers don't care so I can't be responsible for it." If you read the laws, you realize this is not the case: business associates are held to the same standards as the covered entity. In addition, you are responsible for the actions of your subcontractors. Simply "telling them to use an external drive for storage" doesn't relieve you of that responsibility.

Simply storing things on an external drive without encryption isn't good enough. Be sure you are not caught in this situation. If you are audited, it could mean monetary penalties and fines for you.