HIPAA Non-Compliance Penalties
Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions of section 1128A of the Act apply to actions taken to obtain civil monetary penalties under this section.
The Final Rule explains that the penalty is imposed "per violation on any person who fails to comply with a standard" and caps the amount imposed on any one person, per standard, per year at $25,000. Since a provider usually files more than one claim at a time, accumulating many violations in a single transmission would be common, and because the $25,000 cap applies per standard, the fines multiply when an organization fails to comply with several transaction standards. Payers carry a greater burden because they must be ready to comply with all transaction and code set standards, regardless of whether they currently process them electronically or on paper. For example, if a provider sends a batch of claims electronically directly to a payer but does not use the 837 format, the penalty would be $100 for each claim in that batch. Assuming the provider sends 100 claims per day, the possible penalty would be $10,000 per day ($100 x 100 claims); within 3 days the provider would have accrued enough infractions to reach the $25,000 annual maximum for that standard.
Section 1177 establishes penalties for any person who knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information, in violation of the part. The penalties are tiered:
A fine of not more than $50,000 and/or imprisonment of not more than 1 year.
If the offense is committed "under false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than 5 years.
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.
ARTICLES
With HIPAA Police Pouncing, Hospitals Panic and Increase Security Investment
London, ON - May 10, 2005 – A study by leading IT research firm Info-Tech Research Group (www.infotech.com) finds that over 60% of small- to medium-sized hospitals will increase their IT security investment in 2005, with 13% increasing it dramatically. This is not surprising given a report issued in April by the American Health Information Management Association which says that, as of January, only 17.5% of hospitals and health systems were fully compliant with HIPAA (Health Insurance Portability and Accountability Act) security regulations.
Info-Tech's look into the state of hospital IT departments finds that 62% of hospitals will invest in security software and 57% in security hardware. The biggest growth is among the biggest hospitals – those with more than 2,000 employees. Info-Tech's study finds that 81% of larger hospitals are, at a minimum, planning incremental security hardware growth and 73% are planning security software increases.
"While one network that handles applications and telephone calls is an IT manager's dream, the speed with which VoIP is coming to the market might be an IT manager's nightmare," Goodall says. "Senior managers are demanding the cost savings associated with VoIP, vendors are scrambling to reinvent their offerings, and IT managers are scrambling to implement the technology."
"The final HIPAA security deadline for all but the smallest enterprises passed on April 20 and now officials at the Centers for Medicare and Medicaid Services (CMS) are going to be on the lookout for those who haven't complied," says Frank Koelsch, Executive Vice President at Info-Tech Research Group. "IT managers know their security technology needs to be robust to deal with the demands of HIPAA and our study shows they're making the necessary investment."
"Of all the industries we surveyed, hospital IT departments were among the biggest spenders," says Koelsch. "62% of hospitals plan to increase overall IT spending this year, whereas only 51% of IT departments in other industries intend to do the same."
Other important findings by Info-Tech Research Group include:
80% of respondents plan to make core technology investments at current levels or higher.
Top investment areas include storage and telephony.
59% of IT decision makers plan to increase desktop hardware investments.
Over half of all hospitals with more than 500 employees are planning to implement VoIP.
The findings are part of Info-Tech Research Group's Hospitals: 2005 IT Budget & Staffing Report, released this week. Data in the independent, non-sponsored report is based on Info-Tech's January 2005 survey of more than 1,400 IT decision makers at mid-sized enterprises in Canada, the U.S. and U.K.
About Info-Tech Research Group
With a paid membership of over 25,000 worldwide, Info-Tech Research Group is the global leader in providing IT research and analysis to the mid-sized enterprise market. It is North America's fastest growing full-service IT analyst firm.
Media Contact:
Jennifer Meister
519 936-2658
jmeister@infotech.com
Health Insurance Portability & Accountability Act (HIPAA)
Designed to standardize electronic data interchange and protect the confidentiality and security of health data.
Affected Entities
Any healthcare organization or related entities that transact patient information.
Pertinent Section to CAM Services
Security Rule: The Security Rule was published on February 20, 2003, to cover any health information stored or transmitted electronically. Specifically, it requires entities to have safeguards in place that ensure health information integrity, confidentiality and availability.
Contingency Plan: Must establish policies and procedures for responding to an emergency (such as system failure or fire) that can damage systems containing health information.
CAM Solution: The Security Rule requires a data backup plan, a DR plan and a plan for emergency mode operation. CAM gives you comprehensive backup and off-site protection of internal or remote servers. In a crisis situation you are covered whether you need a single file restored or all data has been lost. AmeriVault expert client support will also assist with recovery via MobileVault or tape media. Services such as HOTBOX, restartIT, Agility Quick-Ship or Agility Mobile Units further enhance compliance with solutions tailored to your risk.
Device and Media Controls: Policies and procedures should be in place to govern movement of media in and out of a facility.
CAM Solution: Centralized management control via the CentralControl interface offers specific backup policies and procedures that are pre-defined, automated and highly disciplined. Because it is an online service, no media leaves the facility and no media is left lying around to be mishandled by unauthorized personnel.
Access Control: Governs technical policies that define access rights by people or software programs.
CAM Solution: The AmeriVault backup software can restrict users via encryption password. The software also works transparently without needing an application open on a desktop. All software can be accessed via FTP from another location should there be an emergency. Additionally, processed data is always encrypted and only decrypted at client-side.
Audit Control: Must implement hardware and software that records and examines activity in systems that contain health information.
CAM Solution: The CentralControl software automatically creates a comprehensive audit trail of all your backups and retentions. Logs can be generated in multiple variations and retained according to your needs.
Data Integrity: Policies and procedures should be in place that protect from improper data alteration or destruction.
CAM Solution: Backup data is subject to a 3-level CRC check to ensure what is sent is what was received at the Mass Storage Vault. Also, once data is backed up with your defined retention schedule, it cannot be mistakenly overwritten or removed. Only written authorization submitted from a client listed as “approved” can start this process. CAM will then verify all requests.
Compliance Deadline: Security Rule Only
Deadline for compliance with the Security Rule is April 20, 2005; small health plans have until April 20, 2006. Visit: hipaataskforce.com


Sarbanes Oxley
Enacted on July 30, 2002 to bring accountability to corporate accounting and business practices surrounding the disclosure of financial information. Accounting fraud cases such as Enron were the catalysts.
Affected Entities
Companies that are traded publicly, private firms with plans of going public and any private firms that may be acquired or otherwise merged with a public company.
Pertinent Section to AmeriVault Services
Section 404 (Management Assessment of Internal Controls): Requires entities to have controls in place for the reliability, preparation, maintenance, accuracy and safeguarding of financial information.
Safeguards
CAM Solution: For management of any company to certify the accuracy of their financial reports, they have to attest that they have security features in place that protect the integrity of the information they disclose. Clearly this includes disciplined backup procedures, off-site protection and a continuity plan should internal controls be compromised by system failure or disaster. CAM offers highly secure online backup and off-site storage. For continuity or recovery, CAM has a host of services available to mitigate your risks.
Access Controls
CAM Solution: The AmeriVault software can restrict users via encryption password. The software works transparently in the background without needing an application open on a desktop. Backup data is always encrypted and only decrypted on the client-side.
Reliability
CAM Solution: Upon completion of a backup, the AmeriVault software generates a status e-mail confirming the success or failure of the backup. The data is subject to a 3-level CRC check to make sure the data sent is an exact copy of the data received at our Mass Storage Vaults.
Compliance Deadline
Some sections are already in force. Section 404 was extended to June 15, 2004, for large corporations and April 15, 2005, for smaller companies.


Gramm Leach Bliley Act
Designed to protect the security and confidentiality of customer records and information, to guard against anticipated threats or hazards to their security or integrity, and to prevent unauthorized access to or use of customer information.
Affected Entities
Companies that are “significantly engaged” in financial activities such as lending, exchanging, transferring, investing for others, or safeguarding money or securities; insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death; providing financial investment or economic advisory services; underwriting or dealing with securities.
Pertinent Section to AmeriVault Services
Part 314 Standards for Safeguarding Customer Information: This section sets forth standards for developing, implementing and maintaining reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.
Security
CAM Solution: The CAM online backup solution uses a proprietary authentication process designed to receive only data pushed out by registered clients. The Mass Storage Vaults use tiered firewalls and intrusion detection systems to give you greater security than do-it-yourself solutions.
Confidentiality
CAM Solution: When you employ the CAM online backup solution, confidentiality is maximized. Backup data is encrypted using your choice of the Blowfish, 3DES or AES algorithms. The service itself runs transparently, so there are no tapes changing hands and no applications left open for unauthorized access.
Integrity
CAM Solution: Backup data is subject to a 3-level CRC check to ensure what is sent is what was received at the Mass Storage Vault. Also, once data is backed up with your defined retention schedule, it cannot be mistakenly overwritten or removed. Only written authorization submitted from a client listed as “approved” can start this process. AmeriVault will verify all requests.
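Both the HIPAA Data Integrity item above and this GLB Integrity item rely on a CRC check to confirm that what the client sent is what the vault received. A CRC is an error-detecting code, not a tamper-evident one: it is unkeyed, so anyone who can alter a stored chunk can also recompute its CRC, and a bit-for-bit match says nothing about who changed the data. The following Python sketch is an added example written for this page; it is not AmeriVault/CAM code and does not describe how the CAM service actually implements its "3-level CRC check". The chunk contents, the client key handling and the record layout are assumptions. It pairs a per-chunk CRC32 with an HMAC under a client-held key and shows which check catches a line error, a vault-side edit with a recomputed CRC, and a reordering of chunks.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed sample "backup chunks" standing in for the blocks a client
# pushes to an off-site vault. The contents are made up for this example.
SAMPLE_CHUNKS = [
    b"patient_id=1001;dx=J45.909;visit=2005-04-11",
    b"patient_id=1002;dx=E11.9;visit=2005-04-12",
    b"patient_id=1003;dx=I10;visit=2005-04-12",
]

# Assumed: the client generates and keeps this key; the vault never sees it.
CLIENT_KEY = secrets.token_bytes(32)


def _tag(key, position, data):
    # Bind the chunk's position into the MAC so chunks cannot be swapped or
    # replayed into a different slot without detection.
    return hmac.new(key, position.to_bytes(4, "big") + data, hashlib.sha256).digest()


def seal_chunk(position, data, key):
    """Build the record a client sends for one chunk: payload plus two checks.

    crc32 - unkeyed checksum; detects accidental corruption in transit or at rest.
    tag   - HMAC-SHA256 under the client-held key; detects deliberate changes by
            anyone (including the storage operator) who lacks the key.
    """
    return {
        "data": data,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "tag": _tag(key, position, data),
    }


def seal_backup(chunks, key):
    return [seal_chunk(i, c, key) for i, c in enumerate(chunks)]


def verify_backup(records, key):
    """Return a (crc_ok, tag_ok) pair for each stored record, by position."""
    results = []
    for position, rec in enumerate(records):
        crc_ok = (zlib.crc32(rec["data"]) & 0xFFFFFFFF) == rec["crc32"]
        tag_ok = hmac.compare_digest(_tag(key, position, rec["data"]), rec["tag"])
        results.append((crc_ok, tag_ok))
    return results


def corrupt_in_transit(records, position, bit):
    """Flip one payload bit, leaving crc32 and tag untouched: a line error."""
    recs = [dict(r) for r in records]
    data = bytearray(recs[position]["data"])
    data[bit // 8] ^= 1 << (bit % 8)
    recs[position]["data"] = bytes(data)
    return recs


def tamper_at_vault(records, position, new_data):
    """Replace a payload and recompute its CRC, as someone with write access
    to the vault (but without the client key) can trivially do."""
    recs = [dict(r) for r in records]
    recs[position]["data"] = new_data
    recs[position]["crc32"] = zlib.crc32(new_data) & 0xFFFFFFFF
    return recs


def swap_at_vault(records, i, j):
    """Exchange two whole records (payload, crc32 and tag travel together)."""
    recs = list(records)
    recs[i], recs[j] = recs[j], recs[i]
    return recs


def demo():
    sealed = seal_backup(SAMPLE_CHUNKS, CLIENT_KEY)
    clean = verify_backup(sealed, CLIENT_KEY)
    flipped = verify_backup(corrupt_in_transit(sealed, 1, 13), CLIENT_KEY)
    edited = verify_backup(
        tamper_at_vault(sealed, 2, b"patient_id=1003;dx=Z00.00;visit=2005-04-12"),
        CLIENT_KEY,
    )
    swapped = verify_backup(swap_at_vault(sealed, 0, 1), CLIENT_KEY)
    return clean, flipped, edited, swapped


if __name__ == "__main__":
    for name, result in zip(("clean", "bit flip", "vault edit", "vault swap"), demo()):
        print(f"{name:10s} {result}")
```

Run it directly to print the four outcomes: the bit flip fails both checks, while the vault-side edit and the chunk swap pass the CRC and fail only the HMAC. The point for the compliance mapping is that a checksum satisfies "what was sent is what was received" against accidents; the integrity safeguard the regulations ask for (protection against improper alteration) needs a keyed check or signature that the storage provider cannot recompute, with the key held by the client alongside the encryption key the page already says stays client-side.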
Safeguards Administrative, Technical and Physical
CAM Solution: Traditional tape-based solutions require significant personal discipline to ensure data is backed up and protected off-site on a regular basis. Because manual intervention is required, the administrative, technical and physical safeguards the GLB Act requires are hard to maintain. The automated CAM solution makes administration highly disciplined. Technical safeguards are numerous and include backup and off-site protection in the same step. Physical safeguards consist of secure carrier-class data centers, access controls and alternate power supplies.
Compliance Deadline
The Gramm Leach Bliley Act is already in force.