Blog Author Archives: IOD Incorporated

• Is HIPAA Enough? Part 7

  on December 13th, 2012   by Amy Derlink | No Comments

  2. Assuring that the content of the release matches the authorization and ‘minimum necessary’ standards. The request governs the released content. In an electronic world, the authorized items are directly tied to data and document indices in the electronic record … Continue reading →

• Is HIPAA Enough? Part 6

  on December 6th, 2012   by Amy Derlink | No Comments

  Here’s how we believe document releases should be performed: 1. Authorizing the release. An electronic authorization must: 1) Verify the identity of the patient authorizing the release. 2) Inform the patient of the purpose of the requested disclosure and the … Continue reading →

• Is HIPAA Enough? Part 5

  on November 30th, 2012   by Amy Derlink | No Comments

  Release documents, not data, to most non-provider requesters For security, the majority of request-based releases should be provided as documents, not discrete data. Few requesters are in the business of providing care where discrete data would be useful for trending … Continue reading →

• Is HIPAA Enough? Part 4

  on November 20th, 2012   by Amy Derlink | No Comments

  This same principle could be applied to EMRs in general. Access to patient data in the EMR, other than at the point of care, rarely needs to disclose the identity of the patient. This is important from a patient privacy … Continue reading →

• Is HIPAA Enough? Part 3

  on November 9th, 2012   by Amy Derlink | No Comments

  As we talk about ensuring the privacy of patient information provided in response to a request, an obvious and overlooked fact is that the requester already knows the identity of the patient. The patient’s identity does not need to be … Continue reading →

• Is HIPAA Enough? Part 2

  on November 2nd, 2012   by Amy Derlink | No Comments

  A simple definition of the nature of PHI itself would mitigate much of the current risk. Can PHI be owned or not?  If so, do patients “own” their PHI? Does the facility “own” the patients’ PHI? Currently, PHI has much … Continue reading →

• Is HIPAA Enough? Part 1

  on October 23rd, 2012   by Amy Derlink | No Comments

  Ideally, we could rely on privacy regulations for protection; but sadly, we cannot. HIPAA Privacy and Security Rules do not fully encompass all aspects of release. For example, according to a recent paper from the American National Standards Institute (ANSI): … Continue reading →

• What is the Direct Project?

  on October 12th, 2012   by Amy Derlink | No Comments

  The Direct Project was launched in early 2011 to establish a secure way to exchange clinical information over the Internet between healthcare providers, patients and other trusted participants of the program. The concept for Direct is fairly simple, it’s much … Continue reading →

• MU Stage 2

  on September 27th, 2012   by Amy Derlink | No Comments

  In August 2012, the U.S. Department of Health & Human Services (HHS) released the final rules on Stage 2 of the Meaningful Use program. This is important news for healthcare providers who must demonstrate Meaningful Use of certified electronic health … Continue reading →

• Does a provider have the right to request the status of submitted medical records?

  on September 7th, 2012   by Amy Derlink | No Comments

  CMS requires that RACs make information about the status of medical records (i.e., outstanding, received, review underway, review complete, case closed) available to providers upon request. CMS is requiring that all RACS, by January 1, 2010, develop a Web-based application … Continue reading →