The HIPAA final rule includes changes designed to increase patient privacy and secure health information. The final rule became effective March 26, 2013, and had a compliance date of Sept. 23, 2013. Here’s a look at what’s different and how to address the changes in your practice.
Broader Definition, More Liability for BAs
Expanded Definition of BAs: Business associates (BAs) are organizations that create, receive, transmit or maintain protected health information (PHI). More organizations are considered BAs under the final rule. In addition, business associates’ subcontractors are now also considered BAs, so they need to agree to the same terms you’ve established with the BA.
Greater BA Liability: Business associates are now directly liable for uses and disclosures of PHI and must inform physician practices within 60 days of discovering a breach. BAs are required to implement safeguards, policies and procedures to protect PHI; they must also maintain documentation demonstrating compliance.
Updates to the Notice of Privacy Practices
Action item: Update Notice of Privacy Practices. Physicians were required to update their Notice of Privacy Practices by Sept. 23, 2013. The revised notice must include the following:
Patients have the right to restrict disclosures of PHI to health plans if they pay for services out of pocket in full
The patient’s authorization is required for use and disclosure of PHI for marketing purposes
The patient’s authorization is required for use and disclosure of PHI that would constitute a sale of PHI
Patients have the right to opt out of fundraising communications
Other uses and disclosures of PHI not described in the notice will be made only with authorization from the patient
Patients have the right to be notified if they are affected by a breach of unsecured PHI
Action item: Distribute updated Notice of Privacy Practices. The revised privacy notice must be:
Posted in a prominent location in your practice like the patient waiting room
Posted on your website, if you have one
Given to new patients starting Sept. 23, 2013
Made available to existing patients on request
Patients May Request Records, Restrict PHI Disclosure
Patients may request EHR records: If you use electronic health records (EHRs) in your practice, patients must be able to obtain a copy of their medical records upon request. You can require that requests be made in writing, but fees cannot be greater than the practice’s labor costs in responding to the request. Requests must be completed within 30 days, with a one-time extension of up to 30 days.
Patients can restrict PHI disclosure. Patients have the right to restrict disclosures of PHI to their health plan if they pay out of pocket in full. Note that if state or other laws require providers to submit a claim and there’s no exception for those who pay out of pocket, you may disclose the PHI to the health plan.
Handling a Breach of Protected Health Information
Stricter standards: Under the HIPAA final rule, any impermissible disclosure of patient records is presumed to be a breach and must be reported unless the practice performs a risk assessment demonstrating a low probability that the PHI was compromised.
Risk assessment process: Breach notification isn’t required if the physician or BA can demonstrate through a risk assessment that there is a low probability the PHI has been compromised. If you determine the unauthorized disclosure wasn’t a breach, you should maintain documentation to support your stance. If you decide to notify patients about the disclosure, you’re not required to conduct the risk assessment.
Breach notification process: If a breach occurs, you must notify the Secretary of the Department of Health and Human Services (HHS) within 60 days of the end of the calendar year when the breach was found, if it affects fewer than 500 individuals. If the breach affects more than 500 patients, you must notify the HHS Secretary immediately.
Increased Penalties for Noncompliance
Penalties for HIPAA violations can be anywhere from $100 to $50,000 per violation; the annual limit is $1.5 million. Some health care experts believe the federal government is moving toward enforcing noncompliance more rigorously than in the past, so it’s more important than ever to take proactive steps to make sure your practice is complying with HIPAA requirements.