HIPAA Updates: Is your practice in compliance?

Part One: Patient Privacy, Training and IT Security 

This Quarterly Healthcare Advisory is a two-part update focused on HIPAA compliance.  With multiple recent changes, we wanted to bring the facts together in a cohesive way for your convenience. We encourage you to reach out to your Edelstein healthcare partner with any questions regarding this topic.  Stay tuned for the second part of this Advisory coming to you next week. Thank you.
As you know, the federal government has made sweeping changes to regulations under the Health Insurance Portability and Accountability Act (“HIPAA”), strengthening patient confidentiality and expanding who can be liable for privacy breaches. It is critical for medical practices to understand how they may need to update or alter their current practices to comply with the many, and often complex, regulatory requirements of HIPAA.
Officials are now enforcing new regulations, imposing fines as high as $1.5 million per violation. In April 2014, for example, regulators sent a strong signal that they will crack down on companies when Concentra Health Services, a subsidiary of Humana, was fined $1.7 million after discovering that one laptop stolen from its physical therapy office had unencrypted health information concerning 870 people. The recent cyber-attack of Anthem Inc., affecting 80 million of their customers, is another warning to the health care industry that patient privacy data is also vulnerable to hackers and creates enormous business and legal risks.
In this update, we provide a brief refresher of the changes in patient privacy, staff training, and IT security.
New Patient Privacy Requirements
The new regulations are designed to enhance patients’ privacy rights and set more limits on the release of medical records. 
  • What information can be sent to insurers?

    Medical practices can no longer simply send all medical information to insurers. For example, if patients pay for a medical visit out-of-pocket, they can forbid the provider from telling any insurers about the appointment. This can create logistical complications for medical practices, which will need to ensure that information is continually separated into what can and cannot be sent to insurers.

  • Reporting more privacy violations

    More privacy violations must now be reported to patients as well as the government.   If a medical practice improperly discloses any protected health information, it must now notify patients of a privacy breach – unless the practice can prove there is “a low probability” that the information was compromised.  This is a dramatic change from the previous rules, which declared that data breaches only had to be reported to patients if the information posed “a significant risk of financial, reputational, or other harm to the individual.” 

  • Avoid potential liability by encrypting data

    Medical practices can still avoid all these privacy breach issues if they simply encrypt all protected health information. No one can be fined if encrypted data is disclosed.  

  • Required revisions to privacy notices

    Medical practices need to revise their privacy notices, explaining the new rules. These new rule revisions should include, but are not limited to the following statements:

    • Patient authorizations are required when protected health information is used or disclosed for marketing or constitute a sale.

    • Psychotherapy notes typically require patient authorizations for most uses and disclosures.

    • Uses or disclosures of protected health information not identified in the practice's privacy notice would only be made with prior patient authorization.

    • Patients or individuals have the right to regulate disclosures of their protected health information when they choose to pay out-of-pocket in full for any healthcare related items or services.

    • In the event of any protected health information breaches, patients or affected individuals will be notified. [i]

      Medical practices no longer need to give all patients paper copies of these notices. Instead, you can provide e-mail copies or give patients the opportunity to review a laminated copy of the notice while at their appointment. However, if patients want to take home a paper copy, the practice must provide one. 

  • New time frame for sending requested medical records  

    New regulations also give patients the right to get their medical records relatively quickly. Medical practices now have a time limit -- 30 days -- to provide records, though they can get a one-time 30-day extension, if necessary. Medical practices should offer the records in electronic form. The law only allows paper copies of the documents to be printed if the patients and providers can’t agree on an electronic format.

Training Staff
Medical practices must make sure they educate staff members about HIPAA regulations annually and document the training sessions. Training sessions should cover practice privacy policies and procedures.  An effort should be made to train all new hires as soon as possible.
In addition, pursuant to the HIPAA Security Rule’s “contingency planning standard,” a medical practice must develop an emergency plan to address how employees are to respond to a loss of electronic information in the event of a disaster or emergency. Training should include what employees need to do if they are involved in an emergency situation and who they should contact to assess the seriousness of the situation.
Staff training is critical because under certain circumstances a practice could be held accountable for the HIPAA violation of a member of their “workforce.” Under HIPAA, “workforce” is defined as paid employees, trainees, supervisors and volunteers who are under direct control of the covered physician. 
IT Security
The Security Rule requires providers to maintain three types of safeguards in order to properly protect electronically saved health information.  The three types of safeguards include administrative, technical and physical aspects.  The main goals of these safeguards are to:
  • Secure the confidentiality, integrity, and availability of your practice's electronic protected health information

  • Recognize and protect against any reasonably anticipated electronic security threats

  • Ensure practice wide compliance and protect against reasonably anticipated unauthorized uses or disclosures [ii]

HIPAA Reviews Available
To ensure that your medical practice is in full compliance with all the requirements of HIPAA and the new regulations, please feel free to reach out to us for a more in-depth discussion. 
COMING NEXT: HIPAA UPDATES Part Two: Business Associate Rules

[i] See www.aaos.org/news/aaosnow/jul13/managing4.asp
[ii] See www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
© 2015 Edelstein & Company LLP. All Rights Reserved.
powered by emma
Subscribe to our email list.