New Patient Privacy Requirements
The new regulations are designed to enhance patients’ privacy rights and set more limits on the release of medical records.
What information can be sent to insurers?
Medical practices can no longer simply send all medical information to insurers. For example, if patients pay for a medical visit out-of-pocket, they can forbid the provider from telling any insurers about the appointment. This can create logistical complications for medical practices, which will need to ensure that information is continually separated into what can and cannot be sent to insurers.
Reporting more privacy violations
More privacy violations must now be reported to patients as well as the government. If a medical practice improperly discloses any protected health information, it must now notify patients of a privacy breach – unless the practice can prove there is “a low probability” that the information was compromised. This is a dramatic change from the previous rules, which declared that data breaches only had to be reported to patients if the information posed “a significant risk of financial, reputational, or other harm to the individual.”
Avoid potential liability by encrypting data
Medical practices can still avoid all these privacy breach issues if they simply encrypt all protected health information. No one can be fined if encrypted data is disclosed.
Required revisions to privacy notices
Medical practices need to revise their privacy notices to explain the new rules. The revised notices should include, but are not limited to, the following statements:
- Patient authorizations are required when protected health information is used or disclosed for marketing, or when the use or disclosure constitutes a sale of that information.
- Psychotherapy notes require patient authorization for most uses and disclosures.
- Uses or disclosures of protected health information not identified in the practice's privacy notice will be made only with prior patient authorization.
- Patients have the right to restrict disclosures of their protected health information when they pay out-of-pocket in full for any healthcare-related item or service.
- In the event of a breach of protected health information, affected patients will be notified. [i]
Medical practices no longer need to give every patient a paper copy of the notice. Instead, they can provide a copy by e-mail or give patients the opportunity to review a laminated copy of the notice at their appointment. However, if a patient asks to take home a paper copy, the practice must provide one.
New time frame for sending requested medical records
New regulations also give patients the right to get their medical records relatively quickly. Medical practices now have a time limit -- 30 days -- to provide records, though they can get a one-time 30-day extension, if necessary. Medical practices should offer the records in electronic form. The law only allows paper copies of the documents to be printed if the patients and providers can’t agree on an electronic format.
Training Staff
Medical practices must make sure they educate staff members about HIPAA regulations annually and document the training sessions. Training sessions should cover practice privacy policies and procedures. An effort should be made to train all new hires as soon as possible.
In addition, pursuant to the HIPAA Security Rule’s “contingency planning standard,” a medical practice must develop an emergency plan to address how employees are to respond to a loss of electronic information in the event of a disaster or emergency. Training should include what employees need to do if they are involved in an emergency situation and who they should contact to assess the seriousness of the situation.
Staff training is critical because, under certain circumstances, a practice can be held accountable for a HIPAA violation committed by a member of its “workforce.” Under HIPAA, “workforce” is defined as the paid employees, trainees, supervisors and volunteers who are under the direct control of the covered physician.
IT Security
The Security Rule requires providers to maintain three types of safeguards (administrative, physical and technical) in order to properly protect electronically stored health information. The main goals of these safeguards are to:
- Secure the confidentiality, integrity, and availability of the practice's electronic protected health information
- Identify and protect against any reasonably anticipated threats to the security of that information
- Ensure practice-wide compliance and protect against reasonably anticipated unauthorized uses or disclosures [ii]
HIPAA Reviews Available
To ensure that your medical practice is in full compliance with all the requirements of HIPAA and the new regulations, please feel free to reach out to us for a more in-depth discussion.
COMING NEXT: HIPAA UPDATES Part Two: Business Associate Rules
[i] See www.aaos.org/news/aaosnow/jul13/managing4.asp
[ii] See www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html