HIPAA Update: Important Information for September 2013 Compliance Deadline

Vital Signs: March 2013

In recent months there has been a lot of news focusing on fines levied for data breaches of private health information (PHI) resulting from a lack of compliance with HIPAA. Fines have been imposed on large academic medical centers and small physician practices across the country and here in Massachusetts. Recently, four pathology groups and a medical billing company agreed to $140,000 in fines for violations related to improper disposal of medical record information. Reviewing internal practice policies and HIPAA compliance is extremely important, especially in light of the Final Rule published January 25, 2013, by the U.S. Department of Health and Human Services, which outlined changes to HIPAA.

Many changes have taken place since HIPAA was first enacted. As such, the recent update addresses a number of regulations that have been introduced since 1996, including the Health Information Technology for Economic and Clinical Health Act (HITECH), final regulations for breach notification requirements, and privacy protections required under the Genetic Information Nondiscrimination Act. The latest update is meant to protect patient privacy in the digital age and is scheduled to take effect March 26 with the expectation that entities will be fully compliant by September 23, 2013.

Changes outlined in the final rule require the attention of practices in three key areas:

  • Review of vendor relationships to ensure HIPAA compliance. The Final Rule defines a business associate as anyone who "creates, receives, maintains, or transmits" PHI for a covered entity. Practices must be sure that vendors are actually practicing HIPAA compliance day to day, not merely attesting to it. Practices should also review and update existing business associate agreements to ensure compliance with the requirements of the Final Rule, and enter into business associate agreements with any vendors who fall under the new definition of a business associate.
  • Know what qualifies as a "breach." The definition of "breach" has been expanded and does not require there to be a significant risk of financial, reputational, or other harm to an individual. The definition now relates to the impermissible acquisition, access, use, or disclosure of the PHI itself. This means that PHI data without information that could directly identify a patient could still be considered a breach if it were not handled properly. The new definition allows for protection of the data itself.
  • Review and update "Notice of Privacy Practices." The new rule requires changes to the existing Notice of Privacy Practices provided to patients. These documents are now required to include:
    • A description of the types, uses, and disclosures of PHI that require patient authorization
    • The ability for a patient to opt out of having PHI disclosed for payment if the PHI relates to health care paid in full and out-of-pocket by the patient
    • Language that indicates the patient has the right to opt out of fundraising communications
    • Language that indicates the practice is required by law to notify individuals of a breach of PHI in the event a breach occurs

This summary of recent changes to HIPAA law is provided for educational purposes. If you have questions regarding how it applies to you, please contact the Physician Practice Resource Center at (781) 434-7702.

- Kerry-Ann Hayon
