Curious as to how the new rules included in the HIPAA Final Omnibus Ruling apply to you and your clinic? Here, we provide a breakdown of what's in store for your practice starting September 23, 2013.
The American Medical Association (AMA) published some great information to help physicians navigate this new ruling, which also applies to rehab therapists. According to the AMA, providers should focus most heavily on these three areas:
1. Privacy, Security, and Breach Notification Policies and Procedures
- You now must notify affected patients if there is a protected health information (PHI) breach unless—after completing a risk analysis—you determine that there is a “low probability of PHI compromise.”
- If a patient has paid out-of-pocket, you must honor that patient’s request not to disclose information to a health plan about his or her care, unless it is to further treatment or is required by law (which is rare).
- You may only tell a patient about a third-party product or service if that patient provides you with written authorization, unless—generally speaking—the communication:
- doesn’t result in you receiving compensation;
- takes place face-to-face;
- involves medication the patient is currently prescribed (from which you’re not making a profit);
- involves general health promotion (rather than the promotion of a specific product or service); or
- involves government-sponsored programs.
- You may not sell a patient’s PHI without express written authorization from the patient—this includes licenses, lease agreements, and the receipt of financial (or similar) benefits as well as research if there is any profit to be had. (This restriction does not apply to reasonable cost-based fees associated with permitted disclosures.)
- You may make relevant PHI disclosures to a deceased patient’s family and friends in the same way you would if the patient was alive: if the family member or friend was involved in providing care or payment for care and you do not know of any preference otherwise. Also, HIPAA protection ceases 50 years after a patient passes away.
- You must provide a patient with his or her PHI within 30 days of receiving a written request (preferably sooner) regardless of whether the information is in paper or electronic form. If for some reason you cannot reasonably comply, you may take one 30-day extension. However, you must respond to the patient with an explanation as to why it is taking you more than 30 days and when he or she can expect to receive the information. For electronic records, you must provide the information in the format that the patient requests it as long as the records are “readily reproducible” in that format. If they aren’t, you must provide the records in a mutually agreeable electronic format. Paper copies are only permissible if the requestor rejects all other “readily reproducible” electronic formats.
- You are allowed to charge an individual for copies, including labor and supply costs. However, you may not make a profit nor charge more than your state law allows.
- You may not send PHI in unencrypted emails unless you advise a patient of the risk and he or she still requests the information in that form.
2. Notice of Privacy Practices (NPP)
Be sure to amend your NPP to reflect these changes and make it available at your office to all new patients and any existing ones upon request. If you maintain a website, you should have this notice posted there as well.
3. Business Associate (BA) Agreements
This new ruling expanded the definition of a Business Associate to include Patient Safety Organizations and those involved with patient safety, health information organizations (like health information exchanges), and personal health record vendors. So, review your relationship with all of your vendors that create, receive, store, maintain, or transmit PHI on your behalf to determine if you need to enter into new BA Agreements before September 23, 2013. This new ruling also changes the nature of the BA Agreements so that now:
- You (as the provider) no longer need to report the failures of your BA to the government—when it’s not feasible to terminate the agreement—because the BA is liable for the violation.
- BAs are responsible for their subcontractors.
- BAs must comply with the Security and Breach Notification Rules.
- You (as the provider) are liable for the actions of your BAs who are agents, but not those who are independent contractors.
Also, as part of this final ruling, HHS passed the 2009 proposed increase in monetary penalties for civil (unintentional) breaches. This means that you could be looking a $50,000 penalty for each violation. See the table below that we modified from page 5583 of the Federal Register, and trust us: you don’t even want to know the penalties for criminal breaches.
TABLE 2—CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE
|Violation category--Section 1176(a)(1)||Each Violation||All such violations of an identical provision in a calendar year|
|(A) Did Not Know||$100–$50,000||$1,500,000|
|(B) Reasonable Cause||$1,000–$50,000||$1,500,000|
|(C)(i) Willful Neglect-Corrected||$10,000–$50,000||$1,500,000|
|(C)(ii) Willful Neglect-Not Corrected||$50,000||$1,500,000|
So to sum up: What does this new ruling mean for you? It means you better protect PHI—carefully. Not only is this extremely important to your patients’ well being—how would you like it if your personal health information was being broadcast at the water cooler or used to discriminate against you?—it’s also crucial to the financial stability of your practice.
How is your clinic preparing to be compliant with the new HIPAA ruling? Tell us in the comments below.
Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts; but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or health care attorney for compliance and legal advice as this article is meant for general educational purposes only. For more information on what to look for in a compliance expert, check out this post.