

Curious as to how the new rules included in the HIPAA Final Omnibus Ruling apply to you and your clinic? Here, we provide a breakdown of what's in store for your practice starting September 23, 2013.

The American Medical Association (AMA) published some great information to help physicians navigate this new ruling, which also applies to rehab therapists. According to the AMA, providers should focus most heavily on these three areas:

1. Privacy, Security, and Breach Notification Policies and Procedures

  • You now must notify affected patients if there is a protected health information (PHI) breach unless—after completing a risk analysis—you determine that there is a “low probability of PHI compromise.”
  • If a patient has paid out-of-pocket, you must honor that patient’s request not to disclose information to a health plan about his or her care, unless it is to further treatment or is required by law (which is rare).
  • You may only tell a patient about a third-party product or service if that patient provides you with written authorization, unless—generally speaking—the communication: 
    • doesn’t result in you receiving compensation;
    • takes place face-to-face;
    • involves medication the patient is currently prescribed (from which you’re not making a profit);
    • involves general health promotion (rather than the promotion of a specific product or service); or
    • involves government-sponsored programs.
  • You may not sell a patient’s PHI without express written authorization from the patient—this includes licenses, lease agreements, and the receipt of financial (or similar) benefits as well as research if there is any profit to be had. (This restriction does not apply to reasonable cost-based fees associated with permitted disclosures.)
  • You may make relevant PHI disclosures to a deceased patient’s family and friends in the same way you would if the patient were alive: if the family member or friend was involved in providing care or payment for care and you do not know of any preference otherwise. Also, HIPAA protection ceases 50 years after a patient passes away.
  • You must provide a patient with his or her PHI within 30 days of receiving a written request (preferably sooner) regardless of whether the information is in paper or electronic form. If for some reason you cannot reasonably comply, you may take one 30-day extension. However, you must respond to the patient with an explanation as to why it is taking you more than 30 days and when he or she can expect to receive the information. For electronic records, you must provide the information in the format that the patient requests it as long as the records are “readily reproducible” in that format. If they aren’t, you must provide the records in a mutually agreeable electronic format. Paper copies are only permissible if the requestor rejects all other “readily reproducible” electronic formats.
  • You are allowed to charge an individual for copies, including labor and supply costs. However, you may not make a profit nor charge more than your state law allows.
  • You may not send PHI in unencrypted emails unless you advise a patient of the risk and he or she still requests the information in that form.

2. Notice of Privacy Practices (NPP)

Be sure to amend your NPP to reflect these changes and make it available at your office to all new patients and any existing ones upon request. If you maintain a website, you should have this notice posted there as well.

3. Business Associate (BA) Agreements

This new ruling expanded the definition of a Business Associate to include Patient Safety Organizations and those involved with patient safety, health information organizations (like health information exchanges), and personal health record vendors. So, review your relationship with all of your vendors that create, receive, store, maintain, or transmit PHI on your behalf to determine if you need to enter into new BA Agreements before September 23, 2013. This new ruling also changes the nature of the BA Agreements so that now:

  • You (as the provider) no longer need to report the failures of your BA to the government—when it’s not feasible to terminate the agreement—because the BA is liable for the violation.
  • BAs are responsible for their subcontractors.
  • BAs must comply with the Security and Breach Notification Rules.
  • You (as the provider) are liable for the actions of your BAs who are agents, but not those who are independent contractors.

Also, as part of this final ruling, HHS passed the 2009 proposed increase in monetary penalties for civil (unintentional) breaches. This means that you could be looking at a $50,000 penalty for each violation. See the table below that we modified from page 5583 of the Federal Register, and trust us: you don’t even want to know the penalties for criminal breaches.

TABLE 2—CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

| Violation category--Section 1176(a)(1) | Each Violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100–$50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000–$50,000 | $1,500,000 |
| (C)(i) Willful Neglect-Corrected | $10,000–$50,000 | $1,500,000 |
| (C)(ii) Willful Neglect-Not Corrected | $50,000 | $1,500,000 |

So to sum up: What does this new ruling mean for you? It means you’d better protect PHI—carefully. Not only is this extremely important to your patients’ well-being—how would you like it if your personal health information was being broadcast at the water cooler or used to discriminate against you?—it’s also crucial to the financial stability of your practice.

 

How is your clinic preparing to be compliant with the new HIPAA ruling? Tell us in the comments below.

 

Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts; but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or health care attorney for compliance and legal advice as this article is meant for general educational purposes only. For more information on what to look for in a compliance expert, check out this post.
