Updated HIPAA regulations: What ODs need to know
March 6, 2013
The Health Insurance Portability and Accountability Act (HIPAA) patient privacy protection processes optometrists implemented years ago have now become routine for doctors, staff members, and patients. With the issuance of the new regulations, now is the time for optometrists to update their compliance procedures.
The U.S. Department of Health & Human Services (HHS) changed some of the requirements, and practitioners face bigger penalties for noncompliance. Here are some basic concepts that optometrists should understand as they begin to identify the changes that may need to be made in their practices.
Please note the AOA provides guidance on HIPAA by citing relevant provisions of the HIPAA regulations. This guidance should not be construed as legal advice. Practitioners are encouraged to contact an attorney for legal guidance. For additional information, see the “Updated HIPAA Regulations: What Optometrists Need to Know Now” frequently asked question document at www.excelod.com/HIPAA.
HIPAA: the federal health care privacy law
The HIPAA Privacy and Security Rules are federal law. The Privacy Rule gives individuals rights over their health information and sets rules and limits on who can look at and receive health information. The Security Rule delineates safeguards to protect health information in electronic form and helps to ensure that electronic protected health information is secure.
Who must comply?
Individuals, organizations, and agencies that meet the definition of a “covered entity” must comply with HIPAA. An optometrist is considered a “covered entity” if he/she transmits any information in an electronic form in connection with a transaction for which the HHS has adopted a standard. For example, submitting an electronic claim to Medicare or another payer is such a transaction. To determine if you are a covered entity, visit www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html.
Notice of Privacy Practices
Most covered entities (including optometrists) are required to have a Notice of Privacy Practices (NPP). An NPP describes the uses and disclosures of protected health information a covered entity is allowed to make. The NPP also includes the covered entity’s legal duties and privacy practices with respect to protected health information. A patient’s rights with regard to protected health information are also included in an NPP.
Business associate agreements
According to the HHS, “The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”
Breaches of protected health information
“Breach” is generally defined as the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of such information. Health care practitioners may be required to notify affected patients, the HHS, and even the media in the event of a breach of health information protected under the law. If the protected health information is secured by encryption, the security or privacy is generally not considered compromised and the incident is not considered a breach, so the risk assessment and subsequent reporting is not required.
Patient access to health records
Patients will be guaranteed additional access to their health records under the new regulations. The regulations will allow patients to request electronic copies of their patient health information. The new regulations specifically require health care providers to provide electronic information to a patient in the electronic format requested by the patient, if it is readily producible, or, if not, in a readable electronic format as agreed to by the health care provider and the patient.
Patient rights when paying out of pocket for services rendered
In a significant change from the previous HIPAA regulations, patients who pay out of pocket for treatment can prohibit their health care practitioners from disclosing their health information to a health plan. The regulations require that optometrists agree in most cases to a patient’s request to restrict disclosure to a health plan of the patient’s protected health information that pertains to a health care service for which the patient has paid the health care provider in full out of pocket.
The penalties for noncompliance range from $100 to $50,000 for each HIPAA violation. A maximum of $1.5 million will be assessed for violations of the same provision in one calendar year. The HHS will take into account a number of factors in determining the financial penalty, such as the extent of the violation and the harm it caused. If your state has additional privacy protections that are more stringent than the federal regulations, you are also required to comply with those state provisions.
Optometrists have until Sept. 23, 2013, to comply with the rule unless an exception applies.