Revised HIPAA privacy rule compliance deadline Sept. 23
August 30, 2013
In most cases, practitioners will not have to completely revamp all their established policies and procedures to protect patient information in their practices, said AOA General Counsel Michael Stokes, J.D. However, they should conduct a comprehensive review of their current privacy protection policies to ensure all provisions of the new rules are met.
A new edition of the AOA HIPAA Security Compliance Manual, developed to facilitate that process, is now available (see related article).
Specifically, the new rules:
- Require patients receive, on request, an electronic copy of the information contained in their electronic health record. (Until now, a paper copy would suffice.)
- Limit the use or disclosure of patient information for marketing and fundraising purposes.
- Prohibit the sale of individuals’ health information for marketing or other purposes without their specific permission, and
- Give patients who pay out-of-pocket for services the right to instruct their doctors to not share information about treatment with their insurance company.
For the first time, the privacy and security rules will apply not only to health care practitioners and their business associates but to any subcontractors who provide services to those business associates. Of particular importance are provisions extending the security breach notification requirement to business associates and subcontractors. HIPAA requires patient notification if health information is compromised.
“Some of the largest breaches reported to HHS have involved business associates,” the U.S. Department of Health & Human Services noted in announcing the new HIPAA rules.
Practitioners should ensure any business associates with access to protected health information, such as billing firms or claims clearinghouses, are aware of the new rules and are taking steps to adhere to them.
HIPAA requires health care practitioners to have formal agreements with business associates, confirming compliance with the federal privacy protection rules.
Updated HIPAA Business Associate Agreement forms, reflecting new changes in the privacy protection, are included in the new edition of the AOA HIPAA Security Compliance Manual available through the AOA Marketplace (www.aoa.org).
The revised HIPAA rules increase penalties for noncompliance, with the maximum penalty now $1.5 million per violation. Penalties will be assessed based on the level of negligence associated with a security breach.
Each health care practice will have to update its Notice of Privacy Practice (NPP) to indicate compliance with the new HIPAA provisions regarding patients’ rights following breaches of protected health information and information regarding a patient’s rights when paying for services out of pocket.
Practitioners will not have to distribute an updated notice to each existing patient. However, they will be required to provide one to every new patient or to any patient who asks for one.
Copies of the updated NPP must be available in the practice. Practices that post such documents on their websites should make a copy of the updated NPP available online.
Practitioners are required to properly instruct their staff on the updated privacy protection rules, through staff meetings, continuing education courses or other appropriate measures.
The updated HIPAA rules formally took effect March 26, 2013; however, covered entities and their business associates in most cases had 180 days (until Sept. 23) to bring their operations into compliance.
For additional information – including the HHS’ new HIPAA Regulations FAQs on updates – visit http://www.aoa.org/optometrists/tools-and-resources/hipaa-compliance (member login required).