September 23rd marked the compliance deadline for implementation of the new HIPAA regulations. Still, many healthcare providers and associated businesses are unaware of the new rules in effect. Part of the new Omnibus Rule increases enforcement and imposes large fines for infractions, ranging from $50,000 to $1.5 million for identical violations. As a result, it is crucial that all providers know the new Rules and ensure that their business partners do, too.
The Omnibus Final Rule comprises more than 500 pages of updates addressing HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and other modifications to improve the Rules. One of the key areas of change involves the liability of Vendors/Business Associates.
Vendors (Business Associates)
Vendors are now directly liable for compliance with certain HIPAA Privacy and Security Rules. This includes any business associate that provides services to HIPAA-covered plans such as third-party administrators, pharmacy benefit managers, security solution providers, etc.
As such, Business Associates are directly liable for:
- Impermissible uses and disclosures
- Failure to provide breach notification to the Covered Entity
- Failure to provide access to Electronic Protected Health Information to the Individual or the Covered Entity
- Failure to disclose Protected Health Information to the Secretary
- Failure to provide an accounting of disclosures
- Failure to comply with the requirements of the HIPAA Security Rule
A subcontractor who creates, receives, maintains, or transmits Protected Health Information on behalf of a Business Associate is itself a HIPAA Business Associate, and is therefore required to comply with the applicable rules. This includes:
- Having security practices in place that comply with the HIPAA Security Rule.
- Not disclosing Protected Health Information.
- Complying with the “Minimum Necessary” principle.
- Enacting Business Associate Agreements with sub-contractors that use Protected Health Information on their behalf.
Covered Entities are required to obtain satisfactory assurances from their Business Associates, and Business Associates are required to get the same from their sub-contractors.
(An exception applies to organizations that merely transmit Protected Health Information, but do not maintain or store it.)
Additional HIPAA Changes:
- Strengthened limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibited the sale of protected health information without individual authorization.
- Expanded individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Required modifications to, and redistribution of, a Covered Entity’s notice of privacy practices.
- Modified the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members and others.
- Increased the civil money penalty structure and made it tiered.
- Modified the HIPAA Privacy Rule to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
Updates You Should Have in Place
To meet the new Rules and be in compliance, all organizations and business associates should now have in place:
- Updated Security Policies and Procedures
- Updated Business Associate Agreements
- Updated Privacy Policies and Procedures
- Updated HIPAA Privacy Notices
- Updated Workforce Training on the new expectations. (The new definition of Workforce includes employees, volunteers, trainees, and other persons whose conduct is under the direct control of a Covered Entity or Business Associate.)
Changes to Notice of Privacy Practices
The Omnibus Rule requires that Notices of Privacy Practices (NPPs) include the following:
- A statement indicating that authorization is required for uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI. If the Covered Entity records or maintains psychotherapy notes, it must also include a statement indicating that authorization is required for most uses and disclosures of those notes.
- A statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual to whom the PHI relates.
- A statement regarding fundraising communications and an individual’s right to opt out of receiving such communications, if a Covered Entity intends to contact an individual to raise funds for the Covered Entity.
- A statement that individuals who pay out of pocket in full for a healthcare item or service have the right to restrict disclosures of PHI to their health plan.
- A statement that individuals will be notified following a breach of unsecured PHI.
Because these changes constitute “material changes” under the HIPAA regulations, the revised NPP must be provided to all new patients and made available to existing patients upon request, posted to the office website, and prominently posted in the offices.
Protect yourself by reviewing the new Rules, and ensuring that you, your Business Associates, and sub-contractors are in compliance.