Recently released changes to some Health Insurance Portability and Accountability Act (HIPAA) regulations affect how providers handle patients' protected information.
The final rule, released Jan. 25, has important operational consequences for "covered entities" and their business associates. The covered entities include any health plan, health care clearinghouse or health care provider that transmits any health information in electronic form. A business associate is a person or entity (such as accountants, lawyers and billing services) that performs certain administrative and operational functions for the provider that involve protected health information.
The rule has been expanded to include a business associate's subcontractor that also deals with protected health information, and may include patient safety organizations, e-prescribers and documentation storage entities.
The final rule, which took effect March 26, comprises four parts.
The new regulations on privacy, security and enforcement:
- Hold business associates of covered entities liable for compliance. Therefore, if you hire someone to transmit medical information, that person is now required to comply with HIPAA requirements.
- Strengthen limitations on use and disclosure of protected health information without authorization. Although some protected health information can be used for marketing and fundraising or sold to another company, this use is prohibited without individual authorization. For example, you cannot provide information about patients with dysphagia to a company selling a new thickening product without the patient's authorization. This restriction does not include communication such as refill reminders or Medicare/Medicaid eligibility.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosure of information about services for which the individual has paid out of pocket to health plans. If a patient pays privately for treatment, the patient can prevent you—with rare exceptions—from releasing that information to a health plan.
- Require providers to modify and redistribute their notice of privacy practice. This requirement can be phased in and isn't immediately necessary for patients who have already received privacy notices.
- Modify requirements to facilitate research, facilitate disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
- Adopt enhancements to the enforcement rule, including provisions on noncompliance with HIPAA rules due to willful neglect (the provider is cavalier about compliance). An electronic health record system running on a local server in an unlocked room or your employees posting their passwords on readily visible "sticky notes" could be considered willful neglect.
Changes to the enforcement rule incorporate new increased, tiered civil monetary penalties for noncompliance. Breaches cost businesses through penalties and loss of income. Some type of breach is common, and medical identity theft is becoming more common than credit card or bank identity theft. Using mobile devices increases the likelihood of a breach.
A third rule related to breach notification more objectively quantifies the "harm" caused by a breach and, in imposing penalties, considers the number of individuals involved, the nature and extent of resultant harm, and the provider's history and prior HIPAA compliance.
A fourth rule concerns genetic information, and prohibits health plans from using or disclosing genetic information for underwriting purposes.
Every provider should have procedures to protect the confidentiality and privacy of their patients' information. Even if you don't transmit health information electronically, most likely you will begin to do so soon. Learn the rules that apply to your practice now to make sure you comply when you make the transition. For example:
- If your privacy notice needs changing, start using a new notice with all new patients.
- Obtain appropriate authorization for providing information, even if that information is not yet electronic.
- If you transmit information electronically, consult your compliance officer, attorney, accountant, business manager or other expert to make sure you comply with the new regulations.
For more information, visit ASHA's recently updated HIPAA website.