Friday, March 12, 2010

HIPAA Compliance Changes. Is Your Practice Compliant?

The Health Information Technology for Economic and Clinical Health Act mandated three significant HIPAA guidelines that took effect in February 2010.

Section 13420d of the HITECH Act, effective 02/18/09, revised sections 1176 and 1177 of the Social Security Act by establishing four categories of violations, with provisions to substantially increase the enforcement of penalties for breach of private healthcare information. Please take note of the following requirements:

1. New requirements for "Business Associates" - Deadline: February 17, 2010
HIPAA rules were strengthened by extending the responsibility for protection of PHI to "Business Associates." Under the new law, "Business Associates" have the same responsibilities for any breach of private health care information as does the provider of the services. However, it is the medical practice's responsibility to create new "Business Associate Agreements," or amend the agreements currently in place, adding language that effectively communicates this added responsibility to any party or entity that might have access to private healthcare information of the practice's patients. Your agreements should outline these responsibilities, and the practice should make sure that all such associates have read, signed, and returned the agreements to meet the practice's record-keeping requirements. "Business Associates" would include Attorneys, Consultants, Accountants, Third-Party Billing Companies, Computer Vendors or maintenance companies, etc.

2. Disclosure Agreement Provision - Effective: February 18, 2010
A patient has the right to pay in full for out-of-pocket expenses for health care services and request that your practice not disclose his or her medical information to a health plan or other entity. Your practice must comply with this request. Make sure that all your employees are informed about this provision, and modify notification or follow-up procedures where applicable. This information will have to be shared with all employees in the medical practice who are involved in health information and insurance processing.

3. Information Breach Notification - Effective February 22, 2010
This new provision requires that HIPAA covered entities such as physicians, hospitals, and health plans notify patients (and that Business Associates notify the partnering entity) of any breach of health care information. If a breach involves 500 people or fewer, the responsible party must notify each affected individual by written notice. This notice must contain the details of the breach, the information disclosed, and the steps being taken by the practice or entity to avoid any future breaches, and must explain the rights of the patient(s) in protecting their private healthcare information. If the breach involves more than 500 persons, the Act requires that the Department of Health and Human Services be notified, as well as the local media outlets.

Additional information can be found at: http://waysandmeans.house.gov/media/pdf/111/hitech.pdf
