What must physician practices comply with before the deadline?
The HIPAA Omnibus Final Rule makes several modifications to the Privacy, Security and Enforcement Rules, which have protected the confidentiality and security of patients' health data across the United States since their enactment almost fifteen years ago. A number of changes and amendments have been made to the rules since then, and the modifications made earlier this year have been termed 'omnibus' because they combine all of those amendments and finalize the rule. The rule obligates physicians and healthcare providers to rigorously safeguard the privacy of their patients' health information, and it now extends this obligation to 'Business Associates' as well.
The United States Department of Health and Human Services (HHS) summarizes the roughly 500 pages of the Omnibus rule and highlights the modifications that physician practices are obligated to implement. The rule will:
- Make Business Associates of Covered Entities directly liable for compliance with certain HIPAA Privacy and Security Rules’ requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
Physician practices need to implement and comply with the HIPAA Omnibus Final Rule requirements before the September 23, 2013 deadline. According to the American Medical Association (AMA), there are three areas they need to focus on:
1. Privacy, Security, and Breach Notification policies and procedures
If there is a breach of Protected Health Information (PHI), physicians must first perform a risk analysis that establishes how sensitive the health data was and the extent of the damage incurred, from both a financial and a clinical perspective. They must then notify the affected patients that the security of their PHI has been compromised.
Moreover, physicians may not disclose to a patient's health plan, or to other third parties, details of services that the patient has paid for out of pocket.
Although physicians may give their patients gifts of nominal value, they may not promote a specific brand or product as if marketing it.
Physicians are not permitted to sell PHI to a third party for any type of financial gain without the patient's written authorization.
If a patient requests a copy of their health records, physicians must respond to the request within 30 days and must provide the records in a mutually agreeable format.
2. Notice of Privacy Practices (NPP)
Physicians are required to revise their Notice of Privacy Practices (NPP) and provide it to patients through their website or in print, incorporating the changes required by the Omnibus rule (breach notification, disclosures of PHI to health plans, etc.).
3. Business Associate (BA) Agreements
If physician practices use third-party services that handle PHI, such as health information exchange, data storage or e-Prescribing, those third parties are termed 'Business Associates' under the Omnibus rule. Physicians are responsible for the actions of their Business Associates and their Subcontractors, and must require them to meet the HIPAA security standards. Physicians should therefore review and renew their agreements with BAs in light of the HIPAA Omnibus Final Rule.