It’s Time Once Again For Your HIPAA Check-up

In the Press · February 12, 2013

If you haven’t had
your annual HIPAA check-up yet, now is a good time to schedule it.  On
January 17, 2013, the Department of Health and Human Services published a final
rule which strengthens the privacy and security protections afforded to
individuals’ protected health information. The rule modifies the breach
notification requirements that are applicable to health care providers and
business associates under the Health Insurance Portability and Accountability
Act (HIPAA), as amended by the Health Information Technology for Economic
Clinical Health Act (HITECH Act).  The final rule is effective on March
26, 2013.

  • The major changes
    affecting health care providers and business associates include the following:
  • A patient/resident who
    does not want his/her medical records disclosed to his/her health plan may opt
    to pay out of pocket for medical services.
  • If a patient requests
    a restriction on the disclosure of protected health information for payment
    purposes or health care operations, both the provider and the business
    associate are required to restrict the disclosure.
  • A patient/resident has
    the right to opt out of receiving fundraising communications.
  • A patient/resident may
    request a copy of his/her medical records in a preferred format.
  • There is a prohibition
    against selling a patient’s/resident’s health information without an
    authorization.
  • Business associates
    are required to report breaches of unsecured protected health information to
    health care providers.
  • Business associate
    provisions are applicable to subcontractors of business associates; both are
    directly liable for violations of HIPAA.
  • A health care provider
    or a business associate who is found to have engaged in multiple violations of
    HIPAA may be subject to a penalty of up to a $1.5 million cap per
    violation.  The total penalty amount could therefore exceed $1.5 million.

Because the changes in
the final rule are material, a number of HIPAA documents will need to be
reviewed and revised including:

  • Accounting of
    Disclosure Form and Policy on Accounting of Disclosures
  • Business Associate
    Agreement and Policy on Business Associates
  • Notice of Privacy
    Practices and Policy on Notice of Privacy Practices
  • Policy on Minimum
    Necessary Disclosures
  • Policy on Notification
    of Breaches
  • Request for
    Restrictions and Policy on Patient’s Right to Request Restrictions

If you have any questions
concerning HIPAA or would like assistance in updating your HIPAA policies and
procedures to reflect the changes imposed by the rule, please contact Rochelle H. Zapol, a partner in Prince Lobel’s Health Care Practice and the author of this
alert. You can reach Rochelle at 617 456 8036 or rzapol@princelobel.com