If you haven’t had your annual HIPAA check-up yet, now is a good time to schedule it. On January 17, 2013, the Department of Health and Human Services published a final rule which strengthens the privacy and security protections afforded to individuals’ protected health information. The rule modifies the breach notification requirements that are applicable to health care providers and business associates under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The final rule is effective on March

The major changes affecting health care providers and business associates include the following:
- A patient/resident who does not want his/her medical records disclosed to his/her health plan may opt to pay out of pocket for medical services.
- If a patient requests a restriction on the disclosure of protected health information for payment purposes or health care operations, both the provider and the business associate are required to restrict the disclosure.
- A patient/resident has the right to opt out of receiving fundraising communications.
- A patient/resident may request a copy of his/her medical records in a preferred format.
- There is a prohibition against selling a patient’s/resident’s health information without an
- Business associates are required to report breaches of unsecured protected health information to health care providers.
- Business associate provisions are applicable to subcontractors of business associates; both are directly liable for violations of HIPAA.
- A health care provider or a business associate who is found to have engaged in multiple violations of HIPAA may be subject to a penalty capped at $1.5 million per violation. The total penalty amount could therefore exceed $1.5 million.
Because the changes in the final rule are material, a number of HIPAA documents will need to be reviewed and revised, including:

- Accounting of Disclosure Form and Policy on Accounting of Disclosures
- Business Associate Agreement and Policy on Business Associates
- Notice of Privacy Practices and Policy on Notice of Privacy Practices
- Policy on Minimum
- Policy on Notification
- Request for Restrictions and Policy on Patient’s Right to Request Restrictions
If you have any questions concerning HIPAA or would like assistance in updating your HIPAA policies and procedures to reflect the changes imposed by the rule, please contact Rochelle H. Zapol, a partner in Prince Lobel’s Health Care Practice and the author of this alert. You can reach Rochelle at 617 456 8036 or firstname.lastname@example.org