In January 2013, the US Department of HHS (Health and Human Services) finally published the sweeping changes to be implemented under HIPAA (Health Insurance Portability and Accountability Act). These changes were proposed under HITECH (Health Information Technology for Economic and Clinical Health Act), which was a portion of the huge ARRA (American Recovery and Reinvestment Act) stimulus bill of 2009. The changes became effective on March 26, 2013.
Physicians will feel the greatest impact from the enforcement of these new privacy regulations. Any breach of confidential information will bring heavier legal scrutiny and significantly higher fines. The changes could have a significant impact on the way doctors run their practices.
More Privacy Control for the Patient
Every physician’s office will need to prominently display the newly revised privacy notices. Every patient will now be able to obtain electronic copies of all of their health records. Additionally, patients will be able to restrict health plans’ access to their confidential information whenever they pay for the services on their own. The most crucial change in the way physicians’ practices handle privacy issues will be the severe fines that follow security breaches.
The final omnibus rule greatly enhances the privacy protection of patient information by strengthening the existing regulations under HIPAA. Facing greater legal scrutiny from the US government, physicians and their practices need to implement these changes now.
Physicians should assume that any breach of the new patient privacy rules will produce the worst-case scenario for the practice. The new rule eliminates the traditional standard that required harm to the patient’s reputation, or a risk of financial damage, before an incident involving confidential patient records counted as a breach. The new regulations are the result of pressure from privacy advocates, who wanted the rules changed so that the physician’s practice is no longer responsible for determining harm to the patient.
The new regulation is much stricter than the old one. Any incident involving patient records is presumed to be a security breach. When an incident occurs, the physician’s practice must conduct its own risk assessment to determine the probability that the information was compromised. Any breach of patient information must be reported immediately.
Business Associate Changes
Since the inception of HIPAA, enforcement of security breaches has focused primarily on health care professionals, health plans and the entities that process patients’ insurance claims. However, recognizing that the largest number of security breaches actually involved the business associates of health professionals, doctors and health plans, the US Department of Health and Human Services extended the regulations to cover all of these entities, along with their subcontractors.
Under the new regulations, a healthcare business associate is defined as any firm that handles, manages or controls confidential patient data. This can include storage providers, a physician performance benchmarking firm, and even a shredding company. Now that contractors and subcontractors must follow the standards under the new HIPAA regulations, the physician’s office assumes the burden of even more legal responsibility.
Additionally, if a doctor simply throws away confidential patient files instead of paying a contractor to shred them, and that causes a breach, he or she is immediately subject to severe enforcement penalties. Some of these fines can exceed $1 million in particularly egregious cases. The federal government is no longer simply looking the other way, as it did in the past.
New Privacy Notices
All physician practices are required to completely revise their existing privacy notices. The new notices will detail the relationships the practice has with business associates and will explain the breach notification process. The revised notices must be placed in a conspicuous area, with copies provided to patients upon request.
Preparing for the Change
Medical practices were given until September 23, 2013 to become fully compliant with all the changes to the federal privacy rules. Preparing for the change includes:
- Fully assessing the security risks within the practice involved in capturing, storing, transmitting, and using electronic patient confidential health information.
- Creating effective procedures for breach notification and breach avoidance. The new procedures should cover the use of patient records outside the practice, such as during hospital rounds, and can include encrypting data both inside and outside the office.
- Revamping workflow within the office to meet the new requirements. If the practice already uses only an electronic patient health record system, the office will need to offer a hard copy if one is requested by the patient.
These new rules greatly enhance the privacy protection of all patients’ confidential information. They strengthen the US government’s capacity to enforce the laws and increase the fines for any breach.