Long-awaited HIPAA changes coming soon to a practice near you
Just when you thought you had a good handle on the patient security and privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), here comes some new ones.
The U.S. Department of Health and Human Services on Jan. 17 announced a final “omnibus” rule that it said would strengthen patient privacy protections, give patients greater control over their health records, and beef up the government’s ability to enforce the regulations.
The new rules go into effect March 26. Practices and others governed by HIPAA must comply with the regulations by Sept. 23.
While experts continue to parse through the new rules – the entry in the Federal Register is 563 pages long – here are some immediate takeaways for family medicine practices:
• Requirements of privacy and security will now extend to a practice’s business associates, such as contractors and sub-contractors, making them directly liable for violations. So practices that have business associates working on their behalf need to have contracts or other arrangements to ensure they’re following the Privacy Rule and Security Rule in regards to protected health information.
• Notification requirements have been strengthened to clarify when security breaches must be reported.
• Patients can now ask for a copy of their medical record in an electronic format. Practices should develop new policies and prepare their staff to accommodate patients requesting these electronic copies.
• If a patient pays in cash, they can request that their provider not share information about their treatment with their health insurer. Practices will need to prepare their registration and billing staff to handle patient requests for this.
• There are new rules limiting how a provider can use patient information for marketing and fundraising efforts. Practices that use patient information for these activities will need to make sure they’re compliant before proceeding.
• Patients will face a much more streamlined process for authorizing the use of their information for research purposes. This makes it easier for parents and guardians to give permission to share proof of a child’s immunization with schools.
For a refresher on HIPAA and how practices should comply with the law, here’s a collection of Family Practice Management articles on the subject: http://www.aafp.org/fpm/hipaa.
– Renae Moch, MBA, CMPE, practice management strategist for the AAFP, contributed to this story.