Three new HIPAA rules take effect this month
Over the next two weeks, three significant HIPAA changes mandated by the Health Information Technology for Economic and Clinical Health Act will take effect. Is your practice ready?
Beginning Feb. 17, your practice's "business associates" (i.e., any organization to which your practice submits electronic patient information) must comply with the HIPAA security rule, and your agreements with these entities must be amended to reflect their new obligations. Your agreements should outline the responsibilities of each party in the event of a breach, including how long the business associate has to report a breach to your practice once it has been discovered and who will cover the costs of notifying patients about a breach.
Beginning Feb. 18, if a patient is paying in full out of pocket for health care services, he or she may request that your practice not disclose his or her medical information to a health plan or other entity, including state pharmacy registries. You must comply with these requests.
Beginning Feb. 22, enforcement of the Breach Notification Rule goes into effect. The rule requires HIPAA-covered entities (e.g., physicians, hospitals and health plans) and their business associates to notify patients of breaches of their health information. For breaches involving 500 people or fewer, you must provide written notice to each affected individual, describing the nature of the breach, the type of patient information disclosed, steps they can take to protect themselves and steps your practice is taking to remedy the situation. If the breach affects more than 500 individuals, you must notify prominent media outlets in the area and must immediately report the incident to the Department of Health and Human Services.