The deadline for compliance with the HIPAA Final Rule, issued in January 2013, is rapidly approaching. By September 23, 2013, all Covered Entities (CE) and Business Associates (BA) will be expected to meet the new regulations.
What are some important requirements and updates in the HIPAA Final Rule that providers and Business Associates need to be aware of? These three should be on your short list …
- The Notice of Privacy Practices (NPP)
- BA requirements
- Patient requests for restrictions on use of PHI
HIPAA Final Rule Requirements: A Closer Look
1. The HIPAA Final Rule of 2013 requires updates to the Notice of Privacy Practices, some of which are included below.
An NPP should include a statement that the uses and disclosures listed below will only be made after the patient’s authorization:
- Uses and disclosures of psychotherapy notes (only applicable if CE maintains a record of psychotherapy notes),
- Uses and disclosures of Protected Health Information (PHI) for the purpose of marketing and fundraising,
- Uses and disclosures that involve the selling of PHI, and
- Other uses and disclosures that are not permitted for healthcare operations or for special circumstance, e.g., pursuant to subpoenas.
Under the HIPAA Final Rule of 2013, the patient has a right to opt out of fundraising related communications from the CE if the CE is involved in fundraising activities.
Patients have a right to restrict the CE from disclosing PHI to the payor if the patient has paid for that particular medical expense in full himself/herself.
It is important to note that under the HIPAA Final Rule of 2013, the CE will be responsible for making the NPP available to any patient requesting a copy, as well as making the NPP visible in a prominent location on site. An NPP must also be available on the CE’s website, if one exists. All new patients should be given an NPP that has been updated to reflect the HIPAA Final Rule of 2013 requirements.
2. Business Associates will now be required to do more than just sign a BA Agreement. They must also comply with the following:
- Business Associates will be liable for noncompliance in the same way as Covered Entities.
- In the event of a breach of confidential patient information, Business Associates must notify the CE.
- Business Associates are expected to have an appropriate HIPAA compliance program in place by September 23, 2013, which includes possession of written policies and procedures, privacy and security training for employees, and a formal HIPAA Security Rule Assessment (for BA’s with access to ePHI).
The definition of Business Associate has been broadened to include Subcontractors of the BA, which means they will be subject to the same requirements as Business Associates, including having a BA Subcontractor agreement on file. And you are a BA by definition of your role in creating, receiving, maintaining or transmitting PHI on behalf of a CE – even if you don’t sign a BA agreement!
3. The HIPAA Final Rule provides patients with the right to greater control over the use or disclosure of their PHI.
As noted above in the discussion about NPPs, patients may restrict the use of PHI for fundraising or marketing activities by a CE, and restrict disclosure of PHI to a health plan for services they pay for themselves.
In addition to controlling the transmission of information about such self-pay services via submitting claims, CEs may be called upon to avoid transmitting prescriptions electronically so the information about the prescription does not go to the health plan. And medical records – electronic or paper – must be flagged when such a restriction on use or disclosure is requested so a copy of the record is not disclosed inadvertently when the health plan requests copies of the medical record.
In summary, it is crucial for Covered Entities and Business Associates to:
- update the current Notice of Privacy Practices,
- revise the BA Agreement and have a BA Agreement on file with all sub-contractors,
- undergo a formal HIPAA Security Rule Assessment (if you are a Business Associate with access to ePHI), and
- be prepared to honor patient requests for restriction of certain disclosures of PHI.
Major changes are just around the corner
With the deadline just weeks away, it would be in all healthcare professionals’ benefit to take prompt action to ensure that they’re compliant with the HIPAA Final Rule requirements. No one wants to deal with hefty fines or criminal charges, and it’s still not too late to take all necessary steps to make sure of your readiness for September.