FROM: ACA News ~ November 2013 ~ FULL TEXT
By Julie Lenhardt, Sr. Director, Insurance Advocacy
Do you know why Sept. 23, 2013, was significant for covered entities?
It's because Sept. 23 was the deadline by which covered entities had to comply with the new provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that were added when the omnibus rule was finalized in January 2013. What do you need to do in order to be compliant? ACA will help you answer that question and will provide you with the resources you need to be compliant.
The following steps are recommended, at a minimum. These suggestions do not take into consideration state provisions that may be more stringent than the federal regulations. Certainly, guidance should always be sought from your attorney, and your malpractice carrier may also offer some assistance as well.
(Note: If you are not sure whether you are a covered entity, you may check the Centers for Medicare and Medicaid Services website.)
STEP 1: Update your clinic's Notice of Privacy Practices (NPP) -
The Omnibus Rule made several changes to how and when providers must get patient authorization to release Protected Health Information (PHI). The changes need to be reflected in a covered entity's NPP.
(Note: Existing patients do not need to be provided with a copy of the new NPP: only patients new to the practice must receive it. However, a copy of the updated NPP must be prominently displayed and must be provided to existing patients if they request it.)
After the NPP is updated, provide it to all new patients seen on or after Sept. 23, 2013, and post the new NPP prominently for all existing patients to read.
(See ACA sample at https://www.acatoday.org/HIPAA)
STEP 2: Update your clinic's Authorization Forms to Release PHI -
To reflect changes in disclosure requirements, including access to decedent information by family members and others, be sure to update the clinic's “Authorization Forms to Release PHI”. Samples of these forms can be found in ACA's “Clinical Documentation Manual”.
STEP 3: Update all Business Associate Agreements (BAA) -
The definition of a Business Associate was expanded to include subcontractors of vendors that either directly OR indirectly interface with your practice. Additionally, Business Associates now have direct liability to the federal government for their own violations, where before only the covered entity had direct liability.
(Note: Covered entities are STILL directly liable.)
Obtain newly signed BAAs from all vendors.
(See ACA sample at https://www.acatoday.org/HIPAA)
STEP 4: Update your clinic's HIPAA Policies and Procedures (Compliance Manual) -
To reflect the changes resulting from the omnibus rule, including the new definition of "breach," increased penalties for noncompliance, etc., you will need to update your existing HIPAA Compliance Manual and staff training materials. Helpful language can be found at:
www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html (for guidance on the Security Rule) and
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html (for guidance on the Privacy Rule), which can be printed, read and reviewed with clinic staff.
So what if you do not make all of these changes? What happens if you do not comply with all of the privacy and security rule safeguards, a breach occurs (whether due to human error or willful neglect) and PHI is compromised? The omnibus rule formally adopted the penalty structure laid out in the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), and implements tiered penalties up to a maximum of $1.5 million per calendar year. These tiered ranges correspond with four categories of violations of increasing culpability:
For violations in which a covered entity did not know (and, by exercising reasonable diligence, would not have known) that the covered entity violated a provision, a penalty of not less than $100 or more than $50,000 for each violation.
For a violation due to reasonable cause and not to willful neglect, a penalty of not less than $1,000 or more than $50,000 for each violation.
For a violation due to willful neglect that was timely corrected, a penalty of not less than $10,000 or more than $50,000 for each violation; the amount of the penalty will be determined by taking into account the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
For a violation due to willful neglect that was not timely corrected, a penalty of not less than $50,000 for each violation; the amount of the penalty will be determined by taking into account the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
The penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1.5 million in a calendar year. All of these changes were implemented to better protect patients and their health and personal information. Identity theft is on the rise, and the government is sensitive to this fact. Therefore, covered entities need to be vigilant in protecting the PHI with which their patients have entrusted them. Make sure that you have everything in place to protect your patients and to protect your practice. To stay abreast of new HIPAA resources, please visit our HIPAA webpage at: