Physicians will pay a hefty price if they don’t comply with sweeping changes to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act by Sept. 23, 2013.
Failure to comply with the rules that went into effect March 26 can lead to fines of up to $1.5 million per violation per year.
The U.S. Department of Health and Human Services released its omnibus rule in January strengthening the protection of health information established under HIPAA. The rule requires updating the Notice of Privacy Practices (NPP) and includes a new standard for breach notification.
Additionally, many HIPAA requirements have been expanded to business associates of healthcare providers, health plans and others that process health insurance claims.
Notice of Privacy Practices
The new rule requires that information be included in the notice regarding a patient’s right to restrict disclosure, the types of uses and disclosures requiring no authorization and a patient’s right to opt out of certain disclosures.
Specifically, the NPP must contain statements that cover the following:
- The uses and disclosures that require a patient’s authorization include:
- Most uses and disclosures of psychotherapy notes – if recorded and maintained by a covered entity
- Uses and disclosures of protected health information for marketing purposes, including subsidized treatment communications
- Disclosures that constitute a sale of protected health information
- Other uses and disclosures not described in the notice will be made only with authorization from the individual.
- The individual has a right to opt out of fundraising solicitations (if the covered entity intends to send fundraising communications to the individual).
- The covered entity is required to notify individuals of any breach of their personal health information.
- An individual’s right to review or obtain copies of their protected health information has been extended to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an electronic health record. It must be provided in the electronic form and format requested by the individual, limited only by whether the form or format requested is readily producible. The individual also may request that a copy of such information be transmitted in electronic format directly to the individual’s designee. A covered entity has 30 days to provide access (with a 30-day extension when necessary).
- Individuals have a new right to restrict certain disclosures of protected health information to a health plan when the individual, a family member or other person pays out of pocket in full for the healthcare item or service. (Only healthcare providers are required to include such a statement in the NPP.)
The new right to restrict disclosure as noted above is an exception to the general rule that a covered entity is not required to agree to a restriction. The provider must accommodate the request unless the disclosure is required by law, such as submitting protected health information to a federal health plan like Medicare. Physicians may continue to do so as necessary to comply with that legal mandate.
There is no requirement to alert downstream providers of the individual’s desire to request a restriction and pay out of pocket for a particular healthcare item or service. While patients have an obligation to request a restriction from a subsequent provider, they should be made aware of this need.
Physicians will be happy to learn that it isn’t necessary to print and hand out a revised NPP to all individuals seeking treatment – only to new patients. However, providers must post the revised notice in a clear and prominent location and have copies available for individuals to take with them. Alternatively, a summary can be posted, as long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up.
Covered entities also must ensure effective communication with individuals with disabilities. This can include making the revised NPP or notice of material changes to the NPP available in alternate formats, such as Braille, large print or audio.
Breach Notification Standard
The final rule lowers the standard for breach notification. All situations involving impermissible use or disclosure of protected health information necessitates breach notification unless the covered entity demonstrates a low probability through an objective risk assessment that the information has been compromised – or one of the other exceptions to the definition of breach applies.
It’s advisable for physicians to consult with legal counsel in updating their NPPs and HIPAA procedures.