The U.S. Department of Health and Human Services (HHS) Office for Civil Rights published the “HIPAA Omnibus Rule” on January 25, 2013 to reinforce the privacy and security requirements for Patient Health Information (PHI) established under the Health Insurance Portability and Accountability Act (HIPAA). The compliance date for this rule is September 23, 2013. It has a bearing on both covered entities (health care providers who transmit PHI in electronic format) and business associates (a person or company who handles PHI on behalf of the covered entity). So, what should a physician practice do to comply with the new HIPAA rule? Well, read on.
- The rule provides patients the right to obtain the electronic copy of their health records and to have the designated health record sent to a third party. A written authorization from the patient is required separately before selling PHI, receiving marketing communications and disclosing psychotherapy notes. Due to these reasons, physician practices should review their notice of privacy practices and update their policies and procedures to implement the new changes. They should train their workforce on the Omnibus final rule.
- The old law defined security breach as an event which would cause impermissible use or disclosure of PHI. But, the new law modifies the definition that even the risk of impermissible use or disclosure of PHI will be considered as security breach. That is, if you store patient records without password protection or encryption in a laptop and that laptop is lost or stolen, then it is considered as security breach even if the data is not accessed by anyone. The physician’s office must conduct a complete risk assessment to ensure that the PHI remains safe on the system, it is not transmitted unsafely (for example, an unsecured e-mail) and check if there are any other possible risks.
- Business associates and their subcontractors can be held liable for security breach with the new law. For example, if a physician’s office is outsourcing their billing to a medical billing company and somebody steals the PHI during the billing process, then the company is liable for security breach. At the same time, if the company has brought in a subcontractor for running network cable and electric lines, then the subcontractor is also liable for the breach. Hence, it is very important for physician practices to review all business associate agreements and check whether they need to be revised or modified.
- There will be more frequent HIPAA audits and the auditors will be given incentives for identifying security problems. Also, the fines with penalties are higher. All physicians’ offices should conduct at least a quarterly risk assessment to stay clear of security issues.
To put in a nutshell, it has become more challenging for physician practices to comply with the new HIPAA rule. If administrative tasks are outsourced, then they should rely upon a company that offers HIPAA compliant medical billing and coding services and has strict security measures in place. Such a company provides the service of employees who are well-trained in HIPAA rules, password protection and encryption for PHI during its storage and transmission and has other safeguard measures such as thorough checking of employees, and restrictions on bringing in electronic devices.