HIPAA laws/confusion CONDENSED IN A NUTSHELL for you!
1.5 million dollars. That is the maximum penalty a medical practitioner or business associate can incur if there is a breach of the privacy of a patient's health information. In a 563-page document, the U.S. Department of Health and Human Services (HHS) outlines the significant changes necessary to bring the Health Insurance Portability and Accountability Act of 1996 (HIPAA) into the digital age. It is concerning that HHS anticipates that, with the new notification requirements, it will receive notification of 19,000 breaches annually, affecting 6.71 million people. The Omnibus ruling goes into effect March 23, 2013, and practitioners will have 180 days to implement changes to comply.
The law
Besides the original HIPAA ruling of 1996, the new ruling includes the HITECH Act (Health Information Technology for Economic and Clinical Health Act) and GINA (section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008). The concern with this Omnibus ruling is that it has so many facets that it may be difficult for many practitioners to understand all that is required, and then difficult to implement all of the considerable changes. However, after initial implementation, the government hopes that it will actually be easier for practitioners to abide by this ruling than before. With a $1.5 million penalty, the ruling has also grown some considerable teeth to ensure better patient privacy protection; practitioners have no choice but to adapt.
The new requirements
- The new ruling increases data breach notification requirements. Now any incident involving patient records is presumed to be a breach, and, unless a practice conducts a risk assessment that demonstrates a low probability that any protected information was compromised, the breach must be reported to the government. (This is why HHS anticipates the increase in official reports of breaches.) Previous regulations required a practitioner to notify affected patients and the federal government only if the practitioner determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients.
- These laws now apply to business associates and subcontractors. However, this does not mean that a breach incurred by a subcontractor is the subcontractor's liability alone. The practitioner who hired the contractor also takes on legal responsibility. For example, if someone who was paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practitioner is also subject to enforcement for the violations caused by the contractor.
- Genetic information, previously neglected by HIPAA, is now protected. The ruling prohibits health plans from using or disclosing genetic information for underwriting purposes.
- The sale of patient health information for marketing and fundraising is now prohibited. The ruling also prohibits sharing information with health insurance companies if the patient paid for services with cash.
- The ruling streamlines the patient's ability to authorize the use of their health records for research purposes and the sharing of immunization records with schools.
- The ruling gives patients the right to access their health information, including obtaining records in electronic form.
- It mandates that practitioners revise their notices of privacy practices to explain relationships with business associates and the breach notification process. This policy must be posted in a prominent area of the medical facility and be made available for patients to review and keep a copy. Placing the policy on the practice's website is acceptable. It does not need to be reissued to current patients, but it must be given to all new patients.
- Most significantly, the new ruling strengthens the government's ability to enforce the law and sets higher penalties for data breaches. These penalties max out at $1.5 million per incident.
Steps for implementation
Implementing these requirements will take some effort, but, once they are in place, practitioners should be able to meet the new HIPAA regulations with ease. Here is a list of steps practitioners can take to ensure patient privacy is protected and the medical facility is in compliance.
- Encrypt all electronic data.
- Review and update notices and documents issued since 2003 to include electronic records.
- Train all employees on privacy and security.
- Develop appropriate procedures for the disposal of information.
- Designate a security official within the medical facility to monitor procedures.
- Implement appropriate contracts with subcontractors.
- Conduct a thorough security risk assessment of all activities related to capturing, using, storing or transmitting electronic patient health information.
- Develop notification procedures to follow if a breach of HIPAA is found.
- Examine and redesign workflow to handle the new requirements. For example, if a practice has an electronic health records system, patients can ask for copies of their medical records in electronic formats of their choosing. If the practice cannot readily produce a record that way, it must offer another electronic format, or a hard copy if that format is rejected.
- Terminate all access to information for former employees immediately upon termination or resignation.
Transcription Plus, LLC and HIPAA
In its research, HHS found that the largest breaches of privacy occurred with contractors and subcontractors. It is important that practitioners select their associates with care. They should be wary of any contractor who sends work to be done in offshore locations. They should be confident that the contractor uses the most rigorous technology to ensure privacy. Additionally, the contractor must continue to educate and train staff to maintain a meticulous standard of ethics and conduct.
Transcription Plus, LLC is pleased to announce that we do just that. We hand-pick our staff to ensure we can provide the utmost respect for our clients, and we continuously implement training and auditing to maintain privacy standards. We are proud that, unlike many other transcription companies, we have NEVER outsourced our work overseas for cheaper labor. Finally, our technology privacy measures are multi-faceted, including full transmission encryption of all data and an audit trail for every transaction.
Transcription Plus, LLC is ready to step into the next phase of health care with you. Please contact us to learn more about how we are making this change easier for you.