Health Law Blog

Healthcare practitioners need to be aware of revised, heightened patient privacy requirements.  On January 17, 2013, the U.S. Department of Health and Human Services ("HHS") released new rules expanding protections afforded by the Health Insurance Portability and Accountability Act (“HIPAA”).  The rules are expected to place greater burdens on healthcare practices and affiliated entities than ever before.   

The new rule’s focus is two-fold: more individual protections for patients, and higher privacy protection obligations on practices and affiliated entities, with tougher penalties resulting from privacy breaches. 

More Individual Protections for Patients

Under the new rules, patients will have the right to receive electronic copies of their health information.  Practitioners will need to have electronic versions of medical records readily accessible.  Patients will have the added benefit of their treatment being protected from disclosure to health plans where they pay in full for their treatment.  The new rule also prohibits or places significant restrictions on the use of patient data for marketing or fundraising purposes.

Heightened Privacy Protection Obligations and Penalties

Under the new privacy rules, practices now must assume the worst-case scenario in the event of a possible privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients.  The new rules eliminate that standard and replace it with a stricter one. Now any incident involving patient records is assumed to be a breach, and unless a practice conducts a risk assessment that proves a low probability that any protected information was compromised, the breach must be reported.  Such assessments should be conducted in cooperation with knowledgeable counsel specializing in HIPAA-related issues. 

Practices are also going to be responsible for any breaches that occur as a result of actions or inactions of the practices’ business associates.  HIPAA typically has focused on health care professionals, health plans and other entities that process health insurance claims. But because some of the largest security breaches have involved business associates of plans, doctors and other professionals, HHS said it was extending many of the law’s requirements to these entities, as well as their subcontractors.

For healthcare practices, a business associate may be any firm that handles patient data, such as a storage provider or a shredding company. With contractors becoming as fully liable as everyone else affected by HIPAA, healthcare practices will be subject to penalties for actions of their business associates. For example, if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice also is subject to enforcement violations caused by that business associate.

Potential penalties associated with these violations range from fines up to $1.5 million to criminal penalties in particularly egregious cases.  The government is expected to take a much more aggressive stance in investigating and enforcing potential privacy violations.

HOW TO PREPARE FOR NEW HIPAA REQUIREMENTS

Healthcare practices must urgently and aggressively tackle the new challenges presented by the changed privacy rules.  With the new rules becoming effective as of March 26, 2013, and compliance expected by September 23, 2013, healthcare practices must act fast. 

First, healthcare providers must review and revise all existing business arrangements and agreements with third parties to make sure that the contractors are compliant with the new privacy regulations.  The contactors’ privacy policies need to be carefully examined, and practices need to assure themselves that these policies are in fact followed. 

Healthcare practices will need to revise their notices of privacy practices to explain their relationships with business associates and their new status under the final rule. They also will need to explain the breach notification process. These notices must be displayed in prominent places in providers’ offices and on practices’ websites.

All healthcare providers are advised that pursuant to Section 6503 of the Federal Patient Protection Affordability Care Act (“PPACA”), all providers using third party billing companies or agencies to submit claims to Medicaid on their behalf are responsible for ensuring that those companies are properly registered and compliant with the NYS Medicaid Program as per the regulations promulgated by the Office of Medicaid Inspector General ("OMIG"). Since February 2011, OMIG has made a list of the currently enrolled billing service agencies available for general public on its website. 

To comply with the law, medical billing service companies must be registered with Medicaid and disclose their fee schedules arrangements. Despite popular belief and common practice, NYS law prohibits fee-splitting between medical practitioners and third parties. Therefore, billing/collection service agreements based on a percentage of the amount billed, collected, or any formula based on actual collections are improper. The only permitted billing collection service payment arrangement is one based on the cost and processing of the bills.

It should be noted that, as Medicaid registrants billing&collection companies are increasingly targeted for audits by the OMIG. This means that healthcare providers and billers should follow the OIG Compliance Program guidance for Third Party Medical Billing companies to make sure they do not violate any federal or state laws.

If you have any questions or need legal guidance in connection with billing service agreements or any other legal questions, please feel free to contact an experienced healthcare attorney by phone at 718-787-9500 or email at This email address is being protected from spambots. You need JavaScript enabled to view it. .

 

We would like to emphasize to all healthcare providers who have been affected by Hurricane Sandy that you must notify all your patients and customers whose protected personal health information may have been compromised.  This is particularly relevant if your practice or pharmacy was looted, if you have discovered that files, records, prescriptions, or electronic data have been stolen or compromised, or if your practice or store was left unattended or accessible due to damage or destruction.

While not every situation may require patient notification, it is important to conduct meaningful risk assessment to determine whether the reportable situation exists.  

If you believe that your data or records may have been compromised in any way, we encourage you to contact us to discuss your specific situation.  We will guide you on your HIPAA obligations.

You can reach us at:

718-787-9500
This email address is being protected from spambots. You need JavaScript enabled to view it.  

Dear Friends:

We would like to take an opportunity to update you on some of the recent developments with respect to post-hurricane assistance.  

1.  Governor Cuomo and State Health Department Request Federal Waiver to Help Expedite Care and Relief to New Yorkers Affected by Hurricane Sandy

Dear Medical and Pharmacy Practitioners:

As you begin to assess your post-storm situation at your business, we want to let you know that we stand by and are ready to help in any way that we can so you can resume normal operations as quickly as possible.  We are offering all pharmacy owners and health care practitioners who have been affected by the hurricane free consultation on how to properly document and deal with data losses, damage to and theft of controlled substances, loss of scripts and patient files,  as well as all other issues that you might be facing right now during this difficult time.

The team at Medical and Pharmacy Attorneys