The new rule’s focus is two-fold: more individual protections for patients, and higher privacy protection obligations on practices and affiliated entities, with tougher penalties resulting from privacy breaches.
More Individual Protections for Patients
Under the new rules, patients will have the right to receive electronic copies of their health information. Practitioners will need to have electronic versions of medical records readily accessible. Patients will have the added benefit of their treatment being protected from disclosure to health plans where they pay in full for their treatment. The new rule also prohibits or places significant restrictions on the use of patient data for marketing or fundraising purposes.
Heightened Privacy Protection Obligations and Penalties
Under the new privacy rules, practices now must assume the worst-case scenario in the event of a possible privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients. The new rules eliminate that standard and replace it with a stricter one. Now any incident involving patient records is assumed to be a breach, and unless a practice conducts a risk assessment that proves a low probability that any protected information was compromised, the breach must be reported. Such assessments should be conducted in cooperation with knowledgeable counsel specializing in HIPAA-related issues.
Practices are also going to be responsible for any breaches that occur as a result of actions or inactions of the practices’ business associates. HIPAA typically has focused on health care professionals, health plans and other entities that process health insurance claims. But because some of the largest security breaches have involved business associates of plans, doctors and other professionals, HHS said it was extending many of the law’s requirements to these entities, as well as their subcontractors.
For healthcare practices, a business associate may be any firm that handles patient data, such as a storage provider or a shredding company. With contractors becoming as fully liable as everyone else affected by HIPAA, healthcare practices will be subject to penalties for the actions of their business associates. For example, if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice is also subject to enforcement action for the violation caused by that business associate.
Potential penalties associated with these violations range from fines up to $1.5 million to criminal penalties in particularly egregious cases. The government is expected to take a much more aggressive stance in investigating and enforcing potential privacy violations.
HOW TO PREPARE FOR NEW HIPAA REQUIREMENTS
Healthcare practices must urgently and aggressively tackle the new challenges presented by the changed privacy rules. With the new rules becoming effective as of March 26, 2013, and compliance expected by September 23, 2013, healthcare practices must act fast.
First, healthcare providers must review and revise all existing business arrangements and agreements with third parties to make sure that the contractors are compliant with the new privacy regulations. The contractors’ privacy policies need to be carefully examined, and practices need to assure themselves that these policies are in fact followed.
Healthcare practices will need to revise their notices of privacy practices to explain their relationships with business associates and their new status under the final rule. They also will need to explain the breach notification process. These notices must be displayed in prominent places in providers’ offices and on practices’ websites.
- Conduct a thorough security risk assessment on all activities related to capturing, using, storing or transmitting electronic patient health information.
- Develop comprehensive breach avoidance and notification procedures and policies. Emphasis should be put on data encryption and stricter password protections.
- Examine and redesign workflow to handle the new requirements. For example, if a practice has an electronic health records system, patients can ask for copies of their medical records in electronic formats of their choosing. If the practice cannot readily produce a record that way, it must offer another electronic format or a hard copy if that format is rejected.
- Develop new privacy notices and patient intake procedures to comply with the rules.
- Discuss with your attorneys the protocol to follow once a suspected breach has occurred. In such cases, a comprehensive risk assessment must be conducted in the most expeditious fashion.