Warren Averett’s Healthcare Division conducts medical practice roundtables in many areas throughout Alabama and the Florida panhandle. In almost every roundtable over the last year, HIPAA was a hot topic among our participants. An outside company conducted HIPAA audits during 2011 – 2012 and reported consistent areas of non‐compliance. Almost every report issued by the Office of Inspector General (OIG) cited a major security deficiency. Many of you may have already updated your HIPAA program from the original version written in the late 1990s, but once again there are new rules. Get ready for more updates to your plan.

What’s new

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release announcing a final rule that strengthens the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The changes in the final rule give the public increased protection of, and control over, their protected health information (PHI).

The HIPAA Privacy and Security Rules previously applied directly only to covered entities: healthcare providers, health plans and the clearinghouses that process health insurance claims. The new rule extends many of those requirements directly to the business associates of these entities, meaning any contractor or subcontractor that receives, maintains or has access to protected health information on their behalf.

The new HIPAA rule is effective March 26, 2013, and covered entities and business associates have 180 days (until September 23, 2013) to comply with the applicable requirements. The rule:

  • Enhances HIPAA enforcement.
  • Clarifies when data breaches must be reported to the HHS Office for Civil Rights (OCR).
  • Extends many HIPAA requirements to “business associates” that receive PHI.
  • Expands individuals’ rights to receive their medical records in electronic format and to restrict disclosures to their health plan of treatment they have paid for in full out of pocket.
  • Streamlines an individual’s ability to authorize the use of their health information for research purposes.
  • Clarifies that the definition of “health information” includes genetic information.
  • Modifies the rules that apply to marketing and fundraising communications and to the sale of PHI.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

Penalties for non‐compliance have increased and are now tiered by the level of culpability (from unknowing violations up to willful neglect), with a maximum of $1.5 million per calendar year for all violations of an identical provision.

What you need to do

Is your practice HIPAA‐ready? The following are a few steps toward ensuring compliance:

  • Conduct, and document, an internal HIPAA risk assessment.
  • Provide HIPAA training to your workforce and keep records of who was trained and when.
  • Review your existing business associate agreements and execute updated agreements that reflect the new rule.
  • Identify all patient protected health information, determine whether any of it is stored on smartphones, tablets, laptops or other portable devices and medical equipment, and check whether that data is encrypted; under the new rule, the loss of an unencrypted device holding PHI is presumed to be a reportable breach.
  • Update your policy manual with HIPAA policies and procedures that address the new rule and the technologies your practice now uses.

Do you need help?

Warren Averett’s healthcare consultants are ready to assist you with these and other changes in healthcare to help ensure your practice is compliant.