Health and Human Services

15 Jul 2013

Elements of the Notice of Privacy Practices

Content of the Notice.

One important requirement under the final HIPAA Omnibus Rule is that covered entities must update their notice of privacy practices. Below are the elements that are required to be a part of the updated Notice of Privacy Practices.

Covered entities are required to provide a notice of privacy practices in plain language that describes:

1. How the covered entity may use and disclose protected health information about an individual.

2. The individual’s rights with respect to the information and how the individual may exercise these
rights, including how the individual may complain to the covered entity.

3. The covered entity’s legal duties with respect to the information, including a statement that the
covered entity is required by law to maintain the privacy of protected health information.

4. Whom individuals can contact for further information about the covered entity’s privacy policies.

5. The notice must include an effective date.

6. The HITECH Act also states that if a medical practice shares information electronically with another
covered entity, that information must be listed in the Notice of Privacy Practices. Example of a
connection that must be disclosed: a physician office is electronically connected to transmit and/or
receive lab reports from an outside vendor through the practice’s EMR.

Required Additions by the HITECH Omnibus Rule: All covered entities must include the following in their
notice of privacy practices:

7. A statement that the following uses and disclosures will be made only with authorization from the
individual:
- uses and disclosures for marketing purposes;
- uses and disclosures that constitute the sale of PHI;
- most uses and disclosures of psychotherapy notes (if the covered entity maintains psychotherapy
notes); and
- other uses and disclosures not described in the notice.

8. A statement regarding an individual’s right to notice in the event of a breach.

9. Notice of the right to opt out of fundraising communications (if the covered entity conducts
fundraising).

10. Health care providers must include in their notice of privacy practices a statement about an
individual’s right to restrict disclosures of protected health information to health plans if an individual
has paid for services out of pocket in full.

11. Health plans (except for long-term care plans) must include in their notice of privacy practices a
statement that the health plan is prohibited from using or disclosing genetic information for
underwriting purposes.

Notes: A covered entity is required to promptly revise and distribute its notice whenever it makes
material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health
plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with
individuals. All patients must sign that they have received the updated Notice. The HITECH Omnibus Rule is a
material change to the Notice and therefore requires re-signing of the Receipt of NPP by all of your
patients.

You must include your Notice of Privacy Practices on your web site (if you have one) and post or place a
copy in your waiting area.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

11 Jul 2013

September 23, 2013, the compliance date of the Final Omnibus Rule, is an important date for medical practices, as this is the day when the government will start enforcing the Omnibus Rule changes made to the Health Insurance Portability and Accountability Act (HIPAA). The changes that were made as part of the Omnibus Rule relate to how medical practices are securing Protected Health Information (PHI), whether medical practices have updated their Business Associate (BA) agreements, and what medical practices need to communicate to their patients in terms of their privacy rights.

The new changes under the Final Omnibus Rule were put in effect in March of 2013. However, covered entities were given 6 months (until September 23, 2013) to review their HIPAA plans and comply. The Department of Health and Human Services (HHS) updated the HIPAA regulations under the Final Omnibus Rule as a way to account for the wider use of electronic health records by medical providers.

In order to comply with the new regulations, medical practices are required to:

1. Perform a risk analysis to identify vulnerabilities affecting PHI. Medical practices are expected to document that they have completed a risk analysis. Practices that complete a risk analysis will have a risk management report that lists the vulnerabilities of their electronic PHI.

2. Encrypt devices that store PHI so that this information can’t be used in case the devices are lost or stolen.

3. Develop and review the policies and procedures that the medical practice will need to follow in the case that PHI is breached (lost, stolen or inappropriately disclosed).

4. Review the BA agreements with their current vendors. Updated BA agreements are required for all vendors that have access to PHI. Medical practices need to ensure that their BAs have put in place all the required safeguards to secure PHI.

A breach of PHI brings hefty fines to medical practices that are found in willful neglect. The fines range from $100 to $50,000 per violation. The fines can go higher depending on the size of the medical practice and the type of breach.


For more information on the updates made under the Omnibus Rule, visit: HHS

This post used as a reference an article published by Medical Economics, “A quick guide to HIPAA compliance for Physicians,” published on July 10, 2013.

10 Jul 2013

According to the Department of Health and Human Services (HHS), “a major goal of the HIPAA Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing”.

The Privacy Rule prohibits a medical practice from using or disclosing “protected health information” (PHI) unless the use or disclosure is required or permitted. For purposes of determining compliance with the Privacy Rule, the only two required disclosures of PHI are disclosures to the patient and disclosures to the Department of HHS, or one of its agencies.

The principal permitted uses and disclosures include treatment, payment and health care operations (TPO), and uses and disclosures pursuant to a HIPAA-compliant patient authorization. TPO encompasses: the use and disclosure of PHI for the treatment of patients, including disclosing PHI to other health care providers for their treatment purposes; uses and disclosures necessary to obtain payment for services provided to patients; and uses and disclosures necessary for the operations of the practice, including quality management, peer review, compliance, business management and obtaining legal advice.

The final category of permitted uses and disclosures is uses and disclosures pursuant to a HIPAA-compliant authorization. The authorization must be specific as to the identity of the person receiving the information, state the reason for the disclosure, and specify the date on which the authorization will terminate. The form must also notify the patient of their right to revoke the authorization.

With several exceptions, uses and disclosures of PHI are subject to the “minimum necessary rule,” which limits the use, disclosure or receipt of PHI to the amount of information that is reasonably necessary to accomplish the purpose of the use, disclosure or receipt. The most notable exceptions to the minimum necessary rule permit complete use and disclosure of PHI for treatment purposes, and permit full disclosure of PHI at the request of the patient or his/her representative.

For more information on the HIPAA Privacy Rule, visit the HHS site at HIPAA Privacy Rule.