HIPAA Rules

23 Jul 2013

HIPAA Omnibus Rules and Business Associates

Covered entities (health care providers, health plans and health care clearinghouses) have until Sept. 23, 2013 to implement the policies and procedures required by the Omnibus Rule. These policies and procedures are needed to comply with the changes the rule made to the Health Insurance Portability and Accountability Act (HIPAA) regulations.

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published the final Omnibus Rule in January 2013 and will begin enforcing it on Sept. 23, 2013. HHS has made clear that civil penalties range from $100 to $50,000 per violation, with an annual cap of $1,500,000 for all violations of an identical provision, depending on the level of culpability of the covered entity.

One of the most important changes in the final Omnibus Rule concerns covered entities' relationships with their business associates. Business associates are the vendors that create, receive, maintain or transmit a covered entity's Protected Health Information (PHI) on its behalf; under the Omnibus Rule, a subcontractor of a business associate that handles PHI is a business associate too. With the new rules, business associates are directly responsible for securing PHI, just as covered entities are: they must comply with the HIPAA Security Rule and with the Privacy Rule provisions that apply to them, and they face the same penalties covered entities face.

Even though a covered entity's business associates are required to be HIPAA compliant, when a breach occurs on the business associate's side the business associate must report it to the covered entity, and the covered entity remains responsible for notifying the affected patients and reporting the breach to HHS.

Covered entities must review all their business associate contracts to make sure they are updated to meet the Omnibus requirements. Business associates such as health information technology companies and consultants have often used business associate agreements that do not make them responsible for the loss of patient data. Under the final Omnibus Rule, business associates must sign agreements that reflect its requirements. Medical practices must make sure that all their business associate agreements are updated and signed. (An agreement that was in place before Jan. 25, 2013 and complied with the earlier rules may continue to be used until Sept. 22, 2014, provided it is not renewed or modified between March 26, 2013 and Sept. 23, 2013.)

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of those services we provide updated business associate agreements. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

18 Jul 2013

HIPAA Patient Rights

One important aspect of HIPAA is that it gives patients rights. Covered entities are responsible for honoring the rights of their patients.

HIPAA gives patients a number of rights with respect to their Protected Health Information (PHI). For example, patients have the right to request additional restrictions on the use and disclosure of their PHI. These requests should be reviewed by the HIPAA Compliance Officer, who is generally not required to agree to them; the one exception, added by the Omnibus Rule, is a request to restrict disclosures to a health plan about an item or service the patient has paid for in full out of pocket, which must be honored. Similarly, patients have the right to request amendments to their records, but a medical practice may deny the request if the record is accurate and complete, or if the information the patient seeks to amend was not created by the practice, such as a record received from another provider (unless the originator is no longer available to act on the request).

Under HIPAA, patients have the right to obtain from the covered entity an accounting of its disclosures of their PHI made in the six years before the request. The accounting does not have to include disclosures made for treatment, payment or health care operations, disclosures to the patient, or incidental disclosures that occur in the course of a permitted or required disclosure. HITECH directed HHS to extend the accounting to treatment, payment and operations disclosures made through an electronic health record, but that change was only proposed in 2011 and was not part of the final Omnibus Rule, so the existing exclusions still apply.

Patients also have a right, with some exceptions, to inspect and copy their records. Exceptions include psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a legal proceeding. Some denials of access (for example, a denial because access is believed likely to endanger the patient or another person) entitle the patient to have the denial reviewed by a licensed health care professional who did not take part in the original decision. Medical practices may charge a "reasonable, cost-based fee" for copying and providing the records, and a patient who asks for an electronic copy of records kept electronically is entitled to one.

Finally, patients have a right to receive the HIPAA Notice of Privacy Practices.

Failure to abide by the HIPAA patient rights provisions can lead to the patient filing a complaint with the HHS Office for Civil Rights (OCR). A complaint to OCR can result in the practice being investigated and fined, particularly where willful neglect is found.


15 Jul 2013

Elements of the Notice of Privacy Practices

Content of the Notice

One important requirement under the final HIPAA Omnibus Rule is that covered entities must update their notice of privacy practices. Below are the elements that are required to be a part of the updated Notice of Privacy Practices.

Covered entities are required to provide a notice of privacy practices in plain language that describes:

1. How the covered entity may use and disclose protected health information about an individual.

2. The individual's rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.

3. The covered entity's legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.

4. Whom individuals can contact for further information about the covered entity's privacy policies.

5. The notice must include an effective date.

6. The HITECH Act also states that if a medical practice shares information electronically with another covered entity, that exchange must be described in the Notice of Privacy Practices. Example of an exchange that must be disclosed: a physician office is electronically connected to transmit and/or receive lab reports from an outside vendor through the practice's EMR.

Required Additions by the HITECH Omnibus Rule: All covered entities must include the following in their notice of privacy practices:

7. A statement that the following uses and disclosures will be made only with authorization from the individual:
- uses and disclosures for marketing purposes;
- uses and disclosures that constitute the sale of PHI;
- most uses and disclosures of psychotherapy notes (if the covered entity maintains psychotherapy notes); and
- other uses and disclosures not described in the notice.

8. A statement regarding an individual's right to notice in the event of a breach of unsecured PHI.

9. Notice of the right to opt out of fundraising communications (if the covered entity conducts fundraising).

10. Health care providers must include in their notice of privacy practices a statement about an individual's right to restrict disclosures of protected health information to a health plan if the individual has paid for the item or service out of pocket in full.

11. Health plans (except for long-term care plans) must include in their notice of privacy practices a statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.

Notes: A covered entity is required to promptly revise its notice whenever it makes material changes to any of its privacy practices, and the Omnibus changes are a material change. See 45 CFR 164.520(b)(3); 164.520(c)(1)(i)(C) for health plans; and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals. Distribution of the revised notice differs by type of entity. A health plan must give the revised notice to the individuals it covers within 60 days of a material revision (or, if it posts its notice on its web site, post the revision by its effective date and include it in the next annual mailing). A health care provider must make the revised notice available on request on or after its effective date, post it, and give it to new patients at the first service delivery, making a good-faith effort to obtain a written acknowledgment of receipt from them. HHS has stated that providers are not required to obtain a new acknowledgment from existing patients when the notice is revised, so there is no need to have every patient re-sign the Receipt of NPP.

You must post the Notice of Privacy Practices prominently on your web site (if you have one that describes your services) and post it in a clear and prominent place in your waiting area, with copies available for patients to take.


12 Jul 2013

Omnibus Rules Patient Rights

The final HIPAA Omnibus Rule, enforced from Sept. 23, 2013, includes requirements that medical practices need to put in effect in order to safeguard Protected Health Information (PHI). Among them are new regulations relating to patient rights that practices need to abide by.

In order to comply with the Omnibus patient rights provisions, the new regulations require covered entities to:

1. Allow patients to forbid disclosure to their health plan of information about a test or treatment the patient has paid for out of pocket in full. This requires practices to be able to flag and segregate the information a patient does not want disclosed so that it is not accidentally sent to the insurer with a claim, including a later claim for related services.

2. Permit patients to request their health information in electronic form when the practice keeps it electronically. The new regulations require practices to comply with the request within 30 days, with one 30-day extension permitted.

3. Update their notice of privacy practices to include all of the patients' rights, post the updated notice in the office and on their web site, make it available on request, and give it to new patients at their first visit.

Medical practices that do not comply with the new regulations can be found to be in willful neglect if they are reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).


More information on the updates made under the omnibus rule visit: HHS

This post used as reference an article published by Medical Economics – A quick guide to HIPAA compliance for Physicians published on July 10, 2013.

11 Jul 2013

The Final Omnibus Rule Sept 23, 2013

Sept. 23, 2013 is an important date for medical practices, as this is the day when the government will start enforcing the Omnibus Rule changes made to the Health Insurance Portability and Accountability Act (HIPAA). The changes made as part of the Omnibus Rule relate to how medical practices secure Protected Health Information (PHI), whether medical practices have updated their Business Associate (BA) agreements, and what medical practices need to communicate to their patients about their privacy rights.

The changes under the final Omnibus Rule took effect on March 26, 2013. However, covered entities were given 180 days, until Sept. 23, 2013, to review their HIPAA plans and comply. The Department of Health and Human Services (HHS) updated the HIPAA regulations under the final Omnibus Rule to implement the HITECH Act and to account for the wider use of electronic health records by medical providers.

In order to comply with the new regulations, medical practices are required to:

1. Perform a risk analysis to find the risks and vulnerabilities to their electronic PHI. The Security Rule has required this since 2005; the Omnibus Rule did not change it, but OCR expects to see it. Medical practices are expected to document that they have completed a risk analysis; the result is a risk management report listing the vulnerabilities of their electronic PHI and the measures chosen to address them.

2. Encrypt devices that store PHI so that the information cannot be used if a device is lost or stolen. Encryption is an "addressable" Security Rule safeguard rather than a strict mandate, but it matters for breach notification: PHI encrypted according to HHS guidance is not "unsecured PHI", so losing an encrypted laptop is not a reportable breach (provided the key was not lost with it), while losing an unencrypted one is.

3. Develop and review the policies and procedures the practice will follow if PHI is breached (lost, stolen or inappropriately disclosed). Under the Omnibus Rule, an impermissible use or disclosure is presumed to be a breach unless the practice documents, through a risk assessment, that there is a low probability the PHI was compromised.

4. Review the BA agreements with their current vendors. Updated BA agreements are required for all vendors that have access to PHI. Medical practices need to ensure that their BAs have put in place all the required safeguards to secure PHI.

A breach of PHI can bring hefty fines to medical practices that are found in willful neglect. Civil penalties range from $100 to $50,000 per violation, depending on the level of culpability; violations due to willful neglect start at $10,000 per violation, or $50,000 if not corrected within 30 days, and the annual cap for violations of an identical provision is $1.5 million.


More information on the updates made under the omnibus rule visit: HHS

This post used as reference an article published by Medical Economics – A quick guide to HIPAA compliance for Physicians published on July 10, 2013.

10 Jul 2013

According to the Department of Health and Human Services (HHS), "a major goal of the HIPAA Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing".

The Privacy Rule prohibits a medical practice from using or disclosing "protected health information" (PHI) unless the use or disclosure is required or permitted by the Rule. Only two disclosures are required: disclosures to the patient (or the patient's personal representative) and disclosures to HHS when it is investigating or determining the practice's compliance.

The principal permitted uses and disclosures are those for treatment, payment and health care operations (TPO), and those made pursuant to a HIPAA-compliant patient authorization. TPO covers using and disclosing PHI to treat patients, including disclosing it to other health care providers for their treatment of the patient; uses and disclosures needed to obtain payment for services provided; and uses and disclosures needed to run the practice, including quality management, peer review, compliance, business management and obtaining legal advice.

The final category of permitted uses and disclosures is those made pursuant to a HIPAA-compliant authorization. The authorization must describe the information to be disclosed, identify who may make the disclosure and who may receive it, state the purpose of the disclosure, and specify the date or event on which the authorization expires. The form must also tell the patient of the right to revoke the authorization in writing, and the patient must sign and date it.

With several exceptions, uses and disclosures of PHI are subject to the "minimum necessary" standard, which limits the use, disclosure or request of PHI to the amount reasonably necessary to accomplish the purpose. The most notable exceptions are disclosures to, or requests by, a health care provider for treatment, disclosures to the patient or his or her representative, and uses and disclosures made under a patient authorization, all of which may involve the complete record.
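The minimum necessary standard above and the Omnibus out-of-pocket restriction described in the 12 Jul 2013 post are easiest to get right when the software that assembles a disclosure enforces them, rather than leaving them to whoever prepares the claim. The Python below is an added example, not code from Vitruvian MedPro or from any EHR or billing product; the record schema, the purposes and recipients, the per-purpose field allow-lists and the sample encounters are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, asdict
from enum import Enum
from typing import List

class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    INDIVIDUAL = "disclosure to the patient"
    PUBLIC_HEALTH = "public health reporting"

class Recipient(Enum):
    PROVIDER = "provider"
    HEALTH_PLAN = "health plan"
    PUBLIC_HEALTH_AUTHORITY = "public health authority"

@dataclass
class Encounter:
    """One visit in the practice's designated record set (constructed schema)."""
    encounter_id: str
    patient_id: str
    date: str
    diagnosis_codes: List[str]
    procedure_codes: List[str]
    clinical_notes: str
    charges_cents: int
    # True when the patient paid in full out of pocket and asked that this
    # item not be disclosed to the health plan (45 CFR 164.522(a)(1)(vi)).
    restrict_from_plan: bool = False

# Minimum-necessary allow-lists per purpose. Treatment and disclosures to the
# patient are exempt from the standard, so they are absent and get the whole
# record. The field choices are assumptions made for this example.
MIN_NECESSARY_FIELDS = {
    Purpose.PAYMENT: ("encounter_id", "patient_id", "date",
                      "diagnosis_codes", "procedure_codes", "charges_cents"),
    Purpose.OPERATIONS: ("encounter_id", "date", "diagnosis_codes",
                         "procedure_codes"),
    Purpose.PUBLIC_HEALTH: ("patient_id", "date", "diagnosis_codes"),
}

# Disclosures for these purposes are excluded from the accounting of
# disclosures a patient may request; everything else must be logged.
ACCOUNTING_EXEMPT = {Purpose.TREATMENT, Purpose.PAYMENT,
                     Purpose.OPERATIONS, Purpose.INDIVIDUAL}

def needs_accounting(purpose):
    return purpose not in ACCOUNTING_EXEMPT

def build_disclosure(encounters, purpose, recipient, disclosed_on,
                     required_by_law=False):
    """Return (released_records, withheld_ids, accounting_entry).

    Restricted items never reach a health plan unless the disclosure is
    required by law; every released record is trimmed to the minimum
    necessary for the purpose; the entry is None for exempt purposes.
    """
    released, released_ids, withheld = [], [], []
    for enc in encounters:
        if (recipient is Recipient.HEALTH_PLAN and enc.restrict_from_plan
                and not required_by_law):
            withheld.append(enc.encounter_id)
            continue
        record = asdict(enc)
        allowed = MIN_NECESSARY_FIELDS.get(purpose)
        if allowed is not None:
            record = {k: v for k, v in record.items() if k in allowed}
        released.append(record)
        released_ids.append(enc.encounter_id)
    entry = None
    if needs_accounting(purpose):
        entry = {"date": disclosed_on, "recipient": recipient.value,
                 "purpose": purpose.value, "encounter_ids": released_ids}
    return released, withheld, entry

def sample_encounters():
    """Constructed sample data for one patient; not real records."""
    return [
        Encounter("E1", "P-100", "2013-07-01", ["J06.9"], ["99213"],
                  "Upper respiratory infection, supportive care.", 12000),
        Encounter("E2", "P-100", "2013-07-15", ["F41.1"], ["90834"],
                  "Anxiety; psychotherapy session, self-pay.", 15000,
                  restrict_from_plan=True),
    ]

if __name__ == "__main__":
    encs = sample_encounters()
    claim, withheld, _ = build_disclosure(
        encs, Purpose.PAYMENT, Recipient.HEALTH_PLAN, "2013-07-20")
    print("claim to plan:", [r["encounter_id"] for r in claim],
          "withheld:", withheld)
    # The restriction is per recipient, not per record: the same visit can
    # still be shared in full with a treating provider.
    referral, _, _ = build_disclosure(
        encs, Purpose.TREATMENT, Recipient.PROVIDER, "2013-07-20")
    print("referral to provider:", [r["encounter_id"] for r in referral])
```

The restriction flag lives on the record and is checked against the recipient, so a restricted visit remains available in full for a referral to another provider but is dropped from any claim sent to the plan. In a real system the flag also has to reach the billing service acting as business associate and be considered for later claims that would reveal the restricted service; that propagation is the step most likely to be missed.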

For more information on the HIPAA Privacy Rule visit the HHS site at HIPAA Privacy Rule


27 Jun 2013

Covered entities are the health care providers, health plans and health care clearinghouses that must comply with the HIPAA Rules. Health plans and clearinghouses are covered entities by definition; a health care provider is a covered entity if it transmits health information electronically in connection with a transaction for which HHS has adopted a standard (such as claims or eligibility checks). The HIPAA Privacy Rule applies to covered entities and, since the Omnibus Rule, directly to their business associates as well. HHS states that organizations, agencies and individuals that are covered entities must comply with all of the rules and requirements to protect the privacy and security of health information, and must give the individuals they serve certain rights with respect to that information.

Health care providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies are covered entities. Health plans such as health insurance companies, HMOs, company health plans, and government programs that pay for health care (i.e. Medicare, Medicaid, and the military and veterans health programs) are covered entities. Health care clearinghouses, which process nonstandard health information received from another entity into a standard format (or vice versa), are covered entities.

Under HIPAA, covered entities must comply with the Privacy Rule, the Security Rule, the Breach Notification Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule, and the Enforcement Rule.

Vitruvian MedPro’s HIPAA compliance kit helps covered entities with the most updated HIPAA compliance plan that covers all the requirements that have been put in place in the final Omnibus Rule.

For more information on covered entities visit the HHS site at Covered Entities
