
23 Jul 2013

HIPAA Omnibus Rules and Business Associates

Covered entities (healthcare providers) have until Sept. 23, 2013 to implement all the policies and procedures under the Omnibus rules. These policies and procedures are required in order to comply with all the changes that have been made to the Health Insurance Portability and Accountability Act (HIPAA).

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) released the final omnibus rules in January 2013 and will start enforcing them on Sept. 23, 2013. HHS has made it clear that penalties can range from $100 to $1,500,000, depending on the type of violation the covered entity has committed.

One of the most important changes in the final omnibus rule concerns covered entities' relations with their business associates. Business associates are those vendors that have access to a covered entity’s Protected Health Information (PHI). Under the new rules, business associates are responsible for securing PHI just as covered entities are. In other words, business associates need to be HIPAA compliant and can face the same kind of penalties covered entities face. With the Omnibus Rules, any vendor that has access to PHI needs to comply with all the HIPAA regulations.

Even though a covered entity’s business associates are required to be HIPAA compliant, if a breach occurs on the part of a business associate, the covered entity remains responsible for sending notifications to its patients and for reporting the breach to HHS.

Covered entities must review all their business associate contracts to make sure they are updated to meet all the omnibus requirements. Business associates such as health information technology companies and consultants have put in place business associate agreements that do not make them responsible for the loss of patient data. With the final omnibus rules, business associates need to sign agreements that abide by the final omnibus rules. Medical practices must make sure that all their business associate agreements are updated and signed.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we provide updated business associate agreements. We also help medical practices. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

15 Jul 2013

Elements of the Notice of Privacy Practices

Content of the Notice.

One important requirement under the final HIPAA Omnibus Rule is that covered entities must update their Notice of Privacy Practices. Below are the elements that are required to be part of the updated Notice of Privacy Practices.

Covered entities are required to provide a notice of privacy practices in plain language that describes:

1. How the covered entity may use and disclose protected health information about an individual.

2. The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.

3. The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.

4. Whom individuals can contact for further information about the covered entity’s privacy policies.

5. The notice must include an effective date.

6. The HITECH Act also states that if a medical practice shares information electronically with another covered entity, that information must be listed in the Notice of Privacy Practices. An example that must be disclosed: a physician office is electronically connected to transmit and/or receive lab reports from an outside vendor through the practice’s EMR.

Required Additions by the HITECH Omnibus Rule: All covered entities must include the following in their notice of privacy practices:

7. A statement that the following uses and disclosures will be made only with authorization from the individual:
• uses and disclosures for marketing purposes;
• uses and disclosures that constitute the sale of PHI;
• most uses and disclosures of psychotherapy notes (if the covered entity maintains psychotherapy notes); and
• other uses and disclosures not described in the notice.

8. A statement regarding an individual’s right to notice in the event of a breach.

9. Notice of the right to opt out of fundraising communications (if the covered entity conducts fundraising).

10. Health care providers must include in their notice of privacy practices a statement about an individual’s right to restrict disclosures of protected health information to health plans if the individual has paid for services out of pocket in full.

11. Health plans (except for long-term care plans) must include in their notice of privacy practices a statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.

Notes: A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals. All patients must sign that they have received the updated Notice. The HITECH Omnibus Rule is a material change to the Notice and therefore requires the re-signing of the Receipt of NPP by all of your patients.

You must include your Notice of Privacy Practices on your web site (if you have one) and post or place a copy in your waiting area.


12 Jul 2013

Omnibus Rules Patient Rights

The final HIPAA omnibus rule, which will start being enforced on Sept. 23, 2013, has requirements that medical practices need to put into effect in order to safeguard Protected Health Information (PHI). The final omnibus rule includes new regulations on patient rights that practices need to abide by.

In order to comply with the omnibus rule’s patient-rights provisions, the new regulations require covered entities to:

1. Allow patients to forbid disclosure of information about a test or treatment for which the patient has paid out of pocket. This requires practices to be able to identify and separate information a patient does not want disclosed so that it is not accidentally sent to an insurance provider.

2. Permit patients to request their health information in electronic form. The new regulations require that practices comply with the request within 30 days with one 30-day extension permitted.

3. Update their notice of privacy practices to include all patients’ rights, and send the updated notice to all patients. Medical practices are also required to post the updated notice of privacy practices in the office and on their web sites.

Medical practices that do not comply with the new regulations can be found to be in willful neglect if they are reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).


For more information on the updates made under the omnibus rule, visit: HHS

This post used as a reference an article published by Medical Economics, “A quick guide to HIPAA compliance for Physicians,” published on July 10, 2013.