23 Jul 2013

HIPAA Omnibus Rules and Business Associates

Covered entities (healthcare providers) have until Sept. 23, 2013 to implement all the policies and procedures under the Omnibus rules. These policies and procedures are required in order to comply with all the changes that have been made to the Health Insurance Portability and Accountability Act (HIPAA).

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) released the final omnibus rules in January 2013 and will start enforcing them on Sept. 23, 2013. HHS has made it clear that penalties can range from $100 to $1,500,000, depending on the type of violation the covered entity has committed.

One of the most important changes in the final omnibus rule concerns covered entities’ relations with their business associates. Business associates are those vendors that have access to a covered entity’s Protected Health Information (PHI). Under the new rules, business associates are responsible for securing PHI just as covered entities are. In other words, business associates need to be HIPAA compliant and can face the same kind of penalties covered entities face. With the Omnibus Rules, every vendor that has access to PHI needs to comply with all the HIPAA regulations.

Even though a covered entity’s business associates are required to be HIPAA compliant, in the case of a breach on the part of the business associate, the covered entity is responsible for sending notifications to its patients and for reporting the breach to HHS.

Covered entities must review all their business associate contracts to make sure they are updated to meet all the omnibus requirements. Business associates such as health information technology companies and consultants have often put in place business associate agreements that do not make them responsible for the loss of patient data. Under the final omnibus rules, business associates need to sign agreements that abide by those rules. Medical practices must make sure that all their business associate agreements are updated and signed.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we provide updated business associate agreements. We also help medical practices. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

15 Jul 2013

Elements of the Notice of Privacy Practices

Content of the Notice.

One important requirement under the final HIPAA Omnibus Rule is that covered entities must update their notice of privacy practices. Below are the elements that are required to be a part of the updated Notice of Privacy Practices.

Covered entities are required to provide a notice of privacy practices in plain language that describes:

1. How the covered entity may use and disclose protected health information about an individual.

2. The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.

3. The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.

4. Whom individuals can contact for further information about the covered entity’s privacy policies.

5. The notice must include an effective date.

6. The HITECH Act also states that if a medical practice shares information electronically with another covered entity, that information must be listed in the Notice of Privacy Practices. Example of what must be disclosed: a physician office is electronically connected to transmit and/or receive lab reports from an outside vendor through the practice’s EMR.

Required Additions by the HITECH Omnibus Rule: All covered entities must include the following in their notice of privacy practices:

7. A statement that the following uses and disclosures will be made only with authorization from the individual:
- uses and disclosures for marketing purposes;
- uses and disclosures that constitute the sale of PHI;
- most uses and disclosures of psychotherapy notes (if the covered entity maintains psychotherapy notes); and
- other uses and disclosures not described in the notice.

8. A statement regarding an individual’s right to notice in the event of a breach

9. Notice of the right to opt out of fundraising communications (if the covered entity conducts fundraising).

10. Health care providers must include in their notice of privacy practices a statement about an individual’s right to restrict disclosures of protected health information to health plans if the individual has paid for services out of pocket in full.

11. Health plans (except for long-term care plans) must include in their notice of privacy practices a statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.

Notes: A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals. All patients must sign that they have received the updated Notice. The HITECH Omnibus Rule is a material change to the Notice and therefore requires re-signing of the receipt of the NPP by all of your patients.

You must include your Notice of Privacy Practices on your web site (if you have one) and post or place a copy in your waiting area.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

01 Jul 2013

12 Common HIPAA Violations

1. Lack of yearly training of all employees.

2. Lack of an enforced Sanctions Policy.

3. Your Notice of Privacy Practices does not contain all of the required disclosures.

4. You do not have a procedure, documentation or process for a patient filing a privacy complaint with the office.

5. Staff did not apply “Minimum Necessary” standards.

6. Practice does not follow the uses and disclosures as listed in your Notice of Privacy Practices.

7. Practice has not been updated to meet HITECH Act requirements.

8. Not all staff members are assigned a unique identifier for system access, and the HIPAA Compliance Officer does not review audit logs or network access reports.

9. Practice does not have in place policies and procedures to ensure an accurate and complete Accounting of Disclosures and a sample of your report to patients.

10. There is no documented Confidential Communications process in place.

11. The office does not have a documented list of all users (employees) with their job description and level of access.

12. HIPAA-required documentation is not kept for a period of 6 years. (Not to be confused with medical records retention.)

Be assured the Office of Civil Rights and State Attorneys General take each and every violation of HIPAA very seriously. Every complaint to HHS is required under federal law to be investigated, so any complaint by your patient will get your practice’s HIPAA compliance reviewed. If you are found to be in “Willful Neglect” you will have to pay hefty fines that start at $50,000 and can go as high as $250,000. What you may consider a small violation can cost you big both in money and in time. Investigations commonly take as long as 2 years to resolve.

Schedule a “Quick Compliance Review” and in 15 minutes or less we can assess your compliance status. If you know you are not in compliance, we can outline your plan to get compliant. 15 minutes with us, or 2 years with an Office of Civil Rights attorney/investigator.

Visit our HIPAA Compliance page for more information at http://www.vitruvianmedpro.com/services/hipaa-compliance-kit/