URGENT: Amended HIPAA Requirements
Thursday, September 19, 2013
Posted by: Tara Breitsprecher
The Department of Health and Human Services (HHS) released the Health Insurance Portability and Accountability Act (HIPAA) Final Rule on Jan. 25, 2013. The Rule went into effect March 26, 2013, and covered entities (CEs) and business associates must comply with the requirements of the Final Rule by September 23, 2013. The Final Rule enhances patient privacy protections, provides individuals with new rights to their health information, and strengthens the government's enforcement of and penalties under the law. The changes that must be in effect on September 23rd in the
Changes to Notice of Privacy Practices
Changes were made to the information that is now required in the CE's Notice of Privacy Practices (Privacy Notice). CEs will need to update their Privacy Notices as required by the law. The updated Privacy Notice need not be given to existing patients who have already received a Privacy Notice. However, a copy of the updated Privacy Notice must be posted in the practitioner's office, and all new patients must be given a copy.
Updated Privacy Notices must include the following statements:
- Most uses and disclosures of psychotherapy notes, uses and disclosures of protected health information (PHI) for marketing purposes, and disclosures that constitute a sale of PHI require patient authorization;
- Other uses and disclosures not described in the Privacy Notice will be made only with authorization from the individual;
- Patients have the right to restrict certain disclosures of PHI to health plans/insurance companies if the patient pays out of pocket in full for the health care service; and
- Affected patients have the right to be notified following a breach of unsecured protected health information.
Modifications to the Breach Notification Rule
An "impermissible use or disclosure" of PHI is presumed to be a breach unless the CE or business associate demonstrates that there is a "low probability that the protected health information has been compromised." Breach notification is not necessary if a CE or business associate demonstrates through a documented risk assessment that there is a low probability that the PHI has been compromised. CEs and business associates must assess the probability that the PHI has been compromised based on a risk assessment that would be performed routinely following any security breach. The risk assessment considers the following:
- Nature and extent of PHI involved;
- To whom the PHI may have been disclosed;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated (for example, assurances from the recipient that the information has been destroyed or will not be further used or disclosed).
are required to give notification of a breach unless the information was secure. If the risk assessment fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required. This risk assessment should be documented in your records for all potential
will need to update their incident response and breach notification processes to reflect the change from a "risk of harm" standard to a "presumption of breach" standard and to include the four-factor assessment. It is important to note that HHS includes not just unauthorized access to PHI, but also impermissible uses by knowledgeable insiders, in its definition of a breach requiring an assessment.
Business associates and their subcontractors must now comply with the HIPAA rules in the same manner as covered entities. Any entity that "creates, receives or transmits" PHI on behalf of a covered entity may now be held directly liable for impermissible uses/disclosures. Business associates and subcontractors must conduct risk assessments under the HIPAA Security Rule.
Although business associates are now directly regulated under HIPAA, covered entities are still responsible for their business associates' actions. Therefore, CEs must ensure that they obtain satisfactory assurances of HIPAA compliance through their business associate contracts, and business associates must do the same for their subcontractors.
HHS set up a four-tier financial penalty structure for breaches deemed serious enough to warrant a penalty imposed by the federal government. Based on culpability, fines range from $100 to $50,000 per violation, with a cap of $1.5 million on violations of identical provisions happening within the same calendar year. High-level penalties are targeted at CEs who are willfully neglectful or make no attempt to correct problems.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
Please visit NASW's website to view updated sample forms that social workers can use in their practice.