Are You Compliant with the New HIPAA Regulations Effective March 26, 2013?
The United States Department of Health and Human (HHS) has issued the Final Rule of the HIPAA Privacy and Security Regulations implement modifications of HIPAA and amendments to the HITECH (electronic security) Act, to take effect March 26, 2013. Dental and medical providers across the country are appropriately nervous about these new rules, given that providers are only given until September 23, 2013 to implement most of the new rules. The 563 page HHS release discussing the new rules was recently issued, and gives the necessary detailed procedures that must be followed. Here is a summary of the new rules and their effect on dental practices:
Business Associates. A major new change to the rule which will affect dental practices is the extension of the requirement to have Business Associate Agreements with any business or person who handles Protected Health Information (PHI) “downstream” from the dental office. This includes any dental labs, computer maintenance companies, telecommunications companies and any other companies which may regularly handle or have access to PHI because of their dealings with dental offices.
Now, dental offices must have their attorneys or other document drafters create “business associate agreements” with these companies, which are contracts which lay out the responsibilities of both the dental offices and the business associate companies or persons to secure and prevent breaches of unauthorized release of PHI. PHI includes information such as addresses or social security numbers which may identify individuals having medical records, and thus goes beyond just medical information. The business associates can now be penalized directly under HIPAA, and they have to have agreements with their own subcontractors beyond those agreements with the offices. The dental office Business Associate Agreements must spell out those requirements as well as other requirements on not revealing PHI and keeping it secure on computers amongst dental personnel, and the direct penalties for Business Associates for breaches.
Notices of Privacy Practices. The Notices of Privacy Practices must now be changed to inform patients of the new responsibilities of dental practices and their associates, and of changes to HITECH rules on digitalized PHI. The new Notices must be prominently displayed, with copies readily available in the office area, and not just upon request at the receptionist’s desk.
Marketing and Finance. Dental offices now are under stricter scrutiny regarding the release of PHI in any marketing of their practices, description of their services, or sale of any products associated with their practices.
Expanded Right to Receive PHI by Patients, etc. Patients now have expanded rights to receive more health information available within dental offices, particularly the information which is digitalized or maintained on computers. Dental offices must inform them of these rights in new Notices of Privacy Practices, as well as the patients’ rights to receive PHI by electronic means and their right to prevent transfer of this information to them by e-mails, etc. More encryption of PHI and transmission methods will have to be used in dental practices, with IT companies or experts sometimes required to train personnel in proper encryption.
Notification requirements. The procedures for breach notification of patients and reporting of security breaches are now more detailed, with 30 days notice to patients required if a breach of their PHI is made.
The definitions of what a “breach” is, whether inadvertent releases must require notification, and the increase in notification requirements if “reputational harm” might result has become more complex.
Child Immunizations and GINA The requirements for authorization to release PHI to schools for purposes of child immunizations are now outlined, and releases of genetic information (such as family history of diseases or illnesses) are now regulated under the new HIPAA laws and the GINA law on discrimination based on genetic history.
New Enforcement. Finally, the new greater enforcement of penalties for negligent or willful breaches of HIPAA has been formalized, so that penalties may range from $100 to single breaches to $1.5 Million multiple, willful and large scale breaches.