The compliance date for the new HIPAA Omnibus Rule implementation was September 23rd, meaning your practice should already have integrated the provisions of the new rules into your policies and procedures. But what does that mean and how will it affect the documents and records you are responsible for? Today we want to take a closer look at some of the most important changes in this new rule and what protections they are meant to convey.
The new rules were first published as part of the HITECH Act, which was initially passed in 2009. They have been described as sweeping and the most significant revisions to HIPAA since it was first implemented, so this transition is a big deal.
In short, the new rules are designed to further protect PHI (protected health information) for patients, and they apply not just to physicians and practices but to anyone who, by association, has access to that information (an ever-growing number of information and advocacy organizations, as well as their subcontractors). They therefore cover your policies and procedures for privacy, security and breach notification, as well as your Notice of Privacy Practices (NPP) and your Business Associate Agreements (BAAs).
What Changed and Why
One of the biggest changes relates to breach notification. It’s always been required to notify a patient if their information was accessed by someone without authorization, but the rules have been clarified quite a bit.
Now factors such as the identity of whoever accessed the PHI, whether the information was merely accessed or actually acquired, and how much risk is at stake when the PHI is accessed are all taken into consideration after a breach. In effect, the government is providing detailed instructions for practices to identify and grade a breach, so that the practice can determine whether it must act in accordance with the HIPAA notification requirements.
On top of this there are other limitations on disclosure including:
- Health Plan Disclosure – Patients can now request that physicians withhold out-of-pocket expenses from health plans and other entities.
- Marketing – The new HIPAA rules are very clear on when and how a health services professional can contact a patient with marketing messages, especially without written consent.
- Selling PHI – Without written authorization, disclosure of PHI is now limited where there is a potential profit involved.
- Electronic Provisions – The new rules integrate a number of electronic factors as well, including delivering copies of e-PHI to patients, responding to requests for information, the procedure for emailing PHI, and charging for copies of e-PHI.
As you can imagine, quite a few things have changed in terms of who you can disclose information to, when you can do it, and how it can be transmitted. So your privacy practices need to be updated accordingly. And legally, the NPP you give to patients needs to be updated as well.
In addition to updating your NPP, your Business Associate Agreements need to be updated, as an expanded range of organizations and individuals are now considered Business Associates. Patient Safety Organizations, health information organizations, and health information exchanges have all been added to the list, for example. At the same time, all existing Business Associates are now responsible for their subcontractors and must comply with the new breach and notification rules.
What This Means for You
This is just a sampling of the new rules in the HIPAA Omnibus. The bottom line, however, is that the way you present information, store information, and share information needs to change, and so it’s important you have strong privacy structures in place for your practice, including not only safety systems but document and data destruction when it is necessary.
If you have any additional questions about the new provisions or how they apply to your practice, call Strongbox Document Destruction today.