A quick guide to HIPAA compliance for physicians

July 10, 2013

If you haven’t done so already, consider circling September 23, 2013 on your calendar. That’s the day that the federal government will start enforcing changes to the Health Insurance Portability and Accountability Act (HIPAA).


The changes affect everything from how you secure your patients’ protected health information to the contracts you sign with vendors to what you need to tell patients about their privacy rights. Although the new regulations officially took effect in March, physicians and other entities covered by HIPAA were given 6 months to comply. The U.S. Department of Health and Human Services, which developed the regulations, says the updates are needed to account for the widespread use of electronic health records and other changes in health information technology that have occurred since HIPAA was enacted in 1996.

Compliance with the updated regulations requires medical practices to:

  • conduct a risk analysis to determine the vulnerability of electronic protected health information (PHI) to loss or theft, and document that they have done so;

  • encrypt patient PHI so that it can’t be used if it’s lost or stolen;

  • review policies and procedures for what to do if PHI is lost, stolen, or inappropriately disclosed;

  • review contracts with vendors and other “business associates” that have access to PHI to ensure that the vendors have proper safeguards in place to secure patient PHI.

The penalty for unauthorized disclosure of PHI consists of fines that range from $100 to $50,000, depending on the circumstances of the disclosure and the size of the practice.

The new regulations also:

  • allow patients to forbid disclosure of information about a test or treatment for which the patient has paid out-of-pocket, thus requiring practices to be able to identify and separate information a patient doesn’t want disclosed so that it’s not accidentally sent to an insurance provider;

  • permit patients to request their health information in electronic form, and require practices to comply with the request within 30 days with one 30-day extension permitted; and

  • require practices to update their notice of privacy practices to include all patients’ rights, send the updated notice to all patients, and post it in the practice’s office and on its Web site.

The regulations will be enforced by the Office of Civil Rights, part of the U.S. Department of Justice. More information about the updated HIPAA regulations is available at www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html.

To get ready, experts say, conduct a thorough evaluation of your practice operations to make certain you remain in compliance for data security, privacy, and reporting of breaches.