Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

A quick guide to HIPAA compliance for physicians

July 10, 2013

Article

To read other articles in Medical Economics' series "Making sense of government regulations," click here.

If you haven’t done so already, consider circling September 23, 2013 on your calendar. That’s the day that the federal government will start enforcing changes to the Health Insurance Portability and Accountability Act (HIPAA). The changes affect everything from how you secure your patients’ protected health information to the contracts you sign with vendors to what you need to tell patients about their privacy rights. Although the new regulations officially took effect in March, physicians and other entities covered by HIPAA were given 6 months to comply. The U.S. Department of Health and Human Services, which developed the regulations, says the updates are needed to account for the widespread use of electronic health records and other changes in health information technology that have occurred since HIPAA was enacted in 1996.

Compliance with the updated regulations require medical practices to:

conduct a risk analysis to determine the vulnerability of electronic protected health information (PHI) to loss or theft, and document that they have done so;

encrypt patient PHI so that it can’t be used if it’s lost or stolen;

review policies and procedures for what do if PHI is lost, stolen, or inappropriately disclosed;

review contracts with vendors and other “business associates” that have access to PHI to ensure that the vendors have proper safeguards in place to secure patient PHI.

The penalty for unauthorized disclosure of PHI consists of fines that range from $100 to $50,000, depending on the circumstances of the disclosure and the size of the practice.

The new regulations also:

allow patients to forbid disclosure of information about a test or treatment for which the patient has paid out-of-pocket, thus requiring practices to be able to identify and separate information a patient doesn’t want disclosed so that it’s not accidentally sent to an insurance provider;

permit patients to request their health information in electronic form, and require practices to comply with the request within 30 days with one 30-day extension permitted; and

require practices to update their notice of privacy practices to include all patients’ rights, and send the updated notice to all patients and posting it in the practice’s office and on its Web site.

The regulations will be enforced by the Office of Civil Rights, part of the U.S. Department of Justice. More information about the updated HIPAA regulations is available at www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html.

To get ready, experts say, conduct a thorough evaluation of your practice operations to make certain you remain in compliance for data security, privacy, and reporting of breaches.