Managing Your Practice

New HIPAA requirements


I’m hearing a lot of concern about the impending changes in the Health Insurance Portability and Accountability Act (HIPAA) – which is understandable, since the Department of Health and Human Services has presented them as "the most sweeping ... since [the Act] was first implemented."

But after a careful perusal of the new rules – all 150 three-column pages of them – I can say with a modest degree of confidence that for most physicians, compliance will not be as challenging as some (such as those trying to sell you compliance-related materials) have warned.

However, you can’t simply ignore the new regulations; definitions will be more complex, security breaches more liberally defined, and potential penalties will be stiffer. Herewith the salient points:

Business associates. The criteria for identifying "business associates" (BAs) remain the same: nonemployees, performing "functions or activities" on behalf of the "covered entity" (your practice), that involve "creating, receiving, maintaining, or transmitting" personal health information (PHI).

Typical BAs include answering and billing services, independent transcriptionists, hardware and software companies, and any other vendors involved in creating or maintaining your medical records. Practice management consultants, attorneys, companies that store or microfilm medical records, and record-shredding services are BAs if they must have direct access to PHI to do their jobs.

Mail carriers, package-delivery people, cleaning services, copier repairmen, bank employees, and the like are not considered BAs, even though they might conceivably come in contact with PHI on occasion. You are required to use "reasonable diligence" in limiting the PHI that these folks may encounter, but you do not need to enter into written BA agreements with them.

Independent contractors who work within your practice – aestheticians and physical therapists, for example – are not considered BAs either, and do not need to sign a BA agreement; just train them, as you do your employees. (I’ll have more on HIPAA and OSHA training in a future column.)

What is new is the additional onus placed on physicians for confidentiality breaches committed by their BAs. It’s not enough to simply have a BA contract. You are expected to use "reasonable diligence" in monitoring the work of your BAs. BAs and their subcontractors are directly responsible for their own actions, but the primary responsibility is ours. Let’s say that a contractor you hire to shred old medical records throws them into a trash bin instead; under the new rules, you must assume the worst-case scenario. Previously, you would only have to notify affected patients (and the government) if there was a "significant risk of financial or reputational harm," but now, any incident involving patient records is assumed to be a breach, and must be reported. Failure to do so could subject your practice, as well as the contractor, to significant fines – as high as $1 million in egregious cases.

New patient rights. Patients will now be able to restrict the PHI shared with third-party insurers and health plans if they pay for the services themselves. They also have the right to request copies of their electronic health records, and you can bill the actual costs of responding to such a request. If you have EHR, now might be a good time to work out a system for doing this, because the response time has been decreased from 90 to 30 days – even less in some states.

Marketing limitations. The new rule prohibits third-party-funded marketing to patients for products and services without their prior written authorization. You do not need prior authorization to market your own products and services, even when the communication is funded by a third party, but if there is any such funding, you will need to disclose it.

Notice of privacy practices (NPP). You will need to revise your NPP to explain your relationships with BAs, and their status under the new rules. You will need to explain the breach notification process, too, as well as the new patient rights mentioned above. You must post your revised NPP in your office, and make copies available there, but you need not mail a copy to every patient.

Get on it. The rules specify Sept. 23 as the effective date for the new regulations, although you have a year beyond that to revise your existing BA agreements. Extensions are possible, even likely.

Dr. Eastern practices dermatology and dermatologic surgery in Belleville, N.J.

Next Article: