The deadline for compliance with the Health Insurance Portability and Accountability Act (HIPAA) omnibus rule, which modified requirements relating to privacy, security and breach notification, passed on Sept. 23. Physician practices that haven't already done so should take the opportunity to revise policies and procedures, review staff training and in general make sure they are meeting requirements to protect personal health information.
While many of the omnibus changes are subtle and may not require a great deal of effort on the part of the practice, the penalties for noncompliance are severe. It would be wise to conduct a gap analysis of how your practice protects the privacy and security of patient information.
The most immediate action that requires attention is to revise the Notice of Privacy Practices and business associate agreements. Under the old rules, business associates were not held directly liable for their actions in terms of protecting patient privacy. However, business associates are now directly liable under the HIPAA rules and are subject to civil and in some cases criminal penalties for making use of and disclosing health information or for failing to safeguard electronic versions of protected health information. Thus, business associate agreements should be modified accordingly.
There are two requirements that might be tricky for practices. The first is that patients who pay in full up front may ask practices to withhold information about that appointment from their health plan. This may be more feasible in some systems (billing or electronic health records) than in others. Not all systems make it easy to flag visits so that notes are separated out or a bill is not automatically generated.
This requirement poses another problem. Any outside testing, prescriptions or other downstream activities resulting from the visit are out of the control of the practice. Patients should be advised that they will have to make the same request of other clinicians and providers separately. If the practice e-prescribes, then a paper prescription may be necessary in order to keep the information from the insurance company; the patient will have to make a similar request at the pharmacy. Practices will need to modify their financial responsibility forms or create a separate form to reflect this change. Patients should also be advised that it may be difficult to exclude certain encounters in the event of an insurance audit or a treatment-related request from another clinician.
The other requirement that may be tricky is how to handle requests for electronic copies of electronically stored patient charts. The new rules require that, upon request, practices that store protected health information electronically must provide the patient with an electronic copy of the records within 30 days for a “reasonable” cost.
Practices will need to work with their vendors to determine how to produce a copy of the record in electronic format, including what information will be included and how to make it readable outside the electronic health record. The omnibus rule does not define a particular format, so the practice should determine what is feasible (e.g., CD or thumb drive) and what an appropriate charge should be. This information should be included in the practice's records release policy. Patient-supplied media should not be used; the practice should supply the media in whatever format it has decided is the best option.
More information about the new HIPAA rules is online. ACP's recently revised HIPAA Privacy Manual and HIPAA Security Rule Manual include updated Notice of Privacy Practices and Business Associate agreements, as well as revised practice walk-through/risk assessment and many forms that can be customized to each practice. Remember that many states have rules more stringent than HIPAA rules, so it is important to ensure that your practice complies with all relevant state privacy laws.