Physicians need to get ready to comply with new rules recently issued under HIPAA. The so-called “Final Rule” makes significant changes to several of the laws governing physicians and the health care field in general. The general deadline to comply with the Final Rule is September 23, 2013. The following summarizes some of the major compliance considerations related to the new rules.
Definition of Business Associates
The Final Rule expands the definition of the term “business associate” to include any entity or individual that “creates, receives, maintains, or transmits” PHI or ePHI. This means that anyone who possesses PHI is now a business associate, including record storage companies and possibly even paper shredding companies. Physicians should now require these companies to enter into business associate agreements to govern their use of PHI and ePHI.
The Final Rule also adds new liability risks for physicians and business associates. Physicians now have a duty to use reasonable diligence in selecting and overseeing business associates. Business associates can now be directly held liable for HIPAA breaches. As a result, almost all business associate agreements will need to be reviewed and revised.
Changes to Notices of Privacy Practices
The Final Rule requires changes to Notices of Privacy Practices (NPPs). NPPs now must inform patients that, if they pay for services out-of-pocket in full, they have a right to limit certain disclosures of PHI. NPPs must also inform patients about their rights when notified of a privacy breach. In some cases, NPPs will also need to include new notices about psychotherapy notes, marketing, and fundraising.
Tier Three: If the violation was due to willful neglect, but was corrected within 30 days after the Covered Entity or Business Associate discovered the violation, the civil penalty will be not less than $10,000 but not more than $50,000 per occurrence, up to a maximum of $1.5 million for all similar violations per calendar year. The Covered Entity or Business Associate will be treated as discovering a violation when the facts that would have been disclosed by an exercise of reasonable due diligence would have led to the discovery of the violation.
Third-Party Marketing Restrictions
The Final Rule generally requires patients to give prior written authorization before physicians may send third-party funded marketing. An exception exists if the physician is marketing his or her own services and facilities.
Patient Rights to Receive Machine-Readable Copies of EHR
The Final Rule gives patients the right to receive machine-readable copies of their EHR. If a patient makes the request, the physician must respond within 30 days. Physicians may charge only the actual costs of responding to this request. These new rights are likely to lead to many requests for machine-readable copies, especially among younger patients. Therefore, physicians should get their systems ready to handle these requests in an efficient manner that minimizes the risk of a breach.