Medical Practices Must Adjust to Comply with New HIPAA Rules

The HIPAA Omnibus Final Rule, which went into effect in late September, includes several changes that medical practices must be aware of.

"The idea, at the 60,000 foot level, is as we, the government and American healthcare, begin to become more electronic, we have to take into account additional privacy and security issues," Robert Tennant, senior policy advisor for Medical Group Management Association (MGMA) government affairs and a presenter at the MGMA Annual Conference in San Diego, recently told Physicians Practice.

During his MGMA session on Tuesday, Oct. 8, "Get Ready for the New HIPAA Privacy and Security Changes: An Action Plan for Medical Groups," Tennant identified several of the important changes included in the HIPAA Omnibus Final Rule that practices must pay attention to.

Breach notification. Should a potential breach occur, for example, a physician's laptop containing electronic protected health information (ePHI) is stolen, practices must now report the breach unless they can demonstrate that there is a low risk that ePHI has been exposed.  

The four risk assessment provisions to consider are:

• The nature and extent of PHI involved;

• The person who used the PHI or to whom the disclosure was made;

• Whether PHI actually was acquired or viewed; and

• The extent to which the risk to the PHI has been mitigated.

Of note: If the ePHI associated with a potential breach is encrypted, your practice will meet safe harbor requirements and it will not need to report the breach. "It really is a get-out-of-jail-free card," said Tennant."If you do [encryption] right it really can protect your data."

New patient rights. The final rule outlines several new patient rights that practices must comply with, said Tennant. These include:  

• The patient's right to request a copy of their medical record electronically if the practice retains a copy of the record in that format. Practices must provide the record in the format requested by the patient. If the format is not readily producible, practices must work with the patient to find a suitable medium. If the practice and patient can't reach an agreement, a readable hard copy must be provided, said Tennant.

• The patient's right to ask that a practice not forward a particular service or test to their health plan if the patient pays in full, out of pocket.

Changes to notices and agreements. The final rule requires practices to modify their Notice of Privacy Practices (NPPs) and their business associate agreements. For more guidance on some of the key changes and updates practices must make, visit:

• Two Essentials for HIPAA Omnibus Final Rule Compliance

• What Practices Need to Do Now to Prepare for HIPAA Omnibus Changes

• Sample NPPs are available at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html