HIPAA Changes Require Practices to Take Additional Compliance Steps

Earlier this week, new HIPAA mandates went into effect and hopefully most providers have a new form of Notice of Privacy Practices (NPP) as well as new Business Associate Agreements (BAAs) in place. While these forms are relatively easy for providers to understand and incorporate into their daily operations, it’s also important to think about the HIPAA changes and determine whether there are additional steps to take to ensure your HIPAA compliance:

1. Do you have a BAA with legal counsel? Although there was much debate about whether lawyers are business associates under HIPAA or otherwise protected under the attorney-client privilege, it has been made increasingly clear that counsel is considered a business associate. Make sure your lawyer and other advisers have executed a BAA before you share any protected health information (PHI).

2. Do you receive financial remuneration that might implicate HIPAA?  In some cases, physicians and healthcare providers receive payments from manufacturers which may be used to support the costs of newsletters or other information sent to patients. An example of this might be an ENT group which receives funding from a hearing aid manufacturer to supplement the costs of a mailing about hearing aids that the group sends to its patients.

If this sounds like a familiar scenario, it’s important to understand how you might be affected by the 2013 updates to HIPAA, which made significant changes to the rules on marketing. Under the revised HIPAA rules, patients must be aware of, and be able to opt out of, marketing activities of a healthcare entity with which the individual does business, except in limited circumstances. For purposes of HIPAA, “marketing” is generally defined as making a communication that encourages the recipient to use a product or service, with certain excepted activities that relate to the individual’s specific treatment (i.e. communications about refills, treatment plans, alternatives to treatment, etc.) or the operations of the provider. If an activity satisfies the definition of “marketing,” the covered entity (or business associate) may be required to obtain the authorization of each person receiving the communication (with certain exceptions).

Many covered entities are not aware they may need to seek patient authorization before using PHI for marketing. If you are: (a) a covered entity or a business associate; (b) use PHI for purposes of marketing; and (c) receive financial remuneration from a third party for marketing to patients (and the third party’s items or products are included in such marketing), in most situations this transaction requires a targeted patient’s authorization under HIPAA.

In the above scenario, the ENT group needs to seek patient authorizations before sending newsletters that contain information about hearing aids manufactured by the party that supplied funding for the mailing. This can be a daunting task! Keep in mind this scenario likely also creates issues under state and federal kickback laws as well as the Sunshine Act.

UPDATE:  As of Sept. 25, 2013, enforcement of the marketing rules under HIPAA has been delayed until later this year. HHS says it won’t restrict marketing on prescription refill reminders until Nov. 7. Apparently, the suspension was caused by a lawsuit brought by Adheris, a company that works with practices to provide prescription refill reminders.  The lawsuit is challenging the HIPAA marketing provision on the grounds that it violates free speech.
 

3. Be sure to actually offer the NPP to patients. When I visit physician offices, I am often asked to sign a summary of the NPP, which indicates that I have received and reviewed the NPP. In fact, I’m rarely offered an NPP to review. Office staff frequently stares at me like a deer in headlights when I seek an actual copy!

4. If you are a business associate, make sure you know that it’s not business as usual!  There are new requirements and liabilities for business associates under HIPAA and a review of security measures is needed from top to bottom. Make sure you consult with a HIPAA specialist to get the job done correctly and limit liability.

5. Finally, keep a close eye on use of social media by your staff, physicians and business associates. Inappropriate use of Twitter, Facebook, email, messaging and other social media is a dangerous risk for providers. Don’t assume physicians know the right thing to do. Specific and ongoing training is needed. Recent stories in the news are evidence that healthcare providers are still not thinking enough about HIPAA.

Whether you were able to meet this week’s HIPAA deadline or not, the work is still not done. Ensuring compliance and understanding the full requirements of HIPAA is an ongoing process for every healthcare provider.