Rheumatology Practice Management December 2013 Vol 1 No 2 — December 30, 2013

Long Beach, CA—The final regulations to update the Health Information Portability and Accountability Act (HIPAA) privacy rules outline the process for breach identification and notification, and provide further definition of “business associates.” The effective date was March 26, 2013. Karen Gregory, RN, reminded listeners at the National Organization of Rheumatology Managers 8th Annual Conference that September 23, 2013, was the compliance date for the new changes that were published for HIPAA this year. Was your practice ready? And just how safe are your documents? There have been several recent incidents in which medical records were seriously compromised:

  • On July 15, 2013, 4 desktop computers were stolen from Advocate Med Group in Chicago, compromising the medical records of 4 million patients.
  • On July 22, 2013, a laptop was stolen from a St. Louis orthodontist’s office that compromised the medical records of 10,000 patients.
  • On August 2, 2013, a laptop was stolen from a physician’s practice at the University of Texas Health Science Center, compromising the medical records of 600 patients.

To prevent a similar incident in your practice, Ms Gregory urged practices to prepare. “If you are not doing a risk analysis and updating it based on what’s going on in your practice, you do not know what the areas of vulnerability are as they relate to information stored electronically. If you do not know this, then you cannot protect yourself against an inappropriate action,” she said.

The security rule states exactly what is required—you must update and conduct a risk analysis in your practice to protect yourself and your patients. Ms Gregory noted, “There is no wiggle room in there. And the security rule clearly states that you must perform a risk analysis. You must list what the issues are, and you must fix them.”

In stage 2 meaningful use, practices must address the encryption and security of their data. This means that anything in your practice that stores data (eg, every desktop, laptop, tablet, or mobile phone) must be encrypted.

Notice of Privacy Practices
Your office’s Notice of Privacy Practices (NPP) must be updated with regard to authorizations and patients’ rights. Authorizations must be obtained prior to the release of any protected patient information.

It is not necessary to redistribute the new notice to existing patients; however, it must be given to all new patients via e-mail, mail, or in person. Practices must be aware of the new patients’ rights:

  • If a patient does not want you to file an insurance claim and prefers to pay out of pocket, you must comply with the patient’s request. If the insurance company later seeks to review that patient’s files, you must have noted that this transaction was paid out of pocket, and you are then obliged to keep it private and not show it to the insurance company.
  • You must inform patients of any breaches.

The revised NPP must be displayed in a prominent location, and patients must sign the acknowledgment form. If your organization has a website, you must remember to update the NPP on the company website as well.

Business Associate Relationships
A business associate (BA) is an entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (ie, your practice). Your practice must obtain satisfactory assurance in the form of a contract or other arrangement that the BA will safeguard the information appropriately. The rule has been updated to include:

  • A health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to protected health information to a covered entity, and that requires routine access to such protected health information.
  • A person who offers a personal health record to 1 or more individuals on behalf of a covered entity.

A BA is also responsible for protecting patient information. In fact, your BAs can have their own BAs (eg, a subcontractor, such as a shredding company). That subcontractor is subject to the same liabilities and responsibilities. “Your practice is not responsible for entering into a contract with a subcontractor; however, if the subcontractor has a problem, your practice is responsible for reporting it. Furthermore, if someone performs a BA function, even without a contract in place, the rules still apply,” Ms Gregory warned.

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information not permitted under the privacy rule that compromises the security or privacy of such information. “Before September 23, 2013, if there was no harm, there was no liability. But after September 23, even if no harm occurred, your practice might be liable.” All breach exclusions must be documented:

  • A worker with authority to access information accidentally accesses the wrong record.
  • A worker with authority inadvertently shares information with another worker not involved in the care of the patient.
  • A worker shares information with a person who is not authorized, but the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Despite these exclusions, it is important to decide which breach to report. Remember, once you consider something a breach of privacy, you are bound to report it. Document every event, even the exclusions, and why you think they are not breaches.

How BAs communicate breaches should be outlined in the contract, including how quickly breaches must be reported to you, because your organization ultimately has the responsibility to report the breach. Note that laboratories do not need BA agreements, because they are covered entities.

The law requires written contracts between practices and BAs, but existing agreements may stay in place until September 23, 2014. Updated contracts must include required uses and disclosures. There must be a provision to comply with the security rule with respect to electronic patient health information and the elements of the privacy rule that apply to the covered entity. Breach reporting requirements to the practice must also be clearly outlined.

Access to Protected Health Information
Patients have a right to access their own information. They can ask for a copy of their records and you can charge a “reasonable cost-based fee.” When you are releasing information to the patient and to the patient only, you cannot include an administrative fee. The fee must be related to the number of pages you are releasing.

If you store information in an electronic format and the patient seeks a copy of his or her notes in an electronic format, your practice is required to provide a readable copy of the medical notes to the patient. “You need to keep in mind what format you will provide this information,” Ms Gregory noted. “If a patient requests that you send their medical records via e-mail to another physician, you must do this as required by law. If you do not have the capacity to send the information in a protected manner (encrypted), you must inform the patient that you will comply with their request, but that the information will not be protected.” The important issue is to comply with all patient requests, while informing them of any risks that this action might entail.

Research authorizations can be combined with conditioned or unconditioned elements. Practices can have a research authorization that will allow you to use information for future research studies.

For fundraising communications, a practice does not need a patient’s permission to send fundraising information; however, you must give patients the option to opt out and not receive further fundraising information or requests.

Fines for Willful Neglect
Fines for willful neglect range from $100 to $50,000. Fines can begin at $50,000 and are capped at $1.5 million for violations of identical provisions in the same year. Practices may be fined even if the practice was unaware of a violation that the US Department of Health & Human Services investigated. The time is now to look at the updated regulations and make the required changes.
