On March 26, 2013, the final rules that implement the Health and Information
Technology for Economic and Clinical Health (HITECH) Act went into effect.
These rules directed that all providers and groups must be in compliance by
September 23, 2013. That date is right around the corner, and it is imperative
to use these last few weeks to make the proper preparations to paperwork and
policies. Failure to do so can result in increased fines.
The following are key aspects of the law that providers must be aware of:
Business Associate Agreements
A business associate (BA) is any company that handles PHI, such as vendors and
contractors. If no BA agreement exists, then one must be in place by September
23. Any already existing BA agreements that were previously considered HIPAA
compliant have a 1-year extension on revisions, as long as no renewals are done
between March 26 and September 23. Any BA agreement that is renewed after
September 23 must follow the new laws. BAs are now considered responsible for
their subcontractors and must have BA agreements with them.
Patient Rights
The ruling allows patients to have expanded rights when it comes to the privacy
and security of their PHI. After September 23, they will be able to request
their records in electronic form. They can also request that a provider not
disclose any treatments to the health insurance carriers when the patient has
paid in full. There are also much stricter rules in place for the use of PHI
for marketing and fundraising purposes. The law prohibits selling a patient’s
PHI without their consent. September 23 is the deadline for adding and/or
revising your practice’s Notice of Privacy Practices (NPP) to reflect these
changes. The new changes will also implement the Genetic Information
Nondiscrimination Act (GINA) of 2008, which ensures that patients’ genetic
health information cannot be used by health insurance carriers for
underwriting purposes.
It is vital for every practice to do the following updates before the
September 23 deadline:
-Notice of Privacy Practices form
-Business Associate Agreements
-Authorization forms
-Staff training
-HIPAA privacy policies
-HIPAA security policies
-Agreements between BAs and Subcontractors
Contact our office if you have any questions concerning your practice and the
September 23 HIPAA deadline. We are available to aid in all forms of practice
preparation and compliance to avoid the new higher fines of up to $1.5 million
per violation that come with the deadline.