The HIPAA Omnibus Final Rule went into effect in late September 2013, and it strengthens the ability of the Office for Civil Rights (OCR) to enforce new patients’ rights rules and to levy fines if the rules are not followed. The Final Rule includes significant changes to the privacy and security requirements that medical groups must comply with, including:
- Data breach notification. Practices must now report data breaches, unless they can demonstrate that there is a low risk that electronic Protected Health Information (ePHI) has been exposed.
- New patient rights. Patients can now request copies of their electronic medical records in electronic form. Patients can also request that information about their treatment not be shared with their health insurance provider if the patient pays all costs in cash.
- Modified NPPs. Practices must modify their Notice of Privacy Practices (NPPs) and their business associate agreements.
A major goal of the HIPAA Privacy Rule is to make sure that patients’ health information is protected while still allowing proper sharing of information with other healthcare providers to promote quality health care. The HIPAA Security Rule is designed to protect the privacy of individuals’ health information while allowing medical professionals to adopt new technologies that are appropriate for the size and structure of their organizations.
In addition to HIPAA, your practice must be in compliance with other federal and state regulations regarding infection control, exposure to bloodborne pathogens, proper credentialing of all employees, and other issues overseen by the Occupational Safety and Health Administration (OSHA), the Safe Medical Devices Act of 1990, and the Americans with Disabilities Act (ADA), among others.
- To see if your practice meets the definition of a covered entity and must comply with the HIPAA Rules’ requirements, visit HHS.gov.
- Download the Final Rule (PDF) from the U.S. Department of Health and Human Services.
- To minimize the chance of exposing patients’ ePHI, create strong passwords for all electronic files and consider encrypting data, especially if it resides on laptops or other portable devices, which can be easily stolen or lost.
- Train and educate all office personnel in risk management and loss prevention best practices, along with emergency medical procedures (such as CPR) and proper use of emergency equipment.
- Limit access to HIPAA-protected information and ensure that everyone who manages and accesses this information understands the Final Rule requirements on patient privacy and security.