Healthcare providers, healthcare clearinghouses, and health plans (“Covered Entities”) and their business associates all have less than one month to go before they are required to be in compliance with the enhanced privacy and security requirements that became final and effective on March 26, 2013. The compliance deadline for “Covered Entities” is September 23, 2013. For many, there is a lot of work to be completed before the compliance deadline arrives.
On the privacy side, Covered Entities need to update the Notice of Privacy Practices (“Notice”). Covered Entities need to ensure that the following notifications have been included in the Notice: (1) if a patient pays out of pocket in full for a visit and requests a restriction on disclosing the protected health information (“PHI”) to the health plan, the PHI related to the services would not be disclosed; (2) most uses and disclosures of psychotherapy notes require an authorization;