Healthcare providers, healthcare clearinghouses and health plans (“Covered Entities”) and their business associates have less than one month left before they must comply with the enhanced privacy and security requirements that became final and effective on March 26, 2013. The compliance deadline for Covered Entities and business associates is September 23, 2013. For many, there is a lot of work to complete before that date arrives.
On the privacy side, Covered Entities need to update their Notice of Privacy Practices (“Notice”). Covered Entities must ensure that the Notice includes the following statements: (1) if a patient pays out of pocket in full for an item or service and requests a restriction on disclosure to the health plan, the protected health information (“PHI”) related to that item or service will not be disclosed to the plan; (2) most uses and disclosures of psychotherapy notes require an authorization; (3) most uses and disclosures for marketing purposes, and any disclosure that constitutes a sale of PHI, require an authorization; (4) any use or disclosure of PHI not described in the Notice also requires an authorization; (5) patients will be given the opportunity to “opt out” of fundraising communications; and (6) patients will be notified of a breach of their unsecured PHI. All patients should receive the updated Notice following September 23, 2013.
More importantly, the security rules and regulations have substantially changed the obligations of Covered Entities and business associates. When the American Recovery and Reinvestment Act of 2009 (“Stimulus Act”) was passed, it provided financial incentives for healthcare providers to adopt electronic medical records. Many patients were concerned about the electronic exchange of their health information and wanted any loopholes in the previous HIPAA rules closed. Accordingly, the final rule implementing the Stimulus Act’s HITECH provisions strengthens the security requirements and increases the fines and penalties for failure to comply with HIPAA. The new rule also applies the specific security safeguards, and the new fines and penalties, directly to business associates.
Business associates include companies that provide certain types of services on behalf of a Covered Entity, as well as entities that receive PHI electronically and routinely access it, such as a health information gateway or a regional health information organization. Given this expanded definition of business associate and the expanded obligations that come with it, it is critical for vendors that serve the healthcare industry to ensure they have addressed, and are in compliance with, the security safeguards by September 23, 2013.
In order to comply with the security safeguards, business associates and Covered Entities must document how they have addressed or implemented each of the administrative, physical and technical safeguards required by the HIPAA Security Rule. The top five administrative safeguards to implement as a priority are:
(1) Performing a full risk assessment of the electronic exchange of PHI and the supporting infrastructure, and addressing any vulnerabilities identified;
(2) Addressing how access to PHI is granted, supervised and terminated for the workforce and contractors. Any individual given access to a system holding PHI must be cleared before access is granted, receive training, and be assigned a unique user identifier (the Security Rule requires unique user identification, not merely a password) so that activity can be traced to a specific person;
(3) Designating a security official who is responsible for developing and implementing the security policies and procedures, including the handling of potential breaches involving electronically exchanged PHI;
(4) Ensuring the organization has a comprehensive disaster recovery and backup contingency plan; and
(5) Auditing and updating business associate agreements to include the updated language required by HIPAA.
In addition to the administrative safeguards, the physical safeguards that secure the facility and its workstations must be addressed. These include controls on facility access, secure workstation use, and the proper disposal and reuse of media that contains PHI. Closely related, and required under the workforce security awareness and training standard, are periodic security reminders and protection from malicious software. And last but not least, the technical safeguards, including access controls, audit controls, encryption (which must be implemented or, if not reasonable and appropriate, its omission documented with an equivalent alternative), and measures to maintain the integrity of PHI, must all be addressed.
This is an extensive project and should not be put on the back burner by any organization. With less than a month to go, it is important for Covered Entities and business associates to confirm that they are in compliance with HIPAA. Fines and penalties for HIPAA breaches will continue to be issued, and government-sponsored audits are expected to keep identifying organizations that have failed to address the administrative, physical and technical safeguards as well as the required privacy protections. September 23 is coming fast, and this should be a priority project for all Covered Entities and business associates.