The mega rule deadline is September 23, 2013
What should managers be doing right now for HIPAA?
They should be updating the Notice of Privacy Practices and getting patients to sign off on the revision. And they have only until September 23, 2013 to get it done.
Along with that, they need to be paying close attention to some other HIPAA requirements that are getting overlooked, says Nathan A. Kottkamp, a health care attorney with McGuire Woods in Richmond, VA.
The new privacy notice items
The privacy notice tells patients about their rights with their protected health information, or PHI. And the requirement to update it comes from HIPAA’s new mega rule, or the final HIPAA regulations that came out in January.
The deadline for complying with those regulations is September 23, 2013.
What offices have to do is revise the notice so it tells patients about four new items that the mega rule has brought in.
• Release authorizations. The office’s new notice has to say that certain disclosures and uses of patient information require authorization from the patient.
Those disclosures include
- Psychotherapy notes. These are the notes of a mental health professional that are kept separate from the record itself.
- Protected information that the office uses for marketing.
- Any disclosure the office makes that constitutes a sale of the protected information.
• Fundraising. The notice has to tell patients they can opt out of getting fundraising communications from the office.
• Restricting information releases. The notice has to explain that a patient who pays for a service in full and out of pocket can request that the office not disclose any information about that service to an insurance company.
The request has to be in writing and has to identify what information is restricted and what insurance company is not to receive it.
Kottkamp points out that this applies to all payers, including Medicare and Medicaid. To a great extent, what will get restricted is information that a patient considers embarrassing such as alcohol or drug treatment.
• Breach notification. The notice has to say that patients will be notified in writing when a breach in their protected information occurs.
And beyond telling patients about the new notification requirement, the office itself has to pay special attention to that provision, Kottkamp notes.
Under the new rule, any loss or inappropriate disclosure of data is presumed to be a breach unless the office can show there’s only minimal probability the data will be used improperly.
That means any breach – no matter how minor – has to be reported to the patient and also covered in the office’s year-end HIPAA report. And a breach can be anything from a database disaster all the way down to a staffer’s giving out patient information to another person.
What’s being called the HIPAA mega rule is the final regulations for the Omnibus Health Insurance Portability and Accountability Act. Offices have until September 23 to comply. The mega rule is outlined in the February issue of MOM at “HIPAA’s rules get tighter and its penalties get higher.” The new regulations appear in the January 25 Federal Register, and they can be accessed by clicking here.
A new notice to every patient
The office has to tell patients about the revisions and have them sign off on the new notice, Kottkamp says. And the easiest way to do that is to have them sign the notice as they come in.
The office can give them an actual copy of the notice and have them sign it. Or it can simply give them a statement that there is a new notice and that they can access it if they want, and have them sign the statement.
However, he says, make sure that what gets signed is what actually happens. If the statement says “I have been given a copy of the notice,” the office must have handed the patient an actual copy. Otherwise, the statement should say “the notice has been made available to me.”
Plus a notice posted in the office
The revised notice also has to be posted in the office. It’s permissible to post a statement that it is available to patients upon request, he says, but it’s best to post the entire document.
Also, HIPAA requires that the notice be available for patients to take out, so the office needs to keep several copies of the full document on hand. That prevents the situation where a patient – or worse, a government HIPAA enforcer – asks to see it “and nobody knows where it is.”
Along with that, “it’s best practice to post the notice on the office’s website.” That’s good evidence the office is in compliance with the new requirement and is making patients aware of the content of the notice.
He adds that “there is no standard” for the wording of the notice. There are many samples on the internet, and some consulting firms sell them.
But because the government is cracking down on HIPAA compliance in small offices, his advice is to get an attorney to approve the new notice before giving it to patients.
HIPAA and staff confidentiality
HIPAA turns its sights on small offices
In the past, HIPAA has not gone after small offices. The government has focused instead on the big practices with the deep pockets. Not so any more. In a recent statement, the Office of Civil Rights, which enforces HIPAA, said that “regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” And the OCR means what it says. Last year, a five-physician cardiac surgery practice agreed to pay $100,000 over violation charges. The action came from a complaint that the office was posting its appointment and surgery schedules on an internet site that could be accessed publicly. The government said the practice had taken inadequate steps to comply with HIPAA. And this year, the government imposed a $50,000 fine on a hospice where a laptop with information on 441 patients was stolen. The government said the hospice had not conducted a risk analysis to safeguard its protected information and, along with that, did not have policies and procedures to ensure the security of its mobile devices.
The new HIPAA mega rule is serious business for offices. In fact the government has said it is looking hard for violations in small offices.
For that reason, managers need to be sure there is ongoing staff education on HIPAA, Kottkamp says.
And “to put some teeth into it,” include HIPAA in the confidentiality agreement staff sign. Put in a statement that disclosing information about patients in personal conversations with outsiders or with friends in other offices “is a HIPAA violation.” Then if a staffer does release information inappropriately, the office can say “you signed this” and impose discipline.
The discipline is up to the manager’s discretion. It might be no more than a reprimand and a requirement that the staffer take more HIPAA training. But it should come with a warning “that there is no second shot.” A second violation is serious enough to warrant termination.
HIPAA and staff training
Pay close attention too to the HIPAA training, he says. “The office is vulnerable if it’s not training staff regularly.”
If HIPAA walks in and all the manager can show is a training course a few years ago, the government is not going to be impressed. Expect a citation.
The education has to be ongoing. The safest approach is to hold it annually and then supplement it throughout the year at staff meetings. It doesn’t have to be anything formal, just ongoing. And always document it.
That’s what the government wants to see.
HIPAA and the physicians
Another precaution is to emphasize to the physicians that they must take HIPAA seriously.
Many doctors “see it as just a bunch of forms” and a lot of bother, he says. But it’s dangerous business.
Until now, enforcement has been weak. But the government has ramped it up. And come September 23 when the new mega rule takes effect, offices “will see a dramatic increase in enforcement.” And no one is immune to it.
Don’t overlook that risk analysis!
A final HIPAA compliance point is a requirement that has been part of HIPAA since 2003.
It is a written risk analysis, and very few offices have one, Kottkamp says.
Risk assessment “is at the core of HIPAA, and HIPAA expects it.” In fact, the government has assessed fines for missing or outdated analyses.
The security rule sets out the standards the analysis has to address. Some are required, and some are addressable.
They cover three areas: administrative safeguards, physical safeguards, and technical safeguards.
An explanation of each as well as information on the security standards in general can be found by clicking here. Go down to “Other Security Rule Notices and Materials” and click on “Security Rule Educational Paper Series.”