By: Sarah E. Swank
The long-awaited changes to HIPAA were released on January 25, 2013, overhauling physicians’ current obligations. Practices should begin reevaluating their business associates, policies, training and notice of privacy practices to come into compliance by September 23, 2013. The top 10 HIPAA topics for physicians follow.
1. Business Associates
For the first time, business associates and downstream subcontractors must enter into agreements with their subcontractors ensuring protected health information (PHI) is safeguarded. Conduits or those who have custody of PHI are now considered business associates.
2. Access of Individuals to Protected Health Information
Physicians must send record copies directly to another individual when requested in writing by the patient. This request must be signed by the patient and clearly identify the designated person and their address.
Individuals will now be able to request electronic copies of their PHI that is maintained in an electronic health record (EHR) or other electronic designated record set. Covered entities must provide an electronic, “machine readable copy” accommodating individual requests for specific formats, if possible. Physicians may charge a reasonable fee that complies with state law.
3. Disclosures About a Decedent to Family Members and Others Involved in Care
Physicians may disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent, unless inconsistent with any prior expressed preference of the individual.
4. Disclosures of Student Immunization to Schools
Physicians may provide school immunization records with the assent of a parent, guardian, or person acting in loco parentis as long as this agreement is documented and complies with state law.
Authorizations are required for treatment or other communications, if the physician receives financial remuneration from the third party of that product or service. Exceptions exist for subsidized refill reminders or communications about a currently prescribed drug or biological, as well as certain face-to-face communications or gifts of nominal value.
6. Sale of PHI
A physician must obtain an authorization before receiving direct or indirect remuneration in exchange for the sale of PHI, except for certain activities related to public health activities, research, treatment, the sale or other business consolidation or record copy fees.
The Privacy Rule permitted physicians to use or disclose certain PHI to a business associate or related foundation for fundraising purposes without an individual’s authorization, as long as an opt-out was provided (e.g., a toll-free number or email address). Once the individual opts out, physicians cannot provide further fundraising communications described in the opt-out.
Conditional and unconditional authorizations for research are permitted, if they differentiate between the two activities and allow for an opt-in of unconditional research activities, such as data repositories and tissue. Future research studies may now be part of a properly executed authorization, except for psychotherapy notes, which may be combined only with another authorization for their use or disclosure.
9. Right to Request a Restriction of Uses and Disclosures
Individuals may now restrict certain disclosures of PHI to a health plan where the individual, family member or other person pays out of pocket in full for the healthcare item or service, noting the restriction in the medical record. Physicians can submit restricted information for required Medicare and Medicaid audits.
10. Modifications to the Breach Notification Rule
Physicians must report breaches of unsecured electronic PHI to individuals and HHS, along with the media, if more than 500 individuals are affected. Harm is no longer a consideration in defining a breach. If more than 10 notifications to individuals are returned as undeliverable, substitute notice must be provided “as soon as reasonably possible” within the required 60-day notification period. Physicians do not need to pay the cost of any media broadcasts. Reports are valid even if the media fails to publish the breach; however, posting a general press release on a website is insufficient.
Sarah Swank is a principal in Ober Kaler’s Health Law Group. Ms. Swank can be reached at email@example.com.