Second Quarter 2009
HIPAA: Round Two
As part of the recently enacted federal stimulus package, a number of aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were amended. The most significant change was to expand sanctions to business associates for noncompliance. Penalties for failing to comply with HIPAA were also substantially increased, and the prospect of requiring some form of encryption for medical records in some practices appears to have increased significantly. The Secretary of Health and Human Services is directed to work with stakeholders over the next 18 months to develop standards.
Also added are breach notification requirements that will overlay the current patchwork of state patient notification laws. The notification requirement rests with the covered entity even if the breach involves protected health information entrusted to a business associate. The media must be notified of breaches involving 500 or more patients. All breaches must be reported to the Secretary of Health and Human Services, who will maintain a log and post a list of breaches involving 500 or more individuals.
For practitioners who have been covered entities since HIPAA was first enacted, life will not change dramatically. Practitioners may find that third parties with whom they share protected health information (PHI) become more scrupulous in complying with requirements. This would be the salutary effect of increasing potential fines and extending the penalties to business associates.
While a number of significant fines have been assessed for failure to comply with HIPAA, they have generally been directed at larger entities in cases involving significant breakdowns. For example, earlier this year, CVS, the nation’s largest retail pharmacy chain, agreed to pay the government $2.25 million and to take corrective actions following an investigation by the Office for Civil Rights. The investigation revealed that many of CVS’s more than 6,000 retail pharmacies violated the HIPAA Privacy Rule by throwing pill bottles bearing patient information into dumpsters that could be accessed by the public.
Practitioners should ensure that HIPAA training and processes are in place. With the overlay of new requirements and any turnover in staff, it is a good time to ensure that your practice is still complying with HIPAA as effectively as when it was first promulgated more than five years ago. HIPAA has been and will likely remain a significant component of the practice of medicine.
If you have questions about HIPAA, please contact our Patient Safety Department at (800) 421-2368, extension 1243.
The Doctor’s Advocate is published by The Doctors Company to advise and inform its members about loss prevention and insurance issues.
The guidelines suggested in this newsletter are not rules, do not constitute legal advice, and do not ensure a successful outcome. They attempt to define principles of practice for providing appropriate care. The principles are not inclusive of all proper methods of care nor exclusive of other methods reasonably directed at obtaining the same results.
The ultimate decision regarding the appropriateness of any treatment must be made by each health care provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.
The Doctor’s Advocate is published quarterly by Corporate Communications, The Doctors Company. Letters and articles, to be edited and published at the editor’s discretion, are welcome. The views expressed are those of the letter writer and do not necessarily reflect the opinion or official policy of The Doctors Company. Please sign your letters, and address them to the editor.















