Everyone old enough to remember will recall Y2K – the year our world was supposed to end in a catastrophic transition from December 31, 1999 to January 1, 2000. Instead, since we are still here, we all recall what happened – nothing.
September 23, 2013 was the day when the new HIPAA regulations for Covered Entities came into effect. Despite all the whining and predictions of disaster, we all continue to exist and the world did not end. What happened? A lot has happened.
The regulations gave all Covered Entities 180 days to comply with the new HIPAA requirements, which impose new and significant obligations on Covered Entities to revise their HIPAA policies. Covered Entities should have updated their HIPAA compliance policies and procedures, their notices of privacy practices and their business associate agreements for protecting sensitive health information from disclosure.
The key areas to change included:
Patients’ Authorizations or Restrictions on PHI disclosures: Covered Entities have to: (1) honor patients’ requests to restrict disclosure of PHI to a health insurance plan when a patient pays for the service out-of-pocket; (2) obtain patient approval to sell the patient’s PHI which includes direct or indirect payments from other parties for PHI; (3) obtain patient authorization to cover all treatment and healthcare communications where the Covered Entity may obtain money from a third party (e.g. drug or device company) and (3) permit patients to obtain an electronic record of their PHI.
Breach Notification: Covered Entities have to notify patients of a breach of their PHI, including an impermissible use or disclosure of PHI (unless the Covered Entity demonstrates there is a low-risk that PHI was compromised).
Fundraising Notices: Covered Entities have to give patients an opportunity to opt out of receiving fundraising notices.
Training: Covered Entities should have updated their HIPAA training programs.
Notice of Privacy Practices have to be updated and redistributed to reflect the changes to privacy and security practices. The NPP has to explain to patients that: they will be notified if their PHI is subject to a breach; they may opt out of fundraising communications; their PHI may be communicated to a health plan; any uses and disclosures beyond those described in the NPP require patient authorization, including any “sale of PHI”.
Covered Entities must make the NPP available upon request, distribute the modified notice to new patients, and display the NPP at the office, including the website.
Finally, with respect to Business Associate Agreements, Covered Entities were required to review all of their relationships with vendors to ensure compliance with new regulations. Each vendor who creates receives, maintains or transmits PHI must have a BAA in effect.
The Covered Entity has until September 22, 2014 to amend BAAs entered into prior to January 25, 2013. Updated BAAs must include provisions requiring the Business Associate to share responsibility for breach notifications and the protection of PHI. The BAA also must require the obligation to secure similar protections from its subcontractors.