HIPAA and HITECH

Protecting patient privacy is the most crucial facet of any health care operation. Recent federal legislation has resulted in several major changes to the Health Insurance Portability and Accountability Act (HIPAA) that you, as a health care entity, need to be aware of. These amendments may impact your organization’s operations and obligations.

The federal stimulus bill passed in 2009 addressed some of the outstanding issues that HIPAA did not foresee. The HITECH (Health Information Technology for Economic and Clinical Health) Act regulations consist of three major changes relating to how patient information is exchanged.

Review current and implement new contracts with your business associates.

The HITECH Act's changes to the definition of business associate effectively make them covered entities. Restrictions on how protected health information is gathered, exchanged, and marketed will take effect in 2011. We recommend that you have a designated privacy compliance officer review all contracts with your business associates to ensure that you are not vulnerable to penalties. New contracts establishing how protected information is exchanged may be necessary for entities that were not previously considered business associates.

Be aware of your continuing obligations.

In addition to the requirements set forth by HIPAA and HITECH, you should also stay informed about changes to privacy laws within your state, as you are subject to these as well. HITECH has not only increased the security of information, but also requires additional disclosures in your privacy practices and implements new breach notification requirements.

Know which entities may access protected health information.

Rules regarding accounting of health information disclosure are scheduled to change in January 2011. These changes will no longer exempt you from keeping a record when protected health information is used for treatment, payment, or healthcare operations. You will now be required to maintain detailed documentation of the release of all protected information and must be able to provide that documentation upon request. Additionally, individuals will have the right to request that their information not be released to specific entities in certain circumstances.

For example, if a health plan requests protected health information for the purposes of making payment, the patient has paid for the service in full, and disclosure is not required by law, the provider must honor the individual's request.

To find out more about what you can do to prepare for upcoming changes to privacy laws, see the following links:
