2013 HIPAA Modifications

The federal Department of Health and Human Services announced the final rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the HITECH Act of 2009.

One of the hot topics in HIPAA right now is what constitutes a breach of information. In this day and age of technology, a stolen laptop or tablet could give someone an incredible amount of information at their fingertips. Under the proposed rule, an incident would not be considered a breach of information unless there was a significant risk of harm to the individual. “Section 13400(1)(A) of the Act defines “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.””

The rule also states that patient information cannot be sold, or used for marketing or fundraising, without permission from the patient. These new rules will go into effect on March 26, 2013. There is a 6 month period to get used to the amendments, but healthcare providers (and any entity associated with healthcare) must comply by September 2013.

Prior to 2013, the HIPAA Privacy Rule applied to deceased individuals as well as living ones. The amendment will exclude any health information of a person who has been deceased for more than 50 years.

Unless an exception applies, an impermissible use or disclosure of PHI (protected health information) is presumed to be a “breach”. A risk assessment should be done in each case of possible breach. The risk assessment should include at least the following 4 factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure of PHI was made; (3) whether the PHI was actually viewed or acquired or, alternatively, whether only the opportunity existed for the information to be viewed or acquired; and (4) the extent to which the risk to the PHI has been mitigated.

Healthcare entities will be held liable; the maximum penalty for each individual breach of patient information is 1.5 million dollars. Healthcare providers need to be taking extra steps to avoid the breach of patient information. One of the biggest things they can do is to encrypt data. It is also very important that the devices used to pull up patient records are secure.

Extensive reading on this amendment can be found here.

Patients have new rights under the 2013 HIPAA modifications as well. “The Privacy Rule currently requires covered entities to permit individuals to request that a covered entity restrict uses or disclosures of their PHI for treatment, payment, and health care operations purposes.” Patients now have the right to pay for any treatment out of their own pocket, and if they request it, healthcare entities cannot submit claims for that particular service.

Patients currently have the right to a copy of their own PHI. Under the new amendment, patients will now have full rights to an electronic version of their PHI (if it is readily producible in that form).

Further reading http://www.pwwemslaw.com/content.aspx?id=589
