The final Health Insurance Portability and Accountability Act (HIPAA) rule was announced on January 17, 2013, modifying the original 1996 version. The rule becomes effective on March 26, 2013, with full compliance mandated by September 23, 2013. After that, enforcement will commence.
Under the new rule, patients have new rights to their health information, greater privacy protection and the government has increased ability to enforce the law.
It is time to begin implementing a reporting plan for covered entities and business associates. Such a plan should consider four factors. Those factors to be considered in determining whether a breach must be reported include: (1) the type of protected health information (PHI) involved; (2) who used the PHI or to whom the PHI was disclosed; (3) whether the PHI was viewed or acquired; and (4) whether the risk to the PHI was mitigated, such as through assurances by trusted third parties that the PHI was destroyed.
Some other changes to be aware of are:
• Business associates are liable for HIPAA privacy and security rule requirements.
• A business associate includes subcontractors that create, receive, maintain or transmit PHI on the behalf of a business associate.
• Subcontractors for business associates are bound by the same compliance obligations no matter how far away the services are from the covered entity.
• A breach is any wrongful use or disclosure of PHI unless the covered entity or business associate assures that there was no compromise of the PHI or a small chance that it was.
• Covered entities have to protect the PHI of a decedent for 50 years following the date of death.
• Patients can request a copy of their electronic medical record (EMR) in an electronic form.
• For all practical purposes the sale of a patient’s PHI is prohibited without their authorization.
• Penalties are enhanced for noncompliance depending upon the level of culpability up to the civil monetary cap of $1.5 million per violation.
Navigating the expanded HIPAA rule and making certain that you are in compliance by September 23, 2013 can be a daunting task for small and large healthcare businesses, physicians, dentists and hospitals.
As you face these challenges, it is wise to seek the advice and counsel of a Georgia lawyer who is experienced in all aspects of health care law.
Kevin S. Little has offices conveniently located in Atlanta and Augusta for your convenience. Conferences can be scheduled at either office, to fit your needs. Kevin has two decades of experience of advising business owners, entrepreneurs, professionals, physicians, dentists and other health care providers. In addition to having the highest possible rating for a lawyer by Martindale Hubbell, he is an active member of the American Health Lawyers Association and other health law organizations.
Contact us at our Atlanta office (404) 685-1662 or Augusta (706) 722-7886 to schedule a confidential, no obligation consultation. We would like to help guide you through these changing times.
Other Resources:
WHAT COVERED ENTITIES AND BUSINESS ASSOCIATES NEED TO DO TO PREPARE FOR THE NEW HIPAA/HITECH REQUIREMENTS, News Release, January 17, 2013
Related Blog Posts:
Seven Arrested, Charged with $22 Million Detroit-area Home Health Care Fraud Scheme , Health Care Law Blog, January 25, 2013
How The PPACA Can Affect Your Medical/Dental Practice , Health Care Law Blog, January 19, 2013
*Disclaimer: Thoughts shared here do not constitute legal advice.