MSPs Listen Up – You Are A Business Associate!
Stuart R. Crawford / Stuart Crawford
It’s Important For You To Understand and Comply With the New HIPAA Regulations
On March 26, 2013, HIPAA (the U.S. Health Insurance Portability and Accountability Act) established even stronger rules for health care organizations, medical clinics and companies who do business with them. These entities have until September 23, 2013, to comply with the new rules. The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
It’s important to know that any violation of the new HIPAA rules could result in the U.S. government investigating and penalizing your business more severely than ever.
Three Small But Important Changes That You Need To Know
- Patients who choose to pay for services personally and in full can request that their treatment and medical information be kept private.
- Patients can ask for copies of their medical record and receive it in electronic format. Your office will have only 30 days to produce these electronic or paper records if requested. The old ruling allowing 30-day extensions for inaccessible records will no longer apply.
- If a school is required by law to keep immunization records, and a parent or guardian gives written permission to release them to the school, you can provide these records to the school.
You’ll Be Guilty Until Proven Innocent
Another important change is how patient-privacy breaches must be reported to the government. Previously, offices had followed ‘the harm standard’ which states that a breach is only reportable if it posed a significant harm or risk to the patient’s reputation and/or finances. However, the new regulations state that any inappropriate disclosure or loss of data will be considered a breach unless the office (or business associate/hospital) can prove that there’s a low chance of the information being used improperly. To determine if the information will be used improperly, the office must do a documented risk assessment that includes four elements:
1. The recipient of information. It will be assumed that a breach has occurred if the office doesn’t know who accessed the information. However, the risk will be considered low if the other party is a HIPAA-covered entity.
2. The type of information. If social security numbers and credit card numbers are stolen and reveal a patient’s identity; or if information about STDs is stolen, these could harm a patient’s financial security and reputation; therefore the risk would be high.
3. Whether or not the data has been seen or used. It will be assumed that a breach has occurred if a patient’s record was mailed to the wrong person. This is the case if the record was returned opened or if it wasn’t returned. However, if the envelope that contained it was returned unopened, the risk will be considered as low.
4. How well the risk has been mitigated. The goal is to ensure the risk is low and to mitigate any harm to the patient’s reputation and/or finances. An office might do this by getting assurance that the information won’t be disclosed, used or destroyed. However, the identity of the other party will make all the difference. Assurance from a business associate is typically reliable, whereas assurance from an unrelated company or a person, who has no obligation to comply with HIPAA rules, isn’t reliable.
Business Associates Must Also Comply With HIPPA – THIS IS YOU!!! MSPs FALL INTO THIS CATEGORY!
Business associates of healthcare organizations and medical entities are now required to comply with HIPAA. They must have policies, procedures and safeguards in place to keep their data secure. It’s also mandatory that they have signed agreements from their business associates and subcontractors that mandate HIPAA enforcement. If not, they’ll be penalized. This is necessary because some of the worst breaches have involved business associates and subcontractors.
Penalties For HIPAA Non-Compliance Have Increased Dramatically
The previous penalties for noncompliance have increased dramatically, with the penalty amount depending on the level of negligence involved. In the past, violations had a limit of $25,000 per incident; now the limit is $50,000 per incident, with an annual limit of $1.5 million. The Office of Civil Rights has warned that it will be looking more diligently for violations and will be enforcing HIPAA “vigorously.”
The Last Three Changes
The following changes are less significant, but are still worth noting:
- It will now be easier to get patient authorization to use their personal health information for research purposes.
- Insurance companies will not be able to use a patient’s genetic information to determine cost and coverage limitations for their plans; however, this won’t apply to long-term care plans.
- There will be more restrictions on securing patient authorization to use their personal health information for fundraising, marketing and sales purposes.
For more information these new regulations can be found in the January 25, 2013, issue of the Federal Register.
Do you have a marketing strategy to address the growing need for competent IT services in the healthcare market. Ulistic offers a turn key and fully managed healthcare marketing program. Contact us today at 716.799.1999 ext 102 to learn more.