Thursday, 07 February 2013 10:11

If you thought you knew the meaning of HIPAA… well, it’s changed.

In 1996 HIPAA was signed into law by President Clinton.

You’ve probably implemented the forms and procedures to comply with these regulations, and you can now move on to caring for your patients. Right?

HIPAA is a living, breathing organism that changes and grows.

If you haven’t kept up with it over the past several years, then it’s time to take a fresh look at this teenager.

Over the years HIPAA has gone through numerous changes. 

Here is an abbreviated recap of some of its milestones.

  • In 1998 the employer ID was created and added to the rules
  • In 2000 specific electronic transaction and code sets were added and then updated last year
  • Security standards were established in 2003
  • The national provider ID was added in 2008

As I said, it is a living, breathing organism.

Recently it had another growth spurt: on January 25th, Health and Human Services (HHS) published revisions to the privacy, security, enforcement and breach notification rules in the Federal Register. These new rules become effective on March 26th of this year.

Are you ready?  Here are a few highlights of the updated rules.

  • It clarifies an individual’s right to access their PHI (Protected Health Information).  They have the right to ask a provider for a copy of their PHI along with a list of all disclosures the provider has made of this information.  These disclosures would include health plans and other providers in your referral or consulting network.
  • Privacy and security requirements have been extended to the provider’s business associates.
  • The maximum data breach penalties have been raised to $1.5 million per violation.

Let’s dedicate a little more space in this post to talking about data breach, since this is the item that is getting the most attention with the new rules.

A data breach or data exposure is an unauthorized release of a patient’s PHI.  The old rule allowed the provider to assess whether the exposure created a risk of harm to the patient, sometimes called the “harm threshold”.  If there was no risk of harm then the breach did not need to be reported. 

The new rule strengthens this definition. Its focus is no longer on the risk of harm to the patient but on whether there was an unauthorized release of PHI. That leaves very little “wiggle room” for a provider confronted with an exposure.

Since reporting a data breach means informing the patients involved, HHS and perhaps your local media, it can have a detrimental effect on your dental practice. This does not even take into account the penalties that can be levied by the federal government.

I am not an attorney and this post is not intended to provide anyone with legal advice.  It is to alert you to the new HIPAA rules and to suggest you consult your legal counsel for a more informed opinion, particularly if you are confronted with a potential breach.  

I’ll leave you with a couple of quotes from Leon Rodriguez, the Director of the HHS Office of Civil Rights (the HIPAA enforcement arm). He says about the new rules,

“…not only greatly enhances a patient’s rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections.”

And again from Mr. Rodriguez,

“We have moved into an area of more assertive enforcement.”

Taking these new rules seriously would be a right click.


Written by Bill Hockett

Last modified on Thursday, 07 February 2013 11:26