New HIPAA rules: Make Sure You Are in Compliance Because Your Liability Has Increased
Healthcare providers have until September 23 to put into place internal policies and procedures needed to comply with sweeping changes coming to the Health Insurance Portability and Accountability Act (HIPAA).
In January, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. HHS has made it clear that the September 23 compliance deadline is final. Penalties can range from $100 to $1.5 million depending on the violation.
For primary care and other physicians in private practice, compliance will mean:
- Conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;
- Reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;
- Ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);
- Modifying the practice’s electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;
- Having the ability to send patients their health information in an electronic format;
- Reviewing your contracts with any vendors that have access to your practice’s PHI; and
- Updating your practice’s notice of privacy practices.
Continue reading this HIPAA rules article at Medical Economics.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.