Medesthetics

MAY-JUN 2013

MedEsthetics magazine offers business education and in-depth coverage of the latest noninvasive cosmetic procedures for physicians and practice managers working in the medical aesthetics industry.

Issue link: https://medesthetics.epubxp.com/i/123304

LEGAL ISSUES | By Padraic B. Deighan, JD, PhD

Patient Privacy Rules Strengthened

Recent changes to the Health Insurance Portability and Accountability Act (HIPAA) increase liability for practice owners and their business associates, and may allow for more federal investigations of apparent violations.

The new rules strengthen the privacy and breach notification rules currently in place under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and also broaden the definition of marketing as it relates to patient communications and the sharing of protected health information (PHI).

The Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS, hhs.gov) released the final omnibus rule on January 17, 2013. It became effective on March 26, 2013. Covered entities and business associates will need to comply with the new regulations by September 23, 2013. These provisions apply to all medical practices. An extension of applicability is possible, but it is prudent to plan compliance according to the effective date. Following is a summary of the new regulations.

Business Associate Liability Increased. Business associates are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Examples would include impermissible uses and disclosures, failure to provide breach notification to the covered entity, failure to provide access to a copy of PHI to either the medical practice or the patient, failure to disclose PHI where required by the Secretary of the HHS to investigate or determine the business associate's compliance with the HIPAA Rules, failure to provide an accounting of disclosures and failure to comply with the requirements of the Security Rule.

Definition of Business Associate Expanded. The definition of "business associate" now includes subcontractors of business associates. Any individual or entity that "creates, receives, maintains or transmits" protected health information on behalf of a covered medical practice, as well as data-transmission services that require routine access to protected health information, are now included as business associates.

Thresholds for Federal Investigations Lowered. Under the new rules, the Department of Health and Human Services is required (there is no discretion) to conduct compliance reviews when "a preliminary review of the facts" suggests a violation due to willful neglect. Any reported breach that suggests willful neglect would then appear to require HHS follow-up. The agency reports that it already receives an average of 19,000 notifications per year under

Image caption: HIPAA's new omnibus rule expands the definition of marketing and the liability for breaches. (Photo: © iStockphoto.com)
