Privacy
HIPAA included specific requirements to protect patient privacy. H.R. 1, the American Recovery and Reinvestment Act (ARRA) of 2009, adds new requirements and amends others. What we have, in essence, is the "new" HIPAA. Under the ARRA, a covered entity or a business associate of the covered entity must notify the individuals affected by a privacy breach without unreasonable delay, and in no case later than 60 days after the breach is discovered. The ARRA spells out what these notifications must contain. If the breach involves more than 500 residents of a state, prominent media outlets serving that state must also be notified. If the breach occurs at a business associate of the covered entity, the business associate is required to notify the covered entity. The legislation defines what constitutes a breach and carves out a few inadvertent, good-faith disclosures that do not count as one.
Organizations that transmit protected health information (PHI) on behalf of covered entities, such as e-prescribing gateways, are required to enter into a written contract with the covered entity. The same holds true for any vendor that contracts with a covered entity so the covered entity can offer patients a personal health record as part of an electronic health record. What we see here is that the HIPAA privacy and security requirements now apply to a business associate as if it were the covered entity. Business associates can be held directly responsible for privacy breaches and are subject to monetary penalties, which, to a degree, provides some relief for covered entities. Under the "old" HIPAA, covered entities carried all the exposure. This is a significant change.
Where the HIPAA privacy provisions were amended, the secretary of Health and Human Services will go through the rulemaking process to address implementation of those amendments. The secretary will also issue annual guidance on the appropriate technical safeguards for meeting the security standards. The effective date for the privacy provisions is Feb. 17, 2010.
There is another new wrinkle with privacy. Patients who pay for a prescription out of pocket, in full, can request that it not be disclosed to their health plan. If that is what the patient decides, pharmacy owners must take extra precautions so those transactions stay in the pharmacy. Also, a patient can request an accounting of disclosures.
There are also terms that cover disclosure for treatment and reimbursement. I suggest that you Google and download a copy of H.R. 1 and go to the section that covers the privacy and security provisions. There is no substitute for reading the legislation yourself. Don't depend on what someone tells you, since the fines for a breach of privacy are now higher than they were under the original HIPAA. And the legislation allows state attorneys general to enforce HIPAA.
My other advice is to reassess your security policies and procedures. A risk assessment, as defined in HIPAA, must be updated on a periodic basis, and now is as good a time as any to do it. Keep in mind that security measures are what protect privacy. In addition, be sure your staff fully understands the importance of protecting patient privacy. CT
Bill Lockwood, Chairman/Publisher