On March 26, 2013, the final rules that implement the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect. These rules directed that all providers and groups must be in compliance by September 23, 2013. That date is right around the corner, and it is imperative to use these last few weeks to properly prepare paperwork and policies. Failure to do so can result in increased fines.
The following are key aspects of the law that providers must be aware of:
Business Associate Agreements
A business associate (BA) is any company that handles PHI, such as vendors and contractors. If no BA agreement exists, then one must be in place by September 23. Any existing BA agreements that were previously considered HIPAA compliant have a one-year extension on revisions, as long as no renewals are done between March 26 and September 23. Any BA agreement that is renewed after September 23 must follow the new laws. BAs are now considered responsible for their subcontractors and must have BA agreements with them.
The ruling gives patients expanded rights when it comes to the privacy and security of their PHI. After September 23, they will be able to request their records in electronic form. They can also request that a provider not disclose any treatments to the health insurance carriers when the patient has paid in full. There are also much stricter rules in place for the use of PHI for marketing and fundraising purposes. The law prohibits selling a patient’s PHI without their consent. September 23 is the deadline for adding and/or revising your practice’s Notice of Privacy Practices (NPP) to reflect these changes. The new changes will also implement the Genetic Information Nondiscrimination Act (GINA) of 2008, which ensures that patients’ genetic health information cannot be used by health insurance carriers for underwriting purposes.
It is vital for every practice to make the following updates before the September 23 deadline:
- Notice of Privacy Practices form
- Business Associate Agreements
- Authorization forms
- Staff training
- HIPAA privacy policies
- HIPAA security policies
- Agreements between BAs and subcontractors
Contact our office if you have any questions concerning your practice and the September 23 HIPAA deadline. We are available to aid in all forms of practice preparation and compliance to avoid the new higher fines of up to $1.5 million per violation that come with the deadline.