Think your health care organization or health plan has health care privacy covered? Think again.
A series of supplemental guidance documents issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handling protected health information (PHI). This work comes on top of bringing their policies and practices into line with OCR’s restatement and update of its HIPAA regulations in the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule), which OCR published January 25, 2013.
Covered Entities generally have been required to comply with most requirements of the Omnibus Final Rule, which restated OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act, since the Omnibus Final Rule took effect on March 26, 2013, and to have updated business associate agreements in place since September 23, 2013. Meanwhile, the Omnibus Final Rule generally has required business associates to have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the modifications implemented in the Omnibus Final Rule.
Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance concerning its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:
- HIPAA Privacy Rule and Sharing Information Related to Mental Health
- Spanish Language Model Notices of Privacy Practices
- CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports
- Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS)
Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:
- HIPAA Privacy Rule: Disclosures for Emergency Preparedness – A Decision Tool
- The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual
- Health Information of Deceased Individuals
- Student Immunizations; and
- Model Notices of Privacy Practices (English).
With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.
When conducting these efforts, Covered Entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and their ongoing compliance and risk management activities. This documentation helps support their ability to demonstrate that their organization maintains the “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation. They also should take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most Covered Entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws and judicial precedent, such as the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data.
For More Information Or Assistance
If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years’ experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include a wide range of other workshops, programs and publications on fraud and other compliance, operational and risk management, and other health industry matters.
Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources including:
- CMS Publishes Tools To Help Providers Understand E-Health Administrative Simplification Tools & Processes
- Federal Health Care Fraud Enforcement Recouped Record $4.3 Billion in FY 2013
- OSHA Hospital Tool Signals OSHA Enforcement Risk
- Health Insurance Provider Fee Reporting Rules Published
- IRS Extends Existing 501(r) Guidance Reliance Period For ACA-Added Hospital Tax-Exemption Requirements
- HHS “Safer Guides” Tool For Safe EHR Implementation Published
- Final CMS Rule To Expand Medicaid Support For Community & Home-Based Care
- Abbott Labs, Sisters of Charity Paying More Than $9M In Two Anti-Kickback Settlements
- APDerm To Pay $150k To Settle 1st HIPAA Breach Rule Charges
- Reminder To Follow Confidentiality, Due Process When Conducting Peer Review & Credentialing
- CMS Gives Providers Facing Fee Schedule Reduction For Unsuccessful EPrescribing Can Request Review Until 2/28
- Update Mileage Reimbursement Policies, Communications For IRS 2014 Mileage Rates
- Doc Sentenced to 15 Years for Health Care Fraud
- DOL Extends Minimum Wage, Overtime Protections To Home Care Workers
- CMS Releases New Eligible Professionals Guide On Stage 2 EHR Incentive Program
- Minimum Wage, Overtime Risks Highlighted By Labor Department Strike Force Targeting Residential Care & Group Homes
- Health Care Fraud Enforcement Packs New Heat
- Quality, Recordkeeping & Unprofessional Conduct Lead Reasons For Medical Board Discipline of Physicians
- Avoiding Post-Holiday Celebration Sexual Harassment & Discrimination Liability
©2014 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.