Effective September 23, 2013, your practice (whether hospital-based or private) is now required to have adopted changes to your current Health Insurance Portability and Accountability Act (HIPAA) policies and procedures. The required changes, when reviewed objectively, are arguably geared to follow the trend of moving to a patient-centered, transparent healthcare delivery system. The purpose of this article is to highlight the most relevant requirements for practitioners, and to serve as a checklist of compliance. We will also briefly discuss the ramifications of noncompliance.
Before delving further, be advised that the required changes for many practices are far from onerous; however, compliance may easily be confirmed and noncompliance putatively punished.
The most overt change to the HIPAA rules is the requirement that each and every “Notice of Privacy Practices” nationwide be updated to include several new concepts that notify patients of how their protected health information may be used. The Notice of Privacy Practices is already a required document for every “covered entity,” which is inclusive of physician practices (whether hospital-based or private). The Notice of Privacy Practices details how a practitioner or practice may use or disclose protected health information, including disclosures for treatment, payment, and operation purposes, as well as disclosures to the patient and third parties, such as the government. The Final Omnibus Rule, published in January 2013 and effective September 23, 2013, requires the addition of several concepts to every Notice of Privacy Practices. The changes may not appear significant or even relevant to your practice, but as will be discussed below, noncompliance may result in significant liability and an unnecessary and inconvenient administrative process. Operating under the presumption that your practice’s Notice of Privacy Practices complies with previous requirements of delineated uses and disclosures mandated for such a policy, the following topics are now required for inclusion: (1) marketing; (2) sale; (3) fundraising; and (4) psychotherapy notes, and each of these shall be addressed in turn.
The 4 Topics for Notice of Privacy Practices
Every Notice of Privacy Practices must have a provision explaining that the medical practice is required to obtain an authorization for any use or disclosure of protected health information for marketing purposes, except if the communication is: (1) face to face; or (2) a promotional gift of nominal value. The Omnibus Rule explains marketing to mean a communication about: (1) a product or service that encourages recipients of the communication to purchase or use the product or service (except refill reminders or other communications about drugs or prescriptions the patient is on) where the covered entity, in exchange for making the communication, is reasonably related to the practitioner’s cost of making the communication; and (2) treatment purposes, case management, or care. In addition, if the marketing involves financial remuneration to the practitioner from a third party, the subsequent authorization must disclose that such remuneration is involved.
Notice of Privacy Practices must have a provision that the practitioner must obtain an authorization should the practitioner sell patient-protected health information and gain from such a sale. Under the new HIPAA rules, a practitioner may sell patient-protected health information without getting authorization if that information is used for research, and the only remuneration is a reasonable cost-based fee to cover the cost to prepare and transmit, and where transmitted for the sale, transfer, merger, or consolidation of all or part of the practice and for related due diligence.
Notice of Privacy Practices must contain a provision addressing that patient-protected health information may be used or disclosed for fundraising, and that during each fundraising communication the patient shall have an opportunity to opt out of future requests.
Notice of Privacy Practices must have a statement regarding the use and disclosure of psychotherapy notes, regardless of whether you the practitioner are creating such notes or you are a practitioner practicing psychotherapy. Every practitioner in any active practice is required to incorporate statutorily mandated language addressing permitted uses without additional authorization of psychotherapy notes, as any patient may have such notes transferred to any practitioner as part of their medical record.
It is important to understand each of these required inclusions in your Notice of Privacy Practices, because each requirement may trigger an additional obligation for a separate authorization prior to the use of patient-protected health information for a particular purpose.
Once your Notice of Privacy Practices has been updated—either through your own efforts or by working with a qualified healthcare attorney or consultant—a crucial step is proper implementation. The updated Notice of Privacy Practices is required to be posted in a clear and prominent location where it is reasonable to expect that patients will be able to view it. The new Notice of Privacy Practices also must be available upon request on or after the effective date of any revision. For practitioners with websites, it is recommended that you post your Notice of Privacy Practices to your website so that patients may access it. It is also advisable to have printed versions available in your waiting room for patient distribution.
Patients are not required to sign your Notice of Privacy Practices, but it is certainly advisable that you require your patients to indicate in the paperwork you distribute that they have had an opportunity to review the Notice of Privacy Practices and that they acknowledge such opportunity or receipt of the notice. Typically, our office incorporates this consent into the document used to confirm appropriate contact points for the patient—ie, whether the practitioner may contact the patient via e-mail and/or phone, and whether the patient authorizes such messages.
For many practitioners, the challenge of the new HIPAA requirements is recognizing an instance where additional protections are necessary for patient-protected health information, because previously such vigilance was not standard practice. That challenge may be best met by not only implementing a modified Notice of Privacy Practices at your office, but by providing education and training to your staff so that they understand the practice’s obligation to identify those instances when an additional authorization may be required, and also know in what form that authorization must be obtained.
The stakes for HIPAA compliance are high, and the likelihood of potential discovery for noncompliance is now even higher. The Office for Civil Rights (OCR), the arm of the federal government responsible for HIPAA oversight, is now required to impose monetary penalties for HIPAA noncompliance; the potential penalties incurred may vary based on the extent of the noncompliance and the intent of any breach. As of September 23, 2013, OCR is also mandated to begin auditing to confirm that practitioners are in compliance. Prior to the new HIPAA rules, OCR would only initiate an inquiry when it received a complaint, minimizing audit exposure for many. Now, OCR is tasked with actively policing HIPAA compliance.
Also disconcerting is that OCR is now authorized to participate in “agency share,” meaning if OCR believes there is an improper procedure taken by the practitioner with regard to HIPAA and suspects that other areas of the practice may not be in compliance, OCR may now refer the practitioner to the Office of Inspector General for Medicare fraud issues, or, potentially, even to the Department of Justice.
The Bottom Line
HIPAA compliance, while previously more of an afterthought requiring little more than basic patient cooperation and certain forms to be maintained on file, should now—with these updated requirements and increased scrutiny by OCR—be considered a major priority. It is imperative for each practitioner nationwide to abide by the new HIPAA rules and to take measures in their practices to conform and to ensure that their employees conform as well. Importantly, while it does mean an additional administrative process, the changes to the HIPAA laws are not overly burdensome, and they begin with a proper Notice of Privacy Practices being implemented correctly and followed accordingly.
This article summarizes the new requirements for Notice of Privacy Practices; however, it does not exhaust HIPAA compliance requirements. To view a free HIPAA webinar discussing the required changes, visit www.practicewebinars.com.
About the Author
Jennifer Kirschenbaum manages Kirschenbaum & Kirschenbaum’s healthcare department, which specializes in representing healthcare practitioners in regulatory compliance, audit defense, licensure, and transactional matters. To discuss your practice’s compliance needs, contact Jennifer at 516-747-6700 x302, or e-mail her at