Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

The new HIPAA regulations: Do you know the rules?

Susan Crawford
Policy
April 27, 2013
Share
Tweet
Share

Even stronger controls have just been set out for HIPAA. They come in the final regulations for the Omnibus Health Insurance Portability and Accountability Act, or the HIPAA rule. The new rules became effective March 26. However, medical offices and business associates have until September 23 to comply.

Mostly, the changes affect patient requests and approvals, breach reporting, and business associates. Along with that, the penalties for noncompliance have gone up. And accompanying the penalty increases is a promise from the government to search out violators with a vengeance.

Three somewhat small changes

First are three relatively small changes that just about all offices will encounter.

  •  Patients can now ask for copies of their electronic medical information in electronic format. Also, with both paper and electronic record requests, the office has only 30 days to produce the information. There’s no more 30-day extension for records that are inaccessible or kept off site.
  • When patients pay for services personally and in full, they can require that the office not share information about the treatment with their health plans.
  • The office can give immunization information to a school if the school is required by law to have it and if the parent or guardian gives written permission.

Guilty till proved otherwise

There’s also a change in how to determine when a breach has to be reported to the government. Until now, offices have followed the harm standard, which said a breach was reportable only if it posed a significant risk of harm to the patient’s finances or reputation.

The new regulations turn that around. They say that any loss or inappropriate disclosure of data is presumed to be a breach unless the office (or hospital or business associate) can show there is a low probability the information will be used improperly.

To determine that, the office has to do a documented risk assessment that covers four elements.

  1. The type of information.  Information about sexually transmitted diseases, for example, could harm a patient’s reputation. Credit card numbers and Social Security numbers could be used for identity theft. Risk is high. Yes, there’s been a reportable breach.
  2. The recipient of the information. If the office doesn’t know who has accessed the information, assume there has been a breach. However, if the other person is a HIPAA-covered entity, misuse probability is low and so is the risk.
  3. Whether the data was actually seen or used. Suppose a stolen computer is recovered and forensic analysis shows the data was never accessed. Risk is low. No breach. Another example: suppose a patient’s record is mailed to the wrong person. If the envelope is returned unopened, risk is low. But if it’s returned opened or not returned at all, risk is high, and the office has to assume there has been a breach.
  4. How well the risk has been mitigated.  The mitigating factor might be that the office gets assurance the information won’t be used or disclosed or will be destroyed. That makes the risk low and probably not reportable. However, who that other party is makes a difference. Assurance from a business associate is probably worth relying on; assurance from an unrelated person or company with no obligation to comply with HIPAA is another story.

HIPAA for business associates too

Business associates are now required to comply with HIPAA just as offices are. They have to have safeguards and policies and procedures for keeping data secure. They have to have business associate agreements with their own subcontractors. And they can get hit with penalties if they don’

That’s a logical move, because some of the greatest breaches to date have involved business associates.

The penalties get higher

The penalties for noncompliance have gone up – way up.

The amount depends on the level of negligence. Previously, the limit was $25,000 per violation; now it’s $50,000, with an annual limit of $1.5 million.

And the Office of Civil Rights, which enforces HIPAA, cautions that it’s looking hard for violations and plans to enforce HIPAA “vigorously.”

ADVERTISEMENT

And three final changes

There are also changes that are of less significance to offices but worth noting all the same.

  • There are more restrictions on getting patient authorizations to use personal information for marketing and fundraising. The same also applies to permissions to sell personal information.
  • The process for getting patient authorization to use health data for research is now simpler.
  • Insurance companies cannot use genetic information for coverage and cost determinations. This does not apply, however, to long-term care plans.

The new HIPAA regulations are found in the January 25 issue of the Federal Register.

Susan Crawford is editor, Medical Office Manager.

Prev

Patients are the most important piece of the medical team

April 27, 2013 Kevin 4
…
Next

It’s time to put the vaccine-autism link behind us

April 27, 2013 Kevin 14
…

Tagged as: Primary Care

Post navigation

< Previous Post
Patients are the most important piece of the medical team
Next Post >
It’s time to put the vaccine-autism link behind us

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

More in Policy

  • How locum tenens work helps physicians and APPs reclaim control

    Brian Sutter
  • Why Medicaid cuts should alarm every doctor

    Ilan Shapiro, MD
  • Why physician voices matter in the fight against anti-LGBTQ+ laws

    BJ Ferguson
  • The silent toll of ICE raids on U.S. patient care

    Carlin Lockwood
  • What Adam Smith would say about America’s for-profit health care

    M. Bennet Broner, PhD
  • The lab behind the lens: Equity begins with diagnosis

    Michael Misialek, MD
  • Most Popular

  • Past Week

    • 2 hours to decide my future: How the SOAP residency match traps future doctors

      Nicolette V. S. Sewall, MD, MPH | Education
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
    • When did we start treating our lives like trauma?

      Maureen Gibbons, MD | Physician
    • In a fractured world, Brian Wilson’s message still heals

      Arthur Lazarus, MD, MBA | Physician
    • Why U.S. health care pricing is so confusing—and how to fix it

      Ashish Mandavia, MD | Physician
    • How doctors took back control from hospital executives

      Gene Uzawa Dorio, MD | Physician
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
    • Why shared decision-making in medicine often fails

      M. Bennet Broner, PhD | Conditions
    • My journey from misdiagnosis to living fully with APBD

      Jeff Cooper | Conditions
    • Why we fear being forgotten more than death itself

      Patrick Hudson, MD | Physician
  • Recent Posts

    • Why U.S. health care pricing is so confusing—and how to fix it

      Ashish Mandavia, MD | Physician
    • From survival to sovereignty: What 35 years in the ER taught me about identity, mortality, and redemption

      Kenneth Ro, MD | Physician
    • When doctors forget how to examine: the danger of lost clinical skills

      Mike Stillman, MD | Physician
    • When your dream job becomes a nightmare [PODCAST]

      The Podcast by KevinMD | Podcast
    • Finding healing in narrative medicine: When words replace silence

      Michele Luckenbaugh | Conditions
    • Why coaching is not a substitute for psychotherapy

      Maire Daugharty, MD | Conditions

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

  • Most Popular

  • Past Week

    • 2 hours to decide my future: How the SOAP residency match traps future doctors

      Nicolette V. S. Sewall, MD, MPH | Education
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
    • When did we start treating our lives like trauma?

      Maureen Gibbons, MD | Physician
    • In a fractured world, Brian Wilson’s message still heals

      Arthur Lazarus, MD, MBA | Physician
    • Why U.S. health care pricing is so confusing—and how to fix it

      Ashish Mandavia, MD | Physician
    • How doctors took back control from hospital executives

      Gene Uzawa Dorio, MD | Physician
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
    • Why shared decision-making in medicine often fails

      M. Bennet Broner, PhD | Conditions
    • My journey from misdiagnosis to living fully with APBD

      Jeff Cooper | Conditions
    • Why we fear being forgotten more than death itself

      Patrick Hudson, MD | Physician
  • Recent Posts

    • Why U.S. health care pricing is so confusing—and how to fix it

      Ashish Mandavia, MD | Physician
    • From survival to sovereignty: What 35 years in the ER taught me about identity, mortality, and redemption

      Kenneth Ro, MD | Physician
    • When doctors forget how to examine: the danger of lost clinical skills

      Mike Stillman, MD | Physician
    • When your dream job becomes a nightmare [PODCAST]

      The Podcast by KevinMD | Podcast
    • Finding healing in narrative medicine: When words replace silence

      Michele Luckenbaugh | Conditions
    • Why coaching is not a substitute for psychotherapy

      Maire Daugharty, MD | Conditions

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...