Updates to the Health Insurance Portability and Accountability Act (HIPAA) effective March 26, 2013 include a number of provisions that will affect dermatology practices. Practices and other entities affected must be in compliance with the final rule by Sept. 23, 2013.
Among the provisions that affect dermatology practices is one that requires any improper use or disclosure of personal health information to be considered a breach that triggers official notification requirements, unless the organization in question carries out a risk assessment and determines otherwise.
In addition, the final rule:
- Extends the requirements of the privacy and security rules to physicians' business associates and their subcontractors;
- Establishes new limitations on the use of personal health information for marketing and fund-raising purposes;
- Prohibits the sale of a patient's personal health information without specific individual authorization to do so;
- Expands patients' rights to request and receive electronic copies of their personal health information; and
- Broadens patients' ability to restrict, in some instances, disclosure of their personal health information to health insurance plans.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the rules' requirements to protect the privacy and security of health information and must provide patients with certain rights with respect to their health information.
If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that:
- Establishes specifically what the business associate has been engaged to do, and
- Requires the business associate to comply with the rules' requirements to protect the privacy and security of protected health information.
In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA rules. Under the U.S. Department of Health and Human Services (HHS) definition, "business associates" may include health care data-miners and health information technology service providers.
The term "covered entity" under the HIPAA Privacy Rule refers to three specific groups: health plans, health care clearinghouses, and health care providers who transmit health information electronically.
Covered entities under the HIPAA Privacy Rule must comply with the Rule's requirements for safeguarding the privacy of protected health information. Below is a more detailed list of those who fall under the covered entity category under HIPAA. Covered entities can fall into one or more of the following three categories:
*This list is not exhaustive; other vendors may also be affected. "Business associate" refers specifically to a person or organization that conducts business with the covered entity that involves the use or disclosure of individually identifiable health information.
Notice of privacy practices
The rule also requires covered entities to modify and redistribute their individual notice of privacy practices. At the time of this publication, the Department of Health and Human Services (HHS) has not released an updated "Notice of Privacy Practices" that reflects the new Omnibus rule. Please check periodically for the updated Notice of Privacy Practices. Once the form is released, it will be available either on this AAD HIPAA Web page or on the HHS website at www.hhs.gov.
The American Academy of Dermatology is developing resources to help members prepare for compliance by the Sept. 23 deadline. Watch for future communications from the Academy as these resources become available and check this page for updates.