HIPAA: Change is coming

Answers in Practice

Rachna Chaudhari

Rachna Chaudhari is the AAD's practice management manager. Her column offers tips in response to common member questions.


As dermatology practices deal with all of the new regulatory changes in health care — including meaningful use, e-prescribing, the Physician Quality Reporting System (PQRS), ICD-10, and health care reform — it can be surprising to learn that even the regulatory programs that were established several years ago continue to evolve and can change significantly. One such program undergoing noteworthy change is the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services (HHS) released a final rule that requires practices to comply with a variety of new HIPAA provisions by Sept. 23, 2013.

As a dermatologist, you are probably wondering what all of these new provisions mean for your practice. It will be the responsibility of your office staff to begin making all of the necessary updates to applicable HIPAA forms and prepare action items for all of the privacy and security requirements. The following FAQs should help your staff prepare for these changes by September.

What has changed with regard to HIPAA?

The new provisions that HHS released in January 2013 address all of the required changes to HIPAA stemming from the Health Information Technology for Economic and Clinical Health Act (HITECH). This Act was passed by Congress in 2009 to not only provide regulations to safeguard electronic health information but also incentivize physicians to adopt electronic health records (EHR) through the meaningful use program. The main changes to HIPAA that dermatology practices need to be prepared for include:

  • Updated notice of privacy practices form
  • Expanded scope of business associate agreements
  • Changes to breach notification requirements
  • Required patient access to electronic medical records
  • Protecting the privacy of self-pay patients’ medical records
  • Marketing requirements
  • Changes in criminal and monetary penalties for violation of HIPAA

What are the steps I need to take in my practice to comply with these changes?

Step 1: Assign a compliance officer to be in charge of all the required changes if you have not previously done so.

Step 2: Have this compliance officer update your HIPAA policies and procedures manual to address the new changes by Sept. 23, 2013. You can use the Academy’s HIPAA manual as a starting point. If you have an EHR in your office, pay special attention to new policies that will need to be created for electronic protected health information including breach notification requirements, accounting of all disclosures, and the right of patients to access their own electronic medical record within 30 days of their request. Additionally, a new policy will need to be created to address a provision requiring providers to withhold disclosures of protected health information (PHI) to their insurer if a patient requests it and pays for the service completely out of pocket.

Step 3: Begin using your updated notice of privacy practice form for all patients either on or before Sept. 23, 2013. Post a new copy of this form in a visible location in your waiting room. Have all patients sign the updated form even if they are established patients.

Step 4: Have the compliance officer analyze all of your vendors to determine which should be classified as business associates under the revised definition, which includes vendors who have routine access to PHI such as an EHR vendor or server warehouse. Ensure you sign a new business associate agreement in advance of the Sept. 23, 2013 implementation date with each of these vendors as the new HIPAA regulations make business associates directly liable for compliance with the Privacy Rule.

Step 5: Train all clinical and non-clinical staff on the new policies and procedures. If you have an EHR in your office, ensure staff are aware of your breach notification requirements and policies addressing how to protect this information, including how to maintain strong passwords, protect wireless access, and other safeguards.

How should I comply with the provision requiring my practice to not disclose health information to the payer if the patient pays in full? I don’t want to create two separate medical charts for these types of instances.

A new provision in the HIPAA rule requires that practices not disclose a patient’s medical record to their insurer if the patient pays for the service completely out of pocket and requests this confidentiality. If you do not have an EHR in your practice, you will have to create a log or system that keeps track of these requests and ensure staff are trained to not inadvertently disclose the medical chart containing the confidential information to the insurer. If you have an EHR, speak with your vendor to determine how to flag the confidential information in the medical record and protect it from being disclosed to the insurer. You should also train your front desk staff to identify patients who could potentially ask for this restriction (such as those who do not provide insurance information when making their appointment). Additionally, revise your financial policy form to include this information and always have your patients pay their full charge up front.

Are small practices being audited? What can I do to mitigate this risk?

Small practices have been audited for HIPAA violations and paid steep fines for their non-compliance. The new rule sets forth a fines structure where practices would pay, based on the degree of their willful neglect, up to $250,000 per violation and face imprisonment for up to 10 years. Your compliance officer should stay abreast of changes and train staff yearly on safeguarding PHI. Your practice should also perform self-audits to catch any potential problems and pay special attention to how your staff are interacting on social networking sites. As these sites have gained in popularity, HIPAA violations related to them have increased, as staff may not be aware that they should not be posting PHI.

What resources can I use to help me with these steps?

The Academy has developed a new HIPAA manual titled “A Guide to HIPAA and HITECH for Dermatology.” This manual contains a model business associate agreement, model notice of privacy practice form, breach notification requirements, and other guidelines, tools, and worksheets explaining all of the new HIPAA regulations. You can order the manual by calling the AAD’s Member Resource Center at (866) 503-SKIN (7546).

The Academy has also developed a series of educational recordings on HIPAA focused on the new regulations as well as the privacy and security requirements. These recordings are available at www.aad.org/webinars.

You can also visit the Academy’s HIPAA Web page at www.aad.org/hipaa to learn more about the new regulations and any upcoming changes.