HIPAA Final Rule to take effect on September 23! Are you ready?





/* Style Definitions */
{mso-style-name:”Table Normal”;
mso-padding-alt:0in 5.4pt 0in 5.4pt;

September 23rd is Fast Approaching – Are You Ready?


In the August webinar we discussed the significance of September 23, 2013. In case you missed it here is a brief synopsis.

1.      The Federal government published the HIPAA/ HITECH Final Omnibus Rule on January 25, 2013.

2.      The Final Rule gives much clarity to some ambiguity in the previous versions of these two important pieces of legislation.

3.      Expanded definition of Business Associates includes non-workforce of a Covered Entity (that’s you and your dental organization) who are authorized by you to use and disclose Protected Health Information (PHI).

4.      All Business Associates are bound by many provisions of the Privacy and Security Rule in that they are required to have Administrative, Physical and Technical safeguards to protect PHI while it is within their control. What this means (basically) is that they have to have up-to-date virus protection on their computers, password protections and encryption (where appropriate), data backup and they must complete annual risk assessments just like you.

5.      Next, Covered Entities need to ensure they have updated Business Associate agreements in place. The B.A. agreement must outline that the Business Associate comply with HIPAA security requirements, each party’s role in the event of a breach, and that they (and any down line subcontractors they use who have access to your patients’ PHI) notify you in the event of a breach.

6.      Pay close attention to this. If a Covered Entity and Business Associate had a Business Associate agreement in place prior to January 25, 2013 then they have until September 22, 2014 to secure an updated agreement between them. If no B.A. agreement was in place then the deadline is September 23, 2013. Following our webinar we sent a Quick-Start Business Associate Compliance Kit by e-mail to everyone who was registered for the webinar. We will be e-mailing this to our Compliance Advantage Program clients. Use these tools to ensure you are up-to-date.

7.      A breach is any unauthorized access (disclosure) of PHI

8.      Under the Final Rule a Covered Entity is expected to evaluate every breach. From now on it assumed that every breach is a reportable breach until the Covered Entity completes a risk assessment of the breach and then determines it was insignificant or not a breach.

·         Covered Entities can no long sweep breaches under the rug dismissively or the consequences for doing so are far greater than the actual breach and subsequent damages that may occur as a result.

9.      The Required Risk Assessment must address these four factors:

1)     Nature And Extent Of PHI Involved

2)     The Unauthorized Person Who Used The PHI Or To Whom The Disclosure Was Made

3)     Whether The PHI Actually Was Acquired Or Viewed

4)     The Extent To Which The Risk To The PHI Has Been Mitigated

10. Remember our mantra, “If it’s not written it didn’t happen.”

11. Keep your HIPAA breach paperwork together. There is a reporting requirement.

12. Covered Entities and Business Associates are required to notify (in writing) the federal Health and Services – Office for Civil Rights (OCR) within 60 days of the following year of all reportable (significant) breaches that occurred in your practice. This requirement is for breaches involving fewer than 500 patients’ PHI.

13. In the event of a major breach, rather, a breach involving 500 or more people, Covered Entities and Business Associates have 60 days from the ‘discovery’ of the breach to notify not only HHS-OCR, but also the major television and print media outlets in your locale. Every major breach will have it’s day in the news, whether at the time you report or the time you get busted for not reporting it. Neither is desirable, but it is what it is.

14. Your Notice of Privacy Practices must include information to notify your patients of your responsibility to notify them in the event their PHI is affected by a breach. We have implemented this into the Notice of Privacy Practices for all of our Compliance Advantage Program clients, but do double-check our work, as this requirement must be completed by September 23, 2013.

15. As wish HB 300, the Final Rule requires a written authorization signed by the patient to use their information for ANY purpose outside of Treatment, Payment, or Operational reasons. For example, you refer your patient to a specialist you would not need a signed authorization to send the patient’s record to the specialist. Now, if a patient goes for a second opinion (outside of a referral), they change dentists or what have you and they want their records transferred to a different dentist then you would need a written authorization signed by the patient before you send any information to the new provider.

16. The significance of September 23, 2013 is that this is the date that enforcement will begin. Covered Entities, their Business Associates and subcontractors, are required to be in compliance with these latest changes.

17. Some way, some how it appears the OCR will be auditing Covered Entities and Business Associates. Imagine OCR locusts swarming your town in search of violations. Relax, it is not going to happen. The federal government has indicated they will be auditing these groups. However, like most other government functions, many of the violations that Covered Entities and Business Associates will get busted for will be in response to complaints. Health and Human Services has indicated their overall intent when they catch someone out of compliance will be to ensure they actors are brought into compliance and then they will determine how much to fine you. Now that is not to say you should not take this seriously. You had better take this very seriously. Imposed fines for mistakes can cost you from $100 to $10,000. Willful neglect (that would be the dumb things people ‘ought’ to know not to do) will cost $10,000 to “at least $50,000” with an ANNUAL cap of $1.5 million (yes, this includes small providers).

Let us know if you need assistance with any of this. We understand it can be confusing. The worse thing you can do with regard to compliance is an intentional violation. The next worse thing you can do is nothing.

Do something. Stay connected. Pick up your phone and call us if you have questions. That’s why we are here!