While the Health Insurance Portability and Accountability Act (HIPAA) may have been around for some 17 years, it hasn’t stopped making a ruckus. On January 17, 2013, the Department of Health and Human Services issued new privacy regulations. These amendments will be in effect as of March 26, 2013, and by September 23, 2013, significant penalties will apply for non-compliance. According to amednews.com, the changes will have a significant impact on how physicians carry out their current practice, but they could also have a significant impact on how we and our clients conduct business…

If you recall, HIPAA is the federal provision for the protection and use of personal health information (ie, your medical records). In full, it covers the Privacy, Security and Enforcement rules and requires integrity of information, confidentiality and availability. While the full list of modifications can be found on the Office of Federal Register, the following outlines some of the key components that affect physician practices.

The recent modifications to HIPAA:

  • Redefine the terminology business associates, to include contractors of plans, doctors, other professionals and subcontractors; they are now liable for compliance with many of the HIPAA Privacy and Security Rules’ requirements. For example, any contractor who handles patient data (eg, contractors responsible for storage, shredding, benchmarking, etc) can be considered a business associate, and they too are subject to heavy fines associated with violations as outlined in the full list of modifications.
  • Require a revision of notices of privacy practices, to explain any relationships with business associates and their new status; notices are required to be placed in easily accessible areas of the physicians’ office and on the associated website (ie, should the physician/practice have a website). These revised notices will need to be available to all new patients.

While the second bullet may not be directly applicable to us, the redefinition of business associates requires some careful consideration should we and/or our clients work in an environment that involves access to patient-related information. Take the example of a clinical trial, how will the new modifications impact operational processes such as online storage of patient-related information (eg, patient status, patient contact information, etc) and protocols for when patients go missing from the trial? Reading between the lines, it seems that strategies will be needed to ensure HIPAA compliance in such situations.

Annie Kim