
O'Sullivan Consulting Group
3637 Medina Road, Suite 320
Medina, OH 44256
330.723.2111
info@osullivanconsult.com
Fax: 330.723.2188

MED Management Monthly

Regulatory

By Charlie Colitre, President, Healthcare Compliance Consultants

More Changes to HIPAA 

New Requirements as a Result of the Stimulus Act

 

As mentioned in the September 2009 article, the American Recovery and Reinvestment Act of 2009 (the Stimulus Act) contains a series of new laws that dramatically expand the privacy and security provisions of HIPAA. Known collectively as the HITECH Act (Health Information Technology and Clinical Health Act), they make significant changes and add requirements to HIPAA that all practices will need to incorporate into their written HIPAA privacy and security policies.

 

Patient Requested Restrictions on Disclosures

 

Under the original HIPAA Privacy Rule, patients could ask a Covered Entity (i.e., a physician practice) to restrict to whom the Covered Entity disclosed their Protected Health Information (PHI). The Covered Entity had the discretion to approve or disapprove the requested restrictions.

 

The HITECH Act changes this slightly. Under the new rules, a Covered Entity is required to comply if the patient requests a restriction on the disclosure of his or her PHI to a health plan and:

  • the disclosure is for payment or health care operations purposes; and
  • the PHI pertains solely to services for which the patient was self-pay.

This change becomes effective on February 17, 2010.

 

Accounting to Patients for Disclosure of Their PHI

 

Under the current HIPAA Privacy Rule, a patient generally has a right to an accounting of disclosures of their PHI, except for disclosures made to carry out Treatment, Payment or Health Care Operations (referred to as TPO). This means that a physician practice must keep a record of all non-TPO disclosures and, when a patient requests it, make available the record of disclosures made during the preceding 6 years.

 

Under the new HITECH HIPAA Privacy Rules, the TPO exception will no longer apply to disclosures, including those for TPO, made through an electronic health record (EHR). The look-back period is reduced to the preceding 3 years for such EHR disclosures.

 

This change becomes effective on January 1, 2014, for EHRs created prior to January 1, 2009, and on January 1, 2011, for EHRs created after January 1, 2009.

 

Two important points to note with this change:

 

  • Practices using EHRs should ensure that their EHR system has the capability to generate a disclosure report for each patient should such a request be made. If yours does not, contact your vendor and discuss this HIPAA requirement now to ensure you are in compliance by the deadlines.
  • This new TPO disclosure rule DOES NOT, in any way, change a provider’s ability to exchange PHI for TPO purposes that are allowed under the original HIPAA Privacy Rule.

This article is not intended to render legal advice of any kind. Practices with specific questions should contact the writer or their healthcare attorney. Future articles will explore other aspects of the HITECH Act.

 

Charles E. Colitre, President, Healthcare Compliance Consultants, PO Box 19164, Akron, OH, 44319. 330.753.6131  complianceconsultants.biz

 
