Don't get popped by HIPAA

Wednesday, October 17, 2012

GWCC – If you haven't updated your HIPAA policies and procedures lately, it's time to get your ducks in a row, says attorney Denise Fletcher.

That's because the HITECH Act of 2009—which still hasn't been finalized—increases enforcement efforts and penalties when patient health information (PHI) is breached.

"As a DME provider, rarely do you get requests from patients for their medical records," said Fletcher, an attorney with Brown & Fortunato, during her session, "HIPAA: The Silent Compliance Issue." "But, if you don't have policies and procedures in place, you are going to get popped on that."

One big change: HIPAA applies not only to covered entities, like providers, but also to business associates, such as consultants helping you prepare for an audit, Fletcher says.

"As your business associate, the Office of Civil Rights (OCR) can investigate me and I am subject to the same civil and criminal penalties," she said.

Other changes include when the provider has to notify patients of a breach, and the steps to take when that breach happens, Fletcher says.

"Before, you only had to notify the patient if they asked," she said. "Now you have to go to the patient and tell them you messed up."

Fletcher says such notification must be made within a 60-day window in writing. The notification should include, among other things, a description of what happened; the steps the patient must take to protect themselves; and what steps the provider will take to investigate, mitigate and protect against future problems.

It's important to understand that the HITECH Act applies to unsecured data only, Fletcher says.

"The HITECH Act describes unsecured data as not secured through technology and there's a lot of flexibility there," she said. "Encrypt."