HIPAA changes: ‘They are looking for issues’
WASHINGTON – New regulations governing patient privacy go into effect Sept. 23, and industry stakeholders say many HME providers aren’t ready.
In January, the Department of Health and Human Services issued a final rule modifying the Health Insurance Portability & Accountability Act (HIPAA) to increase enforcement efforts and penalties when protected health information is breached.
“It’s no longer a matter of you getting a complaint and mitigating the damage,” said Denise Fletcher Leard, an attorney with Brown & Fortunato. “They are doing audits and looking for issues.”
The biggest change: The rule expands the types of “business associates” that must also comply with it.
“It’s almost everybody who has access to personal health information, with the exception of couriers and Internet service providers,” said Mark Higley, vice president of regulatory affairs for The VGM Group. “They have much more scrutiny over subcontractors that were not previously considered business associates.”
While some breaches of security—like the theft of a laptop containing patient data—are obvious, the new rule extends to other areas of a provider’s business, like marketing practices, says Fletcher Leard.
For example, it’s no longer acceptable to include information about another HME provider in patient mailings.
“If you have a pharmacy that does neb meds and a DME that does nebulizers, the DME could send out information on the pharmacy and vice versa—you can no longer do that,” she said. “It’s one of the things that will get you in more trouble than anything.”
Industry associations have ramped up educational outreach on the rule. VGM, for one, has posted a “HIPAA Compliance Toolkit” to its website.
Information is out there if you use a little due diligence, says Higley.
“Most of the information is available from Google and the Internet,” he said. “Most of it is available for free. Enter Sept. 23, HIPAA.”