HIPAA gets tougher on physicians

From: American Medical News

New privacy regulations mean practices face more legal scrutiny and higher fines in case of an information breach.

By Jennifer Lubell

Washington: A revised set of federal privacy rules is expected to have a significant impact on the way physicians run their practices.

Revised privacy notices will need to be displayed in prominent areas of doctors’ offices and on practices’ websites. Patients will be able to ask for copies of their electronic health records or restrict the information given to health plans if they self-pay for services. And perhaps most important, practices might be subject to serious fines if any of their business associates cause security breaches.

On Jan. 17, the Dept. of Health and Human Services issued a final omnibus rule to strengthen the patient privacy protections established by the Health Insurance Portability and Accountability Act of 1996. The rules not only expand the individual rights of patients but also tighten federal breach notification requirements under the Health Information Technology for Economic and Clinical Health Act of 2009. The result is that physician practices potentially face more legal scrutiny by the federal government as well as new administrative burdens, said Robert Tennant, senior policy adviser with MGMA-ACMPE, the medical practice management association.

Under the new privacy rules, doctors now must assume the worst-case scenario in the event of a possible privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients. This raised concerns from privacy advocates that practices shouldn’t have the discretion to determine these matters.

The new rules eliminate that standard and replace it with a stricter one. Now any incident involving patient records is assumed to be a breach, and unless a practice conducts a risk assessment that proves a low probability that any protected information was compromised, the breach must be reported. Tennant said the new standard will result in many more official reports of breaches, as well as additional work and costs to physician practices.

A closer look at business associates

HIPAA typically has focused on health care professionals, health plans and other entities that process health insurance claims. But because some of the largest security breaches have involved business associates of plans, doctors and other professionals, HHS said it was extending many of the law’s requirements to these entities, as well as their subcontractors.

For physicians, a business associate may be any firm that handles patient data, such as a storage provider, a shredding company or a benchmarking firm that measures physician performance. With contractors becoming as fully liable as everyone else affected by HIPAA, physicians’ offices are going to take on additional legal responsibilities as well, Tennant said. For example, if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice also is subject to enforcement violations caused by that business associate, he said.

“To make matters even more challenging, there are significant potential fines associated with these violations, upwards of $1 million-plus for particularly egregious cases,” Tennant said.

The days of getting a slap on the wrist for a privacy breach are over, he added. “There’s now the potential that the government will be more aggressive in enforcing this.”

However, Deborah C. Peel, MD, chair of the advocacy group Patient Privacy Rights, said past fines had been too low and that raising them would help strengthen needed patient protections. The new $1.5 million maximum fine per calendar year for violations is still too low for many corporations, “but it’s better than $25,000 a year,” Dr. Peel said.

There may be some relationships with business associates where the increased risk for liability won’t apply, said Patricia Wagner, an attorney at Washington law firm Epstein, Becker & Green PC, who specializes in privacy issues. An example of this is an accreditation agency, which “can’t be an agent of the entity they’re surveying because they’re supposed to be independent.” Still, doctors will need to spend a lot of time examining all of the contracts they have with various business associates to see if any need restructuring to reduce their own liability risk, she said.

Practices with limited time to tackle this could prioritize the relationships they’re most worried about, Wagner said. These may be the ones that handle the most patient health information or the firms the practice isn’t as familiar with.

Although the rules specify Sept. 23 as the compliance date for the new regulations, health care professionals have an extra year to revise existing business associate agreements to become compliant.
