Exclusive: ACR Convergence 2024| Focus Rheums

An official publication of the ACR and the ARP serving rheumatologists and rheumatology professionals

Healthcare Providers Must Get Compliant with HIPAA Privacy Practices

  |  Issue: August 2013  |  

Get HIP to Privacy Concerns

ADVERTISEMENT
SCROLL TO CONTINUE
Steven M. Harris, Esq.
Steven M. Harris, Esq.

In my April 2013 article, “Department of Health and Human Services’ Final Rule Expands HIPAA Obligations, Violation Penalties,” I noted that as part of the recent changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), healthcare providers are required to update their “Notices of Privacy Practices.”

If you are a healthcare provider (e.g., medical practice, physician, hospital) and either do not have a Notice of Privacy Practices or have not updated your Notice of Privacy Practices in 2013, now is the time to get compliant. Failure to have an updated Notice of Privacy Practices by September 23, 2013 is a violation of HIPAA and could result in fines and penalties.

ADVERTISEMENT
SCROLL TO CONTINUE

Background

In January 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued an omnibus final rule (Final Rule) implementing various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule revises HIPAA, and included in that rule are requirements affecting Notices of Privacy Practices.

What is a “Notice of Privacy Practices”?

A Notice of Privacy Practices is a written notice that healthcare providers are required under HIPAA and the HITECH Act to provide to patients that explains the patients’ rights as they relate to their health information and the privacy practices of the healthcare provider. Notices of Privacy Practices are intended to inform patients of their privacy rights, and to encourage patients to have discussions with their healthcare providers about these rights.

What Must Be Included in Notices of Privacy Practices?

Healthcare providers are required to provide patients with a Notice of Privacy Practices that is written in plain language and includes a number of elements.

First, Notices of Privacy Practices must describe how the healthcare provider can use and disclose a patient’s protected health information. A new change imposed by the Final Rule mandates that Notices of Privacy Practices include a description of certain types of uses and disclosures of protected health information that require an authorization. Now, Notices of Privacy Practices must explicitly state that if a healthcare provider will use or disclose a patient’s healthcare information for marketing purposes or in a sales transaction (receipt of remuneration in exchange for patient health information), or if such health information includes psychotherapy notes, then the healthcare provider must first obtain an authorization. Further, the authorization must explicitly acknowledge that remuneration is involved.

Related Articles

    Email & Text in the World of HIPAA

    The world we live in necessitates infor­mation be communicated in a quick and easy manner. This remains true in the healthcare setting. The ability to text or email staff and patients has become a priority for many healthcare entities. However, maintaining patient privacy and confidentiality is essential to ensure we meet compliance standards. Although emailing…

    Up to Date with the HIPAA Privacy Rule

    Throughout a patient’s lifetime, providers are entrusted with their most intimate and personal information, which they expect to be kept private and confidential. Unfortunately, the healthcare system can face serious implications if any part of a patient’s privacy or information is breached. Under the Health Information Portability & Accountability Act (HIPAA) and state laws healthcare…