New HIPAA regs: Proper privacy notices needed
If physicians don’t provide an updated privacy notice as required by new regulations, the government or the state attorney general could accuse them of violating the Health Insurance Portability and Accountability Act (HIPAA).
"If you or your office has a Notice of Privacy Practices that has not been updated since Jan. 25, 2013, you need to update it," says Nicole E. Stratton, JD, an attorney at Foster Swift Collins & Smith in Lansing, MI.
Physicians are required to distribute these new Notices of Privacy Practices only to new patients. "However, many are distributing their new Notices of Privacy Practices to current patients as well, so every patient has the latest information about their privacy rights," says Stratton.
Everything in prior Notices of Privacy Practices is still required, along with these additional items:
- information related to an individual’s right to notification after a breach;
- descriptions of uses and disclosures requiring authorization (such as psychotherapy notes, marketing, and sale of medical information);
- a statement indicating that individuals have a right to restrict certain disclosures of medical information to a health plan where the individual pays for the service entirely out of pocket;
- a statement that individuals have a right to opt out of fundraising communications.
The final regulations made penalties steeper, with the potential of fines of up to $1.5 million for all violations of the same HIPAA requirement or prohibition.
"Additionally, there is no maximum limit on the amount of fines per year. It all depends on how many different kinds of violations are found," says Stratton. (For examples of the notices of privacy practices that must be furnished to patients, go to http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.)