May 2013 Almanac


Reimbursement Page By Devon Bernard

More Tips for HIPAA Compliance

Adjust your business practices to comply with changes in patients’ right to privacy and other Omnibus Rule requirements

The Department of Health and Human Services’ (HHS) final Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule went into effect March 26 and has a mandatory compliance date of Sept. 23, 2013. Several changes from the Health Information Technology for Economic and Clinical Health (HITECH) Act to the final Omnibus Rule may have an impact on your current business practices and HIPAA policies and procedures. The changes have been divided into four categories. In the April 2013 issue of the O&P Almanac, the Reimbursement Page covered the first two, business associates and business associate agreements, and breaches and breach notifications. This month, we will cover the final two parts of the rule: patients’ privacy and rights, and compliance and enforcement.

Patients’ Privacy and Rights

The HITECH Act laid some groundwork for granting patients additional protection and rights in how their protected health information (PHI) could be used, disclosed, or accessed, and the Omnibus Rule now immortalizes those protections. The changes to patients’ privacy and rights that may have a direct effect on your facility are outlined here.

First, a patient has a right to request that you don’t disclose his or her PHI or notify an insurance company or third-party biller of treatment he or she is receiving from your facility. If a patient makes this request and pays for the service or item in full, then you are obligated to grant the request and not disclose the PHI.

Second, the sale of PHI for any reason or purpose is now prohibited, unless the patient provides direct authorization of the sale. A sale is defined as receiving any type of remuneration (financial or otherwise, directly or indirectly) for PHI.

Finally, patients have expanded rights in terms of accessing their PHI. A patient has the right to request a copy of his or her PHI in any form. So, if you maintain electronic records and a patient requests an electronic copy of his or her PHI, you must provide an electronic copy. In addition, you must provide a copy of any requested PHI within 30 days; if you cannot provide it within that 30-day timeframe, you may use a one-time 30-day extension. If you are using the 30-day extension, you must provide the patient, in writing, an explanation of the delay.

