Have What It Needs To Be In Compliance
The New HIPAA Omnibus Rule by Karson L. Carpenter, D.D.S.
The Omnibus Final Rule was released by the Department of Health and Human Services on January 17, 2013. It was designed to strengthen the privacy and security protections offered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This rule enhances patientâ€™s privacy protections, provides individuals new rights to their health information, and strengthens the governmentâ€™s ability to enforce the law. Here is a summary of this, the latest amendment to the HIPAA regulations. All covered entities must be in compliance with its provisions as of September 23, 2013. 2 Dental Explorer | First Quar ter 2014
Office Compliance 1. Notice of Privacy Practices (NPP) • Doctors/Offices must amend their NPPs to reflect the changes set forth below; Notice of Privacy has to be made available upon request on or after September 23, 2013 to any patient requesting a copy. Additionally, the revised Notice of Privacy has to be posted on the office website, if applicable, and in a prominent location on its premises. New patients who receive treatment for the first time after the modification should be provided a copy of the revised Notice of Privacy. Providers should retain copies of previous versions of the Notice of Privacy as well as any written acknowledgements by patients of receipt of Notice of Privacy. 2. Downstream Responsibility for Business Associates • Providers are not required to enter into Business Associate Agreement with all downstream contractors. They must sign a Business Associate Agreement with the entity with which they do business directly. Providers’ Business Associates are then required to get written “satisfactory assurances” from each of their immediate subcontractors. In the event of a breach, all “downstream contractors” are required to report up the chain to providers. • Business Associates and their subcontractors will need to implement a HIPAA Privacy and Security program if they do not have one. • Business Associates are not permitted to use or disclose Protected Health Information if it would be a HIPAA Privacy Rule violation for a Covered Entity to do so. All disclosures must be in accordance with the Business
Associate Agreement. • Even if a Business Associate Agreement is not yet in place, liability begins immediately when a person “creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity. • Business Associates are liable under HITECH for uses and disclosure that violate the HIPAA Privacy Rule or are in breach of the Business Associate contract. Business Associates are now directly liable under the HIPAA Rules for (1) impermissible uses and disclosures; (2) failure to provide breach notification to the Covered Entity; (3) failure to provide access to Electronic Protected Health Information to either the individual or the Covered Entity; (4) failure to provide requested Protected Health Information to HHS; (5) failure to provide an accounting of disclosures and; (6) not complying with the HIPAA Security Rule. • Business Associates and their subcontractors are now subject to criminal and civil sanctions for HIPAA violations to the same extent as Covered Entities. • Business Associates are required to have Business Associate Agreements with their subcontractors that access or use Protected Health Information on their behalf, and to monitor these Business Associate Agreements. 3. Individual Rights • At the patient’s request, providers may not disclose information about care the patient has paid for out-of-pocket to health plans, unless for treatment purposes or in the rare event the disclosure is required by law. This change updates the
previous HIPAA Privacy Rule governing patient requests for restrictions on the use or disclosure of their PHI • The Omnibus Rule expands this requirement so that it applies to Personal Health Information (PHI) maintained electronically in one or more designated record sets. Access to such PHI must be provided by the covered entity in the electronic form and format requested by the individual (if readily producible) or (if not readily producible) in a readable electronic form and format as agreed to by the covered entity and the individual. If no agreement can be reached as to electronic format, the covered entity must provide a hard copy of the information. 4. Marketing Communications • The new rules limit when health care providers can provide marketing communications to their patients without written authorization. The only time a health care provider may tell a patient about a third party product or service without the patient’s written authorization is when; (1) the provider receives no compensation for the communication; (2) the communication is face-to-face; (3) the communication is regarding a drug or biologic the patient has been prescribed and the cost is only a “reasonable” amount for the
Dental Explorer | First Quar ter 2014
Office Compliance communication costs; (4) it is a general communication rather than the promotion of a specific product or service; (5) the communication involves a government sponsored program. 5. Emailing of Protected Health Information • The new rule clarifies that health care providers must send PHI via secure encrypted email systems. Unencrypted emails may only be sent if they are sent to the individual patient, they are advised of the risk of unencrypted emails, and they still request that form of transmission. 6. Charges for Copies of e-PHI or PHI • The new rules have modified the charges that may be made to individuals for their PHI to include labor costs and materials cost (paper, USB stick, CD, DVD, etc.). The only exception would be if state law in a particular state sets a lower cost. 7. Breach Notification • The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the new rules. Breaches are now presumed reportable unless, after completing a risk analysis applying four factors, it is determined, that there is a “low probability of PHI compromise.” • To determine if the risk is sufficiently low, the following must be taken into account; (1) the nature and extent of the PHI involved—how sensitive was the information and can it be re-identified; (2) the identity of the person who used the PHI and those to whom the disclosure was made—do they have an independent obligation to protect the confidentiality
of the information; (3) whether the PHI was actually acquired or reviewed—need to conduct an analysis; (4) the extent to which the risk has been mitigated—such as by obtaining a confidentiality agreement from the recipient. • The new rule clarifies that there is no need to have an independent entity conduct the risk assessment 8. Childhood Immunizations • Under the new rules, physicians may disclose immunizations to schools required to obtain proof of immunization prior to admitting the student so long as the physicians have and document the patient or patient’s legal representative’s “informal agreement” to the disclosure. 9. Decedents • The new rules allow physicians to make relevant disclosures to the deceased’s family and friends under essentially the same circumstances such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the physician is unaware of any expressed preference to the contrary. The new rule also eliminates any HIPAA protection for PHI 50 years after a patient’s death.
10. Enforcement and Penalties • The new rule clarifies the following penalty tiers; (A) Lowest tier in which the health care provider did not or could not reasonably know of the breach; (B) Intermediate tier in which the health care provider knew, or by exercising reasonable diligence would have known” of the violation, but yet they did not act with willful neglect; (C) Highest tiers, which are cases in which the health care provider “acted with willful neglect” and either corrected the problem within the 30-day period, or failed to make a timely correction. • HHS is required to conduct a formal investigation and impose civil penalties in cases involving willful neglect. Penalties may be as high as 1.5 million dollars per violation.
As business owners who create and maintain protected health information, dentists must comply with all aspects of the HIPAA regulations including the new Omnibus Rule. By doing so you will not only protect your patient’s right to privacy, but protect your practice from the considerable financial penalties that could have devastating consequences for your practice.
Karson L. Carpenter practices dentistry in Farmington Hills, MI and currently serves as President and CEO of Compliance Training Partners. He is a graduate of the University of Michigan School of Dentistry, and since 1987 has designed educational programs to bring dental and medical facilities into compliance with governmental regulations.
4 Dental Explorer | First Quar ter 2014
HPTC Luxel®+ X-ray Monitoring Badges Mail-in Program
HPTC HIPAA Compliance System
HPTC OSHA Compliance & Infection Control Manual
The Health Insurance Portability and Accountability Act (HIPA A), passed by the United States Congress in 1996, requires that all healthcare providers adhere to a specific set of electronic transactions, security and privacy standards. Our HIPA A Compliance System provides every thing your of fice needs so that your employees can carry out the law’s mandates. Complete Program includes: • A comprehensive compliance manual • Online staf f training program • Required documents and forms • Online self evaluation exam • 6 Continuing Education units for 3 individuals af ter exam completion (dental Personnel Only) • Toll free technical support • Laminated Wall Chart • upgrade service (1 year) • Cd of all HIPA A regulations Kit........................................................ 3129HIP Ea $506.12
The comprehensive HPTC OSHA Compliance Program covers all aspects of the OSHA Act. Complete Program includes: • Complete writ ten training manual with required documents • Cd of all applicable OSHA regulations and CDC infection control guidelines • Complete Infection Control Program as outlined by the CDC • TB Compliance Program • Workplace Violence Program • Family and Medical Leave Act Compliance • Sexual Harrassment Policy requirements • Exposure control plan • Hazardous Materials Wall Chart • Comprehensive online training program for doctor and staf f • Compliance labelling package • Chemical MSDS • 6 CEU’s for 3 Individuals.
Experts agree that there is no safe level of radiation. Even the smallest dose may cause cancer and genetic damage. Any healthcare facility may be exposing staf f to unsafe levels of radiation. That’s why accurately measuring and recording radiation exposure over the long term is important for your people and your practice. The Landauer Luxel Plus with stateof-the-art Optically Stimulated Luminescence (OSL) technology, has the highest sensitivity available today — 10 times the sensitivity of film badges! Features include: • Fastest reporting in the industry—five day average turnaround • A lifetime exposure record is archived for safekeeping • Personalized badges • Web-based reporting • Automatic renewal program Monthly Badge Service....................3129XXMBM Ea $159.99 Quarterly Badge Service.................. 3129XXMBQ Ea $99.99 Fetal Badge Service (7 months)........... 3129XMBF Ea $116.30
Complete System............................... 3129DCPE Ea $537.40
HPTC Bloodborne Compliance Wall Chart Designed to educate and encourage employee compliance with OSHA’s Bloodborne Disease Standard, this chart employs pictorials and writ ten tex t in a clear and concise format. This laminated poster should be displayed in all workplaces to detail measures taken to protect your employees. 17” x 31” poster............................... 3129BCWC
HPTC OSHA Annual Staf f Retraining
Our staf f retraining program of fers a review of current OSHA regulations and preview of proposed regulations. It is designed to meet OSHA’s annual staf f retraining as well as new employee training requirements. A complete study guide is included with this program. Completion of training exam yields 3 CEU’s for 3 individuals. Staff Retraining.............................. 3129STR-VP Ea $96.88
6 Dental Explorer | First Quar ter 2014
HPTC Nitrous Oxide Monitoring Badges Mail-in Program
Nitrous oxide levels should be maintained below 25 ppm in operating rooms and 50 ppm in dental treatment areas, according to OSHA regulations. Monitoring is recommended at least quarterly. This service provides accurate and af fordable results. Mail-in envelopes and result analysis are included. 1 Unit..............................................3129NOM1 Ea $99.62 2 Units............................................3129NOM2 Ea $183.04 3 Units............................................3129NOM3 Ea $258.42 4 Units............................................3129NOM4 Ea $323.04
3129DCPE 3129HIP 3129STR/VP 3129BWL 3129BISK 3129BCWC 3129V180 3129CHSK 3129CPM 3129ESP 3129EESE 3129LLP 3129RFE 3129FES
3129FSD-VP 3129FASK 3129LBC 3129NUG 3129EXS 3129MSK 3129MVM 3129SHR6 3129NEI/VP 3129NOM 3129IOA-VP 3129RCL 3129FSG 3129SBR6 3129SS1 3129USC2
s (Quarterly Service)
To Learn More About OSHA Compliance Call 1.800.218.5412
Does your Dental Facility have what it needs to be in compliance? by Karson L. Carpenter, D.D.S.