New HIPAA rules require updates. Here’s some tips to implementing them.

With the release of the HIPAA Omnibus Final Rule, practices are required to update their compliance plans, including, but not limited to, Notice of Privacy Practices (NPP). Since HIPAA was first introduced, electronic health records have become a significant way to manage patient information. The Omnibus Final Rule mandates changes to the original compliance plan for your practice in order to include EMR. The time to update this information is now, as compliance with the Omnibus Rule becomes law on September 23, 2013.

The privacy rule provides an individual with the right to adequate written notice of how a covered entity (the practice, in this case) may use and disclose protected health information and the covered entity’s obligations with respect to that information. To simplify, the NPP describes for the patient how the practice will handle patient information, including the patient’s rights regarding his or her information.

Alert Patients

According to the HIPAA Compliance Plan and Guide of 2013 published by The Health Care Group, Inc., it is recommended that a practice, using an EHR product, provide the patient with a laminated copy of the NPP to review prior to being seen by the doctor. The practice should also maintain a supply of paper copies to provide patients who ask for a copy; note the current copy of the NPP is required to be offered only once. Any time changes are made to the NPP that involve changes to permitted disclosure, patient’s rights or other privacy issues, the NPP must be redistributed to each patient going forward at and beyond the effective date of the changes. As before, the NPP must also be posted internally in the check-in area.

If it has been a while since the practice reviewed the NPP, it is time to make updates, regardless of whether or not your practice has EHR. The patient should sign an acknowledgment when the revised 2013 notice has been provided. In addition, if the practice has a Web site, the NPP must be on that Web site.

Key changes for the NPP in the Omnibus Final Rule include:

■ How the patient can get access to his or her health care information.

■ Sharing information for purpose of treatment.

■ Sharing information for purposes of payment (e.g. billing, obtaining permission from payors).

■ Using protected information for purposes of healthcare operations.

■ Sharing information for fundraising efforts that may interest the patient (with right to opt out).

■ Sharing information with disaster relief organizations that seek patient health information (PHI) to coordinate care of the patient or to locate family in the event of a disaster.

■ Sharing information for purposes of marketing the practice.

■ Patient’s rights (regarding the patient’s protected health information:

● The right to inspect and copy information used to make decisions about care or payment.

● The right to a summary or explanation.

● The right to an electronic copy when PHI is maintained in an electronic format.

● The right to get a notice of a breach.

● The right to request amendments.

■ With many ophthalmic practices now using or planning to utilize an electronic record, an inclusion to be aware of is the requirement to provide an electronic copy of the medical record, when the patient wants a copy electronically.

■ If the patient elects to pay out-of-pocket for a procedure, service or visit, and requests that the practice does not disclose this information to a health plan, the practice must accommodate this request, unless required by law to disclose the information.

Business Associates

In addition to changes to the NPP, updating your business associate agreement will be necessary. Particular attention is given to subcontractors of business associates in the Final Rule. Subcontractors of business associates will also need to sign the business associate agreement.

The HIPAA Omnibus Final Rule changes require time and attention from the compliance officer and the September 23, 2013 deadline is looming. A practice can find many resources on the Web. Professional organizations (ASOA, AAOE, MGMA, AHIMA) are always great for assistance with NPP template samples and other HIPAA related documents. With the complexity of the Final Rule, it is a good idea to consult a reputable health-care attorney to review the compliance plan and related documents used by the practice. Many products are now on the market to aid the administrator and the compliance officer in making these changes. OP

Ms. Cook is the Administrator of the Laurel Eye Clinic and the Laurel Laser & Surgery Centers. A Certified Ophthalmic Executive and Certified Administrator Surgery Center, she is a registered nurse and also has a degree in Health Care Administration.