New statements are required under the Notice of Privacy Practices (NPP) which go into effect on September 23, 2013.
In the U.S. Department of Health and Human Services final omnibus rule under HIPAA which implements the Health Information Technology and Clinical Health Act (HITECH), health care providers are required to amend their NPP to comply with the new rule.
“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
— Kansas Dental Assoc. (@ksdental) July 18, 2013
The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Related: ADA HIPAA kit addresses new rules
Covered entities are required to enter into a Business Association Agreement with any individual or entity that provides services through which they received Protected Health Information (PHI). These agreements must require that the business associate comply with the following:
NPPs must now include a statement that certain uses and disclosures of PHI, such as some related to marketing, require an authorization. NPPs should also be amended to reflect the prohibition on the sale of PHI, breach notification requirements, the right for patients to opt-out of fundraising and the right to restrict disclosure of PHI when paying out-of-pocket.
*a subcontractor is any person or entity to whom a business associate delegates a function, activity or service on behalf of a covered entity.
The omnibus rule can be found on the US Department of Health & Human Services website.
A sample Business Associate Agreement can be found here.