Privacy Rule under HIPAA 2.0: Is it easier to just start over?

Changes to the Privacy Rule under the Omnibus Ruling require ALL CEs update and distribute their Notice of Privacy Practices (NPP).  There is no option, it is stated specifically.  A review of the changes makes it obvious why updates must be done, though.

The original HIPAA Privacy Rule was written in 1996.  Science and technology has grown in leaps and bounds since then.  Consider this:

  • In December 1996, there were 36 million Internet users compared to June 2012 with over 2.5 billion.
  • The Human Genome mapping project was looking for subjects for the mapping to begin in 1996.  Today 99% of the human gene has been sequenced to a 99.99% accuracy.
  • Advances in cancer therapies have changed many cancer diagnosis’ from a fatal disease to a chronic illness just since 1996.
  • In 1996, almost every patient in a HIV clinic was prepared to die within three to five years.  Today they can expect to live well into their ’60s or ’70s with new medication regimes.
  • Surgery in 1996 that might need a 10-inch incision and weeks of recuperation are now done with a small slit for a robotic arm and a few days to recuperate.

All of these advances are fantastic and exciting.  They also mean we are now collecting much more data over longer periods than ever before.  Data is being used for research and testing that has helped moved us forward at such a rapid pace.  It also means there is more data to be abused and stolen.  Medical Identity theft can have implications that are much more serious than simple financial identity theft.  A stolen credit card doesn’t have the potential to lead to loss of your job, your children or your life.

Many small providers could use a complete refresh of all their privacy policies and procedures instead of trying to review what is in place with what needs to change.  The time to check every policy is usually greater than simply purchasing a new template set and starting over.  Many professional organizations have very reasonably priced templates to help you build your own versions.  We generally direct our clients to simply take that approach.  However, you do have to actually review the changes and make sure they are implemented in your practice, or the policies are worthless.

The new Privacy Rules add the following requirements:

  • Patient Right to Electronic Copy of Electronic Health Record, and the right to direct copy to designated 3rd party
  • Prohibition on Sale of PHI without Authorization
  • Marketing Communications Paid for by 3rd Party Require Authorization, with limited exceptions for refill reminders and current prescriptions
  • Easy Way for Patients to Stop Fundraising Communications
  • Right to Restrict Disclosures to Health Plans of Treatments or Services Paid for in Cash
  • GINA Provisions Requires “Genetic Information” to be Treated as PHI
  • Prohibits Health Plans from using or disclosing genetic information for underwriting purposes
  • Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information
  • Student Immunization changes makes it easier for parents to let providers release student immunization records to schools
  • Allows researchers to use single authorization for more than one research purpose and relaxes policy on authorizations for future research
  • Decedent Information protections limited to 50 years after death but eases access to friends and families

Of course, updating the policies is the first step.  Then, you have to figure out your plan for redistribution to all your patients.  Next, is the training plan for the entire staff.  All of the policies should be covered in training.  Training is for a later article.  For now, figure out where you are going with your privacy policies.  These updates can’t be done overnight and the September deadline isn’t likely to move.

Filed under: HIPAA Tagged: Compliance, HIPAA, Privacy Rule, private patient, Small Provider, Training