HIPAA 2013: There are Significant Changes Ahead…Are You and Your Practice Prepared?

Author: Kim Cavitt, Au.D.

The US Department of Health and Human Services (HHS) recently announced new changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that can have a significant effect on audiology practices and the way they handle, manage and disclose a patient’s protected health information (PHI), business associates and an audiologist's responsibilities related to management of the PHI they are provided by the practice, and marketing. It also has strengthened enforcement and fines for non-compliance. The new rules took effect on March 26, 2013 and providers and business associates are required to comply with the applicable requirements by September 23, 2013. The highlights of the new rule are as follows:
  • Business associates (any entity that creates, receives, maintains, or transmits PHI on behalf of a provider who supplied this information to them) and their contractors and subcontractors, are required to comply to the updated HIPAA Privacy and Security Rules, including breach notification;
  • Patients have the right to request that a copy of their electronic medical record be supplied to them in an electronic format;
  • Patients who are paying privately for an item or service have the right to restrict any disclosure about this item or service to their health plan;
  • “Marketing” has been redefined as any patient communication where the provider receives financial remuneration from a third-party whose products or services are being marketed. When “marketing” is being performed using PHI, a patient authorization must be in place prior to sending this marketing communication;
  • The sale of PHI is prohibited;
  • There must be a defined breach notification process where a situation is presumed to be a breach until the provider, business associate, contractor or subcontractor determines that there is a low probability that the patient’s privacy has been compromised. A risk assessment must be performed anytime there is a breach of PHI;
  • Allows for broader use of PHI for fundraising opportunities;
  • Allows for a streamlined authorization process for use of PHI for research purposes;
  • Penalties have increased to up to $1.5 million maximum per calendar (many fines range between $100 and $50,000 per violation and degree of culpability) and up to 10 years in jail.
Important steps all audiology practices must take to comply with this Rule:
  • Audiology providers must have revised, signed business associate contracts with any entity that they disclose PHI or allow accessing PHI. This includes, but is not limited to, hearing aid and earmold manufacturers, cochlear implant manufacturers, document shredding services, your accountant, your attorney, your computer consultant, your office management system provider, your janitorial service providers, or your landlord. These business associate contracts must be updated to reflect the new rule. Revised business associate contracts must be dated after January 25, 2013 and must be completed and signed by September 23, 2013.
  • Audiology practices must update their Notice of Privacy Practices to reflect the provisions of the new rule. Revised Notices of Privacy Practices must be dated after January 25, 2013 and must be completed and signed by September 23, 2013.
  • Audiology practices must have a HIPAA security policy in place, including a HITECH breach notification policy and process.
  • Audiology practices must have a HIPAA process for their practice and a training program for their employees. This training must be documented.
  • Audiology practices must have patients sign a marketing authorization prior to sending any third-party marketing materials to their patients; the most conservative guidance would be that all audiology practices have all of their patients complete a marketing authorization and that, without this authorization, the patient is removed from any marketing communication until this authorization is obtained.
Available Resources:
http://www.hhs.gov/news/press/2013pres/01/20130117b.html

http://www.ama-assn.org/amednews/2013/02/04/gvl10204.htm

http://www.mondaq.com/unitedstates/x/222184/Data+Protection+Privacy/The+New+HIPAA+Omnibus+Rule+Your+Liability+A+Detailed+Review

http://www.jdsupra.com/legalnews/hhs-releases-hipaahitech-omnibus-final-76741/

The Academy of Doctors of Audiology (ADA) has commissioned our legal counsel, Robert Gippin, Esq. and the law firm of Roderick, Linton and Belfance LLP to create HIPAA Compliance documents and forms that can be purchased by our members.

The package includes:
  • 2013 Notice of Privacy Practices
  • Acknowledgement of Notice of Privacy Practices (comprehensive and truncated)
  • 2013 Business Associate Agreement
  • Use and Disclosure form
  • 2013 Marketing Acknowledgement
The complete ADA HIPAA Toolkit is $199 for ADA members and $499 for non-members.

To learn more or to order the toolkit, please go to http://www.audiologist.org/publications20/federal-regulations/hipaa.

ADA also has hosted a HIPAA webinar, where we discuss the details of the 2003 and current HIPAA requirements. You can view the webinar at http://www.audiologist.org/ada-resources/online-webinars.    
Kim Cavitt, Au.D. was a clinical audiologist and preceptor at The Ohio State University and Northwestern University for the first ten years of her career. Since 2001, Dr. Cavitt has operated her own Audiology consulting firm, Audiology Resources, Inc. She currently serves on the Board of the Academy of Doctors of Audiology and the State of Illinois Speech Pathology and Audiology Licensure Board. She also serves on committees through AAA and ASHA and is an Adjunct Lecturer at Northwestern University.