In January 2013, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. Penalties can range from $100 to $1.5 million depending on the violation.
For primary care and other physicians in private practice, compliance will mean:
- Conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;
- Reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;
- Ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);
- Modifying the practice’s electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;
- Having the ability to send patients their health information in an electronic format;
- Reviewing your contracts with any vendors that have access to your practice’s PHI;
- Updating your practice’s notice of privacy practices.
Additional HIPAA resources:
HHS.gov: Health Information Privacy