In January 2013, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules that govern patient health information under HIPAA. Penalties can range from $100 to $1.5 million depending on the violation.
For primary care and other physicians in private practice, compliance will mean:
- Conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice.
- Reviewing practice policies and procedures for when PHI is lost, stolen, or improperly disclosed, and ensuring staff members are trained in those policies and procedures.
- Ensuring your practice’s electronic PHI is encrypted and cannot be accessed if lost or stolen.
- Modifying the practice’s EHR system to flag information a patient does not want shared with insurance companies.
- Being able to send patients their health information in an electronic format.
- Reviewing contracts with vendors that have PHI access.
- Updating your practice’s notice of privacy practices.
Additional HIPAA resources:
HHS.gov: Health Information Privacy