Zur Institute, LLC, Innovative Online Resources and Continuing Education, Director Ofer Zur, Ph.D.

HIPAA UPDATES

By Ofer Zur, Ph.D.
Updated 2009

This page provides updates to Dr. Zur's HIPAA Compliance Kit.

TABLE OF CONTENTS
2006 ~ 2007 ~ 2008 ~ 2009

  • 2006: As further evidence that state laws are changing to comply with and match HIPAA, California introduced AB 3013 (Koretz) Medical Information: Disclosures. This bill strengthens patient confidentiality laws by conforming California law to provisions of HIPAA. It limits the release of patient information, provides the patient the opportunity to prohibit such a release, and permits the health care provider to make judgments regarding releases in emergency situations.

  • 2006: As of mid-2006, about 20,000 grievances, primarily regarding disclosures, have been filed and investigated by HHS. The most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained, or patients were frustrated in getting their own records. So far the feds have been investigating only as a response to filed complaints and do not conduct their own inspections.

  • 2006: As of 2006, the feds continue to take an educational corrective approach to HIPAA in dealing with those who violate the law. As long as there is no clear criminal or malicious intent or intentional disregard for HIPAA law, they seem to work with the violators to fix the problem. HHS would like to see "reasonably diligent efforts to understand and comply with HIPAA rules." Merely stating that one did not know s/he was in violation would not be an adequate defense. As far as clinicians are concerned, basic HIPAA knowledge and basic forms, such as the simple form, HIPAA Notice of Privacy Practices, and basic computer protections (firewall, password, virus protection, etc.) probably provide a basic indication that an attempt to be compliant was made. See below for compliance list.

  • 2007: National Provider Identifier (NPI):
    • As part of mainstreaming the process of electronic claims, HIPAA mandates that all individual practitioners, who are covered entities, should obtain a National Provider Identifier by May 23, 2007.
    • The use of standard identifiers is one of HIPAA's key elements, and I recommend that all therapists obtain an NPI.
    • The NPI is a 10-position numeric identifier for each provider or therapist and is akin to a Social Security Number or an Employer Identification Number.
    • All insurance companies dealing with therapists will use this single NPI for each therapist.
    • Psychotherapists in private practice will receive their own NPI, as any other health care provider does. But, practitioners who are employed by clinics, agencies and counseling corporations will use the NPI that the organization has been assigned.
    • Covered Entities, under HIPAA, will have until May 23, 2007, to obtain their NPI, as they will be mandated to use their NPI in all covered transactions by the 2007 deadline.
    • Therapists who receive reimbursement from Medicare or other federal or state programs, such as Federal Employee Health Benefit Plans or Victims of Crime, should consider getting an NPI sooner rather than later, regardless of whether they submit claims electronically or by mail.
    • Any therapist who deals with insurance companies, whether electronically or not, is likely to benefit from having an NPI, which will become the standard identifier for practitioners.
    • While covered entities must obtain the NPI, a therapist who is not a covered entity may also obtain it (and in fact is highly advised to do so).
    • Obtaining an NPI does not turn a therapist, who is not a covered entity, into a covered entity.
    • Once a therapist is assigned a number it will stay with him/her for life. It would be de-activated only when the therapist retires or dies.
    • To apply: http://www.cms.hhs.gov/NationalProvIdentStand/03_apply.asp. It takes about 10 minutes to complete the online application.

  • 2007: The New HIPAA Enforcement Rule: A new HIPAA Enforcement Rule explains the circumstances under which a therapist could be held responsible for HIPAA violations by their employees, members of their workforce, trainees or business associates, such as a billing service or accountant. Some ways to protect oneself are to have good training for employees and other members of the workforce and solid Business Associate Contracts with billing services and other business associates. Therapists will not be protected if they are aware that their business associates are violating the privacy or security obligations under their contracts and fail to take reasonable steps to remedy the problem. Generally, being prudent and attentive to HIPAA rules can help avoid the HIPAA wrath even when one makes some understandable mistakes and takes reasonable steps to correct the situation. The entire text of the enforcement rule, including ways that therapists may defend themselves, is available at http://www.hhs.gov.

  • 2008: Stolen Laptops and HIPAA - New HHS Enforcement Effort: In one of the few enforcements of HIPAA by Health and Human Services so far, a Seattle company that provides home health care services was forced, in mid-2008, to pay a $100,000 settlement because laptops, disks and tapes containing individuals' health records were taken from company employees' cars on 5 occasions in 2005 and 2006. The agreement seems to signal that HHS is finally taking a tougher stance toward violations. This may have started a shift from the education approach they have taken so far to an enforcement mode. This HIPAA enforcement action suggests that psychotherapists who carry patient records with them are at risk for security violations and may be held legally and ethically accountable for security and privacy breaches. See also Transporting Confidential Clinical Records in Laptops: Heads up to Psychotherapists & Counselors.

  • 2009: HIPAA, FERPA, and Student Health Records: Due to some confusion among health care professionals and school administrators throughout the country, the U.S. Department of Education and the U.S. Department of Health and Human Services have issued a joint guidance (November 2008) on the application of two federal acts – the Family Educational Rights and Privacy Act (FERPA) and HIPAA in regard to student health records.

    Generally, the HIPAA Privacy Rule specifically excludes from its coverage educational records that are protected by FERPA. FERPA protects the privacy of students' "education records," which also include certain students' health records. To read more about the 2008 clarification, please go to the Nov. 2008 document titled Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.

  • 2009: Federal Stimulus Plan, Act of 2009 Mandates Changes to HIPAA: The American Recovery and Reinvestment Act of 2009 included changes to HIPAA. The changes affect HIPAA's privacy and security requirements. The various provisions have different effective dates, with some taking immediate effect and others not going into effect until 2010.

    The biggest change involves new requirements for breach notification. Covered entities are required to notify affected individuals when a privacy breach occurs. Previously, an entity only needed to try to limit the negative effects of a breach. If the breach affects more than 500 people, the covered entity must also report the incident to HHS and the media. Notification must be given no later than 60 days after discovery of the breach, and if the breach includes 10 or more individuals with insufficient contact information, the covered entity must make a conspicuous posting on its website or provide notice in print and broadcast media. The notification requirement applies only to "unsecured" information, which is defined as protected health information that is not secured by an accredited "technology standard" yet to be defined.

    The new rules also expand who is covered by HIPAA to include "business associates" of covered entities. Essentially, a business associate is an entity that wouldn't be covered by HIPAA but for its relationship with a covered entity, such as a third-party administrator who helps an employer administer its health plan. Under the new rule, business associates are subject to the security regulations and privacy requirements of HIPAA.

    Another change is the mandatory audits by HHS. Before, HHS was permitted to perform audits on entities covered by HIPAA to make sure they were following the rules. The 2009 Act includes a provision requiring HHS to perform audits, which in turn could increase the number of enforcement actions.

    The new act also provides an expansion of individual rights. "Patients are now able to go to a doctor, pay 100% for their procedure and then notify the doctor that they want to limit the disclosure of their information and say it cannot be provided to their health insurer," she explained. Additionally, an employee might choose to keep information such as drug counseling private in this way.

    Another change is in regard to the "minimum necessary" rule. Previously, under HIPAA, the "minimum necessary" rule instructed covered entities that if they were using or disclosing protected information for any reason, the use or disclosure should be kept to the minimum amount necessary to accomplish the intended purpose. Entities had a good deal of discretion in this area, but not according to the new rules. Under the new Act, the disclosure and use of protected information must be limited to a "limited data set," which is largely information with the patients' identifying information removed, "to the extent practicable." This is another area where HHS is scheduled to issue further guidance.

    Another change is the inclusion of a provision that allows state attorneys general to bring HIPAA enforcement actions. The provision allows state AGs to bring a civil action in federal court to enforce both the privacy and security provisions of HIPAA and seek damages on behalf of state residents. Along the same lines, covered entities that violate HIPAA are now subject to a $1,000 per violation penalty (up from $100 per violation), and the maximum annual penalty has increased to $100,000 from $25,000. Both civil and criminal penalties now apply to business associates as well.


ZUR INSTITUTE, LLC
Ofer Zur, Ph.D., Director
Sonoma Medical Plaza, 181 Andrieux Street, Suite 212, Sonoma, CA 95476
Phone: 707-935-0655, Fax: 707-736-7045, E-mail: info@zurinstitute.com
 
© 1997-2009 Zur Institute, LLC. All rights reserved. Privacy Statement, Disclaimer & Terms of Use. Last Modified: 09/24/2009