How should I comply with the provision requiring my company to not disclose health information to the payer if the patient pays in full?
2013 Changes to HIPAA
The Department of Health and Human Services (HHS) released a final rule that required companies to comply with a variety of new HIPAA provisions by Sept. 23, 2013.
As a DMEPOS provider, you no doubt wonder what HIPAA provisions mean for your company. It is the responsibility of your office staff to make all necessary updates to applicable HIPAA forms and prepare action items for all of the privacy and security requirements.
VGM offers a HIPAA Toolkit complete with policies and procedures and editable templates via VGMU Online Learning. The toolkit contains a model business associate agreement, model notice of privacy company form, breach notification requirements, and other guidelines, tools, and worksheets explaining all of the 2013 HIPAA regulations.
Not a current VGMU Online Learning user? To obtain your HIPAA Toolkit, please contact VGM Education at 866-227-8171.
Current VGMU Online Learning user? If you are a current VGMU user, you can login in to VGMU at www.vgmeducation.com/vgmu. After you are logged in to VGMU, click on the “Courses” tab. Then click on the HIPAA Toolkit.
The following FAQs should help your staff stay current with HIPAA.
The provisions HHS released in January 2013 address all of the required changes to HIPAA stemming from the Health Information Technology for Economic and Clinical Health Act (HITECH). This Act was passed by Congress in 2009 to not only provide regulations to safeguard electronic health information but also incentivize physicians to adopt electronic health records (EHR) through the meaningful use program.
The main changes to HIPAA that home medical equipment companies needed to make in 2013 included:
– Updated notice of privacy practices form
– Expanded scope of business associate agreements
– Changes to breach notification requirements
– Required patient access to electronic medical records
– Protecting the privacy of self-pay patients’ medical records
– Marketing requirements
– Changes in criminal and monetary penalties for violation of HIPAA
Step 1: Assign a compliance officer to be in charge of all HIPAA requirements, if you have not previously done so.
Step 2: Have this compliance officer update your HIPAA policies and procedures manual to address any new updates, including 2013 changes. You can use VGM’s HIPAA toolkit as a starting point. Email [email protected] for access information.
If you have an EHR in your office, pay special attention to 2013 policies need to be created for electronic protected health information (ePHI) including breach notification requirements, accounting of all disclosures, and the right of patients to access their own electronic medical record within 30 days of their request.
Additionally, a new policy will need to be created to address a provision requiring providers to withhold disclosures of protected health information (PHI) to their insurer if a patient requests it and pays for the service completely out of pocket.
Step 3: Use updated notice of privacy company form for all patients. Post a copy of any updated form in a visible location in your facility. Have all patients sign the updated form even if they are established patients.
Step 4: Have the compliance officer analyze all of your vendors to determine which should be classified as business associates under the revised definition, which includes vendors who have routine access to PHI such as an EHR vendor or server warehouse.
Ensure you sign a new business associate agreement with each of these vendors as the 2013 HIPAA regulations make business associates directly liable for compliance with the Privacy Rule.
Step 5: Train all clinical and non-clinical staff on the HIPAA policies and procedures.
If you have an EHR in your office, ensure staff are aware of your breach notification requirements and policies addressing how to protect this information, including how to maintain strong passwords, protect wireless access, and other safeguards.
How should I comply with the provision requiring my company to not disclose health information to the payer if the patient pays in full? I don’t want to create two separate records/charts for these types of instances.
A 2013 provision in the HIPAA rule requires that companies not disclose a patient’s medical record to their insurer if the patient pays for the service completely out-of-pocket and requests this confidentiality.
If you do not have an EHR in your company, you will have to create a log or system that keeps track of these requests and ensure staff are trained to not inadvertently disclose the medical chart containing the confidential information to the insurer.
If you have an EHR, speak with your vendor to determine how to flag the confidential information in the medical record and protect it from being disclosed to the insurer.
You should also train your front desk staff in identifying patients who could potentially ask for this caveat (such as those who do not provide insurance information when making their appointment). Additionally, revise your financial policy form to include this information and always have your patients pay their full charge up front.
Small companies have been audited for HIPAA violations and paid steep fines for their non-compliance. The 2013 rule set forth a fines structure that detailed companies would pay, based on the degree of their willful neglect, up to $250,000 per violation and face imprisonment for up to 10 years.
Your compliance officer should stay abreast of changes and train staff annually on safeguarding PHI. VGMU Online Learning offers three HIPAA courses to help employees understand, work with, and manage HIPAA; the courses are updated regularly with any changes in requirements.
Your company should also perform self-audits to catch any potential problems and pay special attention to how your staff are interacting on social networking sites. As these sites have gained in popularity, HIPAA violations related to them have increased, as staff may not be aware that they should not be posting PHI.
VGM offers a HIPAA Toolkit complete with policies and procedures and editable templates via VGMU Online Learning. The toolkit contains a model business associate agreement, model notice of privacy company form, breach notification requirements, and other guidelines, tools, and worksheets explaining all of the new HIPAA regulations.