Just when we thought the hullabaloo over the Health Insurance Portability and Accountability Act (HIPAA) had calmed down and we all figured out what we needed to do in order to comply, along comes the Health Information Technology and Clinical Health Act (HITECH), which is part of the American Recovery and Reinvestment Act of 2009 (the "Stimulus Act") signed into effect by President Obama on February 17, 2009. HITECH will make significant changes to HIPAA in five key areas, all of which will affect the alternative practice to some extent.

The first change will come in the form of business associates now being held accountable for protection of protected health information (PHI) by adhering to the business associate agreement into which they have entered, as well as by complying with the security rules related to administrative, physical and technical safeguards. What this means to your practice is that you need to ensure that your business associates understand their role, and further understand that there are now civil and criminal penalties that can be imposed against business associates for their failure to comply. Your business associates are any vendors or outside consultants that have access to your patients' PHI.

HITECH puts forth a requirement that you notify your patients in the event that their PHI has been inadvertently disclosed as the result of being unsecured. The interim final regulations regarding the security breach provisions of HITECH that became effective on September 23, 2009 (although they will not be fully enforced before February 22, 2010), set out that providers will need to determine a "harm threshold" for each disclosure of PHI in order to determine whether or not a notification to the affected party is necessary. The best protection against having to make such a notification to your patients is to ensure that your automated systems come with protections against such disclosures built right in, and that your medical billing software and medical office software were developed by people who consider these requirements and keep up with the changes in the law.

The section of HITECH that grants patients some additional rights under HIPAA states that providers may not share information with a patient's insurance carrier if the patient pays the full cost of the rendered service and makes such a request. Providers were not previously obligated to honor such a request. Additionally, a provider will be responsible for providing the patient with an accounting of all disclosures made electronically of that patient's PHI for the past three years, although this requirement will change depending on when a practice implements an electronic medical record system. For instance, if your practice purchased an electronic medical record system on or before January 1, 2009, then this provision of HITECH will become effective January 1, 2014, but if you purchased your EMR system after January 1, 2009, this provision will kick in on January 1, 2011, or the date that you buy your system, whichever is later. Finally, on February 17, 2010, those providers maintaining electronic records will be required to provide copies of those records to patients in electronic form.

The final key point of HITECH deals with how covered entities and others can be penalized for not adhering to the regulations, and the penalties can be harsh. The best way to protect your practice from ever reaching the point of needing to know about such penalties is to ensure that you have medical scheduling software, medical billing programs, and/or medical office management software that comes with built-in safeguards such as role-based logins, and log files that create an audit trail of what information has been where.