The U.S. Department of Health and Human Services (HHS) made comprehensive changes (known as the Omnibus Rule) to HIPAA, with a compliance date of Sept. 23, 2013. The regulations expand physicians' obligation to protect patients' personal information. They also clarify when physicians must report breaches of unsecured information to patients and HHS. That's why TMA encourages you to review business associate (BA) agreements, notices of privacy practices (NPPs), and security and breach notification policies to make sure they meet the new HIPAA rules.

HHS defines protected health information (PHI) as "individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral."
It defines a breach of PHI as improper use or disclosure of personal information that "poses a significant risk of financial, reputational, or other harm to the affected individual." Note that this quoted harm threshold comes from the 2009 interim breach notification rule; the Omnibus Rule replaced it with a presumption that any impermissible use or disclosure of PHI is a breach unless the covered entity or business associate documents a risk assessment showing a low probability that the PHI was compromised. An example of a breach would be loss or theft of a laptop containing nonencrypted personal information. By contrast, PHI encrypted in accordance with HHS guidance is considered "secured," so losing a properly encrypted device does not by itself trigger the notification duty, which is one reason full-disk encryption of laptops and portable media is worth the effort.
TMA's HIPAA compliance tools

TMA has resources to help physicians and their staff members comply with state privacy law requirements and federal HIPAA regulations. Visit www.texmed.org/HIPAAcourses to access the following on-demand webinars:

• Complying with HIPAA and Texas Privacy Laws teaches compliance officers and physicians and their staff members the ins and outs of federal and state privacy training requirements. The webinar features a HIPAA risk assessment tool and a sample notice of privacy practices and business associate agreement.

• Complying with HIPAA Security instructs physicians and their employees on the procedures practices must implement to ensure patients' electronic protected health information remains confidential and safe from leaks or hacking.

• HIPAA Training for Medical Office Staff explains modifications to state privacy training requirements and helps practices comply with state and federal privacy laws.

TMA, in conjunction with Jackson Walker, LLP, has updated the HIPAA privacy and security information in Policies and Procedures: A Guide for Medical Practices. A hard copy of the guide with customizable CD is $295 for members and $395 for nonmembers. The customizable CD alone is $255 for members and $355 for nonmembers. To order the guide, contact the TMA Knowledge Center by phone, (800) 880-7955, or by email, knowledge@texmed.org.

Who is a business associate?

When determining if the revised federal HIPAA rules consider an entity one of your business associates, physicians' mantra is "create, receive, store, maintain, or transmit," said Jeffrey Drummond, an attorney in the Dallas office of Jackson Walker, LLP.

"When reviewing their relationships with businesses, physicians will need to enter new BA agreements with those entities that create, receive, store, maintain, or transmit PHI on their behalf," he said.

For example, under the new rule, you must consider patient safety organizations, e-prescribing gateways, health information exchanges, and record storage companies as business associates. Mr. Drummond encountered one case where a record storage company refused to sign a BA agreement with a medical practice. He advises physicians who run into resistance from business associates to take their business elsewhere.

The new HIPAA regulations expand the criteria for business associates but give physicians some time to update their agreements.

"As long as physicians had an existing BA agreement in place on the publication date of the rule — Jan. 25, 2013 — that met pre-Omnibus Rule standards, that agreement will be good until Sept. 22, 2014, one year from the compliance date," Mr. Drummond said. After that date, BA agreements may need to be updated.

He adds one caveat: Any BA agreements in place by Jan. 25, 2013, and subsequently modified before Sept. 22, 2014, must comply with the rule upon modification.

In the past, HIPAA Privacy and Security rules focused on health care professionals, health plans, and insurance claims clearinghouses. The new regulations make business associates of covered entities directly liable for many of those same requirements, rather than binding them only through their contracts with the covered entity. HHS reports that some of the largest breaches of PHI involved

32 TEXAS MEDICINE October 2013