business associates, such as contractors and subcontractors. Compliance with HIPAA regulations is more important as physicians face steeper penalties for breaches of PHI security and as the HHS Office for Civil Rights (OCR) cracks down on violations. Federal law increases penalties for HIPAA violations to up to $1.5 million per violation. Civil penalties range from $100 to $50,000 per violation. Criminal penalties for lying to defraud a victim include a maximum $100,000 fine and up to five years in prison. Anyone who violates HIPAA rules to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm faces up to a $250,000 fine and 10 years in prison.

Mr. Drummond says you need to scrutinize your HIPAA policies and procedures to make sure you meet your obligation to safeguard patients’ information under the rule. “A practice’s policies and procedures need to be specifically adapted to the practice. Employees should be trained on HIPAA compliance, and the policies and procedures should be applicable to the business,” he said.

Mr. Drummond worked with TMA to update the HIPAA privacy and security manuals in Policies and Procedures: A Guide for Medical Practices. (See “TMA’s HIPAA Compliance Tools,” opposite page.) The manuals include updated details on HIPAA and Texas’ privacy law, as well as template policies for:


• Staff training on the HIPAA policies and procedures,


• BA agreements that incorporate amendments of the Health Information Technology for Economic and Clinical Health Act (HITECH), and

• Breach risk assessments.


To read the final rule, visit http://1.usa.gov/Wl60lE. For the latest information on the HIPAA Privacy Rule, sign up for OCR’s listserv at http://1.usa.gov/XRHS8f.


Find the weak spots

You’ll likely need to update your breach notification procedures to meet the new requirements. Previously, you didn’t need to report a security violation if it did not harm the patient.

The new rules outline four things you can do to determine if the security of a patient’s personal information is compromised. Mr. Drummond recommends contacting a lawyer to help determine:


1. Whether the PHI was actually acquired or accessed;

2. The financial or clinical sensitivity of the information involved and the likelihood it can be reidentified;

3. The person who caused the breach and whether he or she has an obligation to keep the information confidential; and

4. The extent to which the risk is mitigated, which may involve obtaining a signed confidentiality agreement from the person who received the PHI.


If you find there is a low probability of a breach, you do not have to report it. Otherwise, you must report the breach to the patient and to HHS (and the media for certain large breaches). The agency has instructions for submitting notice of a breach on its website, http://1.usa.gov/ZvNUi. Additionally, you can assign breach notification to business associates and should work with them to coordinate the notification.

TMA’s HIT Security Risk Assessment Questionnaire helps physicians and staff


Legal articles in Texas Medicine are intended to help physicians understand the law by providing legal information on selected topics. These articles are published with the understanding that TMA is not engaged in providing legal advice. When dealing with specific legal matters, readers should seek assistance from their attorneys.


October 2013 TEXAS MEDICINE 33

