make risk management decisions regarding reasonable and appropriate security measures to reduce risk to an acceptable level. To access the questionnaire, visit www.texmed.org/SecurityQuestionnaire.
Examine policies, contracts
Dr. Murray, past chief medical information officer for Cook Children’s, says the system has taken steps to conform to the new privacy and security laws. This includes updating BA agreements, privacy notices, and staff training, and reminding clinicians and staff about maintaining confidentiality and privacy of PHI.
“We also added language in our BA agreements specifying the time frame for notifying the physician network when the business associate identifies a breach of PHI,” Dr. Murray said.
He suggests the agreements specify who is responsible for the cost of a breach notification. You may want to request an attorney’s assistance in reviewing an associate’s risk assessment documents.
You should look at your privacy notices, as well. Mr. Drummond says the notices must tell patients that most uses and disclosures of psychotherapy notes or information for marketing purposes and sale of information require their approval. Physicians who participate in fundraising need to modify their notices to tell patients they have the right to opt out of those communications. The rule doesn’t specify what “fundraising” means, thus you should check with an attorney for guidance if you think it might apply to you.
The new rule also requires you to agree to a patient’s request not to disclose information about care he or she paid for in full out of pocket to health plans unless otherwise required by law. Privacy notices must tell patients they
34 TEXAS MEDICINE October 2013
have the right to know about a HIPAA breach. You must post the revised notice and make copies available to all new patients and to others upon request.
“The NPP tells patients what they can expect from the medical practice in terms of privacy and security of PHI. It’s important for doctors to follow the NPP,” Mr. Drummond said.
To request a sample privacy notice and BA agreement, call the TMA Knowledge Center at (800) 880-7955, or email knowledge@texmed.org.
HHS has developed sample BA agreement provisions, which are at http://1.usa.gov/2Sk29L.
Legislature lightens state privacy law
Physicians received welcome clarification of some provisions in the state’s 2011 medical privacy law from lawmakers in the 2013 legislative session.
Senate bills 1609 and 1610 by Sen. Charles Schwertner, MD (R-Georgetown), alter the privacy training requirements and breach notification requirements, respectively, in the original law. Howard Marcus, MD, testified on behalf of the Texas Medical Association before the Senate Health and Human Services Committee in support of both bills.
TMA and the Texas Medical Liability Trust asked for these changes to reduce potential red-tape hassles for physician practices. The new provisions took effect in June.
Under SB 1609:
• Practices have flexibility to determine the format of the privacy training required by Texas law. There was some concern that the law’s prior language could have been interpreted to require a more prescribed and formal program, such as attendance at a live-training seminar or webinar.
• New employees must be trained on state and federal law concerning protected health information (PHI) within 90 days of hire. The original law’s requirement was 60 days.
• If a material change in state or federal law concerning PHI affects an employee’s duties, the employee must be trained within a reasonable period, but not later than one year after the date the change in law takes effect. The original law required retraining every two years for all employees regardless of whether there was any material change in law affecting that employee’s duties.
• Practices must retain each employee’s signed verification-of-training statement for six years. HB 300 had an unspecified timeline and could have been interpreted as indefinitely.
“We believe these focused amendments will improve compliance with the training requirements while preserving the strong protections in existing state privacy law,” Dr. Marcus testified.
SB 1610 amends the Texas law that requires a physician to notify patients if the security of their PHI is breached. The bill:
• Sets a single Texas standard for complying with the breach notification law, regardless of what state the patient lives in instead of having to