By W. Patrick Davey, MD, FAAD
Dermatologists can face serious penalties if they do not comply with new Health Insurance Portability and Accountability Act (HIPAA) provisions by Sept. 23, 2013. Practices can be audited for HIPAA violations and pay steep fines for their non-compliance. The new rule sets forth a fines structure where practices would pay, based on the degree of their willful neglect, up to $250,000 per violation and face imprisonment for up to 10 years.
The new provisions that Health and Human Services (HHS) released in January 2013 address all of the required changes to HIPAA stemming from the Health Information Technology for Economic and Clinical Health Act (HITECH). This Act was passed by Congress in 2009 to not only provide regulations to safeguard electronic health information but also incentivize physicians to adopt electronic health records (EHR) through the meaningful use program. The main changes to HIPAA that dermatology practices need to be prepared for include:
- Updated notice of privacy practices form
- Expanded scope of business associate agreements
- Changes to breach notification requirements
- Required patient access to electronic medical records
- Protecting the privacy of self-pay patients’ medical records
- Marketing requirements
- Changes in criminal and monetary penalties for violation of HIPAA
It’s essential to prepare now for the compliance deadline. The following steps are needed to comply with the changes.
Step 1: Assign a compliance officer to be in charge of all the required changes if you have not previously done so.
Step 2: Have this compliance officer update your HIPAA policies and procedures manual to address the new changes by Sept. 23, 2013. The Academy’s HIPAA manual is a great starting point. If you have an EHR in your office, pay special attention to new policies that will need to be created for electronic protected health information including breach notification requirements, accounting of all disclosures, and the right of patients to access their own electronic medical record within 30 days of their request. Additionally, a new policy will need to be created to address a provision requiring providers to withhold disclosures of protected health information (PHI) to their insurer if a patient requests it and pays for this service completely out of pocket.
Step 3: Begin using your updated notice of privacy practices form for all patients either on or before Sept. 23, 2013. Post a new copy of this form in a visible location in your waiting room. Have all patients sign the updated form even if they are established patients.
Step 4: Have the compliance officer analyze all of your vendors to determine which should be classified as business associates under the revised definition. This provision includes vendors who have routine access to PHI, such as an EHR vendor or server warehouse. Ensure you sign a new business associate agreement with each of these vendors in advance of the Sept. 23, 2013 implementation date, as the new HIPAA regulations make business associates directly liable for compliance with the Privacy Rule.
Step 5: Train all clinical and non-clinical staff on the new policies and procedures. If you have an EHR in your office, ensure staff are aware of your breach notification requirements and policies addressing how to protect this information, including how to maintain strong passwords, protect wireless access, and other safeguards.
The Academy has developed a new HIPAA manual titled “A Guide to HIPAA and HITECH for Dermatology.” This manual contains a model business associate agreement, model notice of privacy practices form, breach notification requirements, other guidelines, tools, and worksheets explaining all of the new HIPAA regulations. You can order the manual by calling the AAD’s Member Resource Center at (866) 503-SKIN (7546).
The Academy has also developed a series of educational recordings on HIPAA focused on the new regulations as well as the privacy and security requirements. These recordings are available at www.aad.org/webinars.
You can also visit the Academy’s HIPAA Web page at www.aad.org/hipaa to learn more about the new regulations and any upcoming changes.
Dr. Davey is currently president of Dermatique, a medical, surgical, and cosmetic dermatology practice in Scottsdale, Ariz. He has served on multiple committees for the American Academy of Dermatology, American College of Mohs Surgery, American Society for Dermatologic Surgery and the Accreditation Association for Ambulatory Health Care (AAAHC). He is currently the vice chairman of the Board of Directors of the Accreditation Association for Ambulatory Health Care, on the Board of Directors of the Institute for Quality Improvement, chairman of the AAD Practice Management Committee, on the SkinPAC Board of Directors and the ACMS Public Policy Committee.