MIAOULIS WRITES: Organizations are in a difficult situation. Let's look at some of the new requirements... This article and this blog are intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances.
BUSINESS ASSOCIATES: Need to take steps to become HIPAA and HITECH compliant.
PATIENT RIGHT TO EHR IN ELECTRONIC FORMAT: I believe organizations should create a plan now for this, watermark the information, secure the information and charge a reasonable fee for providing this. If a consumer asks for it, provide it in some form.
PATIENT RIGHT TO REQUEST RESTRICTION: Individuals have the right to restrict access by health plans when they have paid in full.
NOTICE OF PRIVACY PRACTICES: Since patients have new rights, one question left unanswered is whether organizations should change their notice of privacy practices (NPP). Based on what I know, the answer appears to be YES.
MINIMUM NECESSARY: Guidance is expected in 6 months (August 18, 2010); however, organizations should already be taking steps to ensure access is limited to the minimum necessary information. All access to information should be reviewed to determine whether, to the extent practical, the information can be limited to a "limited data set" or to the minimum necessary to accomplish the task. Limiting diagnosis and identity-theft-related fields (SSN, birthday) should also be considered for both internal and external information access.
FUNDRAISING: The opt-out requires language that is clear and conspicuous. Although this is not defined, it is important to present it in text at least as large as the surrounding text. It is also VERY important that organizations implement controls to ensure that individuals who have opted out are NOT sent additional requests.
MARKETING: HITECH prohibits organizations from treating marketing communications as healthcare operations when the organization receives direct or indirect payment in exchange for making the communication. Basically, organizations should only do marketing in limited circumstances, such as when sending information about drugs that have been PREVIOUSLY prescribed. This may include refill reminders or educational materials about a drug.
ENFORCEMENT/AUDITS: Although audits may still be a ways off, be prepared for an audit and conduct self-audits. Do you have a written policy, have you implemented appropriate controls, and can you prove your controls are functioning? See http://www.hipaasecurityandprivacy.com/2010/02/enforcement-of-hipaa.html
BREACH NOTIFICATION (SEPTEMBER 23, 2009): Organizations need a policy, a process/procedure for evaluating breaches, and a reporting mechanism. Creating scenarios and decision trees prior to a breach is a solid practice. Remember that not all breaches require notification, but a solid analysis is required.
IT IS BETTER TO PREVENT A BREACH, THAN TO REPORT A BREACH.
IT IS BETTER TO DOCUMENT YOUR HIPAA COMPLIANCE THAN BE SUBJECTED TO WILLFUL NEGLECT.