New HIPAA Changes in Place
The "Health Information Technology for Economic and Clinical Health" (HITECH) Act, which was enacted last year and took full effect last month, has added privacy and security safeguards to existing HIPAA regulations. The safeguards include new rules regarding, among other things, notifying patients of data breaches, marketing restrictions, the sale and disclosure of protected health information, and the use of electronic health records. The HITECH Act has also dramatically increased the obligations of business associates, making them directly accountable under HIPAA. As a result, physicians must ensure that they have updated agreements with all of their business associates, including entities such as Regional Health Information Organizations (RHIOs) that were not considered business associates under the prior regulations. Under the new rules, business associates are also subject to the same civil and criminal penalties that physicians, hospitals, and other HIPAA-covered entities face for violations. Previously, business associates that failed to protect patient information were liable to the covered entities via their service contracts, but they did not face governmental penalties.

To help physicians understand and comply with their increased responsibilities under the new HIPAA regulations, CMA has updated many of its HIPAA-related On-Call documents, which can be accessed here. This includes an updated sample "Business Associates" agreement and sample "Notice of Privacy Policies." In addition, CMA recently hosted the webinar "HIPAA Overview and Compliance - How to Be Compliant with Recent Changes", a recording of which can be accessed here.