You know a session is probably going to be good when there isn’t a free seat to be found. That was the case yesterday afternoon, when Gerry Hinkley, an attorney, spoke to a packed room about the new HIPAA privacy and security mandates.
Hinkley, who practices with Davis Wright Tremaine LLP in San Francisco, gave an overview of what providers need to do to guard against increased penalties and achieve compliance — an issue that’s extremely timely. “Times are going to get tougher with respect to ARRA,” he said. “The honeymoon we had with HIPAA is over.”
While he covered a lot of ground, some of the key points were as follows:
1. Under the new HITECH rules, self-pay patients can require that covered entities do not disclose protected health information (PHI) to health plans. This, said Hinkley, can get tricky, making it critical that practices have a procedure in place. “It’s going to be a very manual process, regrettably.”
2. Smart providers will get ahead of the game by notifying business associates (BAs) of their legal obligations under HITECH.
3. The requirements surrounding accounting of disclosure are very specific. Providers need to make sure that their EMR vendors can meet the requirements, and should inquire as to how the vendor plans to address them. “This is on the horizon,” he said. “You’ll hear a lot about it in the next year.”
4. The best strategy is to beef up your security so you can prevent breaches from occurring in the first place. “It’s an area that’s going to be ripe for enforcement,” said Hinkley. “Take this very, very seriously.”
5. In a nutshell, providers need to: create a compliance plan; update all policies and procedures; make sure PHIs are secure; put someone in charge of privacy/security who will serve as an expert; provide training for what needs to happen before and after a breach occurs; and conduct a HIPAA tune-up. And, he says, “The time to do this is now, not when someone says, ‘you’ll never guess what happened.’”