Lagerquist Accounting Blog


    What Your Physician Practice Needs to Know about HIPAA and NPP Requirements

    Posted by Sylvia Lagerquist, CPA


    Managing a medical practice today is an exercise in the art of juggling. Serving patients is a full-time job. Managing employees is a full-time job. Dealing with insurance companies is a full-time job. In the midst of all of that, there is one more job that needs regular, committed attention: protecting patient privacy.

    Beginning in 1996 with the passage of the federal Health Insurance Portability and Accountability Act (HIPAA), national standards for protecting patient privacy have become an essential core element in the day-to-day life of every physician practice.

    One key element in the HIPAA requirements is the Notice of Privacy Practices (NPP), which is the document provided to patients verifying the privacy protections in place on the patient’s behalf.

    In late 2013, the NPP requirements were revised, and subsequent evolutions have led to further refinements of the essential priorities that physician practices should consider.

    This was primarily a result of two major laws: the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Genetic Information Nondiscrimination Act (GINA).

    The following are some key points your practice should keep in mind when reviewing your HIPAA compliance policies, and the provisions of your NPP itself:

    • NPPs must contain a specific list of situations in which authorization from the patient will be sought prior to disclosure of protected information.
    • NPPs must notify patients if your practice intends to forward fundraising communications (for example, if yours is a nonprofit or charitable practice), and also must allow patients to opt-out of receiving those communications.
    • NPPs must also contain a statement indicating that you (the covered entity) are required to notify the patient of any breach of his or her protected health information (PHI), including unsecured PHI.

    In addition, providers must state in the NPP that if a patient (or someone on the patient’s behalf) has paid for services entirely out-of-pocket, and the individual requests that you not disclose PHI related to those services to a health plan, you must accommodate the request, except where you are required to make a disclosure under the law.

    Two other areas worth noting are in regard to genetic information and the definition and compliance management of business associates.

    With the increased emphasis on the importance of protecting genetic data about patients, health plans must include in their NPPs that they are prohibited from disclosing or using genetic information for underwriting purposes (there is a limited exception specifically for long-term care policies).

    Another key area of importance is the role of your practice in managing information across business associates. As a result of the HITECH Act, the definition and responsibilities relating to business associates were both expanded.

    Today, business associates include entities involved in areas such as patient safety, health information services, e-prescription gateways, and similar services. Any entity that maintains PHI on behalf of your practice (where you are the covered entity) is now defined as a business associate under HIPAA. This applies throughout the downstream process, so that, for example, a subcontractor two levels down from your practice is still a business associate under HIPAA so long as it is engaged in activities that involve PHI.

    What this means, in the end, is that your practice must communicate with all business associates about this, ensure that your associates do the same downstream, and be clear on both the policies and the liabilities associated with failure to comply properly with the law.

    It also means that you should amend or revise applicable business contracts to address this as well, so that protecting your patients’ PHI becomes a clear and unequivocal priority across the entire downstream flow of involved organizations.

    What are some of the key steps your practice can take to stay compliant with HIPAA and NPP requirements? Here are five valuable steps you can take to begin:

    1. Review your relationships with contractors in light of the expanded definition of a business associate under HIPAA.
    2. Revise your contracts and business associate agreements.
    3. Update and ensure current compliance across your own internal policies/procedures and the NPP you deliver to patients today.
    4. Become proactive and engaged in the security and technology issues related to ensuring the privacy and protection of your patients’ PHI.
    5. Talk with your legal counsel and insurance carrier about ensuring that your current coverage is adequate to address the expanded liabilities created by HIPAA compliance considerations.

    We have not covered all (or even a majority) of the changes made to HIPAA and NPP provisions in the last few years. After reviewing these key points, make sure to sit down with your practice manager, attorney and insurance carrier to perform a full audit and institute appropriate processes to maintain and ensure ongoing compliance, both for the protection of your physician practice and for the protection of your patients.

    NOTE: To see model Notices of Privacy Practices (NPP) for health care providers and health plans to use to communicate with patients and plan members based on the revised requirements, visit here.

    Selected Sources:

    Do You Need to Revise Your Notice of Privacy Practices?
    http://www.troutmansanders.com/do-you-need-to-revise-your-notice-of-privacy-practices-01-25-2013/

    HIPAA Omnibus Final Rule Modifies Notice of Privacy Practices Requirements
    http://www.mcguirewoods.com/Client-Resources/Alerts/2013/2/HIPAA-Omnibus-Final-Rule.aspx

    HIPAA Omnibus Final Rule Modifies Notice of Privacy Practices Requirements for Covered Entities
    http://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1303_kannensohn.html

    Final HIPAA Rule Has Sweeping Impact on Covered Entities and Business Associates
    http://www.kattenlaw.com/final-hipaa-rule-has-sweeping-impact-on-covered-entities-and-business-associates

    Final HIPAA Rule Will Regulate Business Associates, Change HIPAA Breach Notification Obligations
    http://www.dorsey.com/eu_htr_hipaa_rule_012513/

    How To Catch-Up in a Revised HIPAA World
    http://www.smithlaw.com/newsletter-34.html

    Image Credit: meddygarnet (Flickr @ Creative Commons)
