Digesting the HIPAA Proposed Rule
Dom Nicastro, for HealthLeaders Media, July 21, 2010
- No protection of PHI for those who have been deceased for more than 50 years. According to the proposed rule, "We believe this will reduce the burden on both covered entities and on those seeking the protected health information of persons who have been deceased for many years by eliminating the need to search for and find a personal representative of the decedent, who in many cases may not be known or even exist after so many years, to authorize the disclosure. We believe this change would benefit family members and historians who may seek access to the medical information of these decedents for personal and public interest reasons."
- Required changes to the Notice of Privacy Practices (NPP). This will require changes throughout all the CEs, Herold says. “The trick will be how to get the wording to a point where the average patient/consumer can understand what it is saying,” she says. “This has been a problem in the past.”
The proposed amendments to the NPP would include:
- Language about the use and disclosures of PHI that would require an authorization under the proposed rule
- Changes to language regarding the CE contacting an individual to provide appointment; contacting the individual for fundraising; or to disclose information to the health plan
- HHS statements on BA compliance. Herold says organizations should note the following passage from HHS in the proposed rule: "In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts range from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden. For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards."
- Asking CEs and BAs to step up compliance teaching efforts. The proposed rule “more clearly and explicitly establishes that CEs and BAs must take a more active role in ensuring their associated BAs are in compliance with HIPAA/HITECH,” Herold says, “and that they will be held liable for doing so.”
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.