The HIPAA HiTech Act Final Rule is set to take effect on September 23, 2013. The great challenge of the Health Insurance Portability and Accountability Act (HIPAA) HiTech Act Final Rule on Privacy is to simultaneously accomplish these two objectives: to regulate the use of Personal Health Information (PHI) with the end goal of safeguarding the right to privacy and, at the same time, to allow access to and use of medical data when it is needed for the purposes of health care, medical research, and other purposes which serve a greater good.
It’s obviously a complex standard to define, but that’s what the HIPAA HiTech Act Final Rule is for. Effective in September 2013, it is meant to create a national standard for medical professionals and all covered entities. Here, we shall discuss some of the salient points of the HIPAA HiTech Act Final Rule, and how it has changed the way PHI is handled.
The thing about Personal Health Information or PHI is that it can be easily used to the disadvantage of private citizens. For example, pre-existing conditions or genetic vulnerability to diseases can make a person a very unattractive candidate for a job or promotion. What if employers were given the virtual key to all medical files so that they could identify who among their staff have a predispositions to mental illness? How is this going to affect capable workers who – at the time of the evaluation – are in fact in perfect health? Because of the potential bias it creates, access to PHI must be limited.
The HIPAA HiTech Act Final Rule 2013 is careful to point out, though, that it should not be carried out to the extent that a private citizen cannot fully enjoy the benefit of quality medical services.
For example, under the HIPAA HiTech Act Final Rule 2013, communication from marketers of medical services and products is restricted unless an authorization in writing was previously issued. The HIPAA HiTech Act Final Rule 2013 also expands the definition of marketers such that any entity being paid to make a communication is considered a marketer. However, the rule makes an exception for refills of medication already prescribed. So a reminder to purchase refills for needed medicine is allowed without prior authorization, because such a communication is actually helpful for the individual.
Many types of entities actually have easy access to PHI: companies whose services involve medical billing or transcription, insurance companies, and vendors of pharmaceuticals, just to name a few. The HIPAA HiTech Final Rule 2013 explicitly prohibits the sale of PHI unless this sale is authorized by the individual.
The new rule removes many qualifications so that private citizens today need not prove that some harm was done. For as long as there is unauthorized use of information that is not covered by the exceptions in the HIPAA HiTech Final Rule 2013, a violation of the right to privacy was committed.
Another impactful change to the HIPAA HiTech Act Final Rule 2013 is that it expands the definition of business associates. With or without a legally binding agreement, a third-party entity may be considered a business associate. We look at the nature of the relationship now not the contract.
Under the final rule, business associates are held directly liable for any violation of this privacy law. It doesn’t matter what their contract says. This is significant because it compels all those service providers who have access to sensitive medical information to respect the privacy of the patient. There is little opportunity to use legal technicalities to circumvent the spirit of the HIPAA HiTech Final Rule 2013.
Finally, the HIPAA HiTech Final Rule 2013 requires covered entities to post a Notice of Privacy Practices, which should include several things, including an individual’s right to refuse receipt of fundraising communications. And if a patient pays out of pocket in full, then the patient also reserves the right to refuse disclosure of PHI to health plans.
There are so many amendments that have made the HIPAA HiTech Final Rule 2013 more effective in safeguarding an individual’s right to privacy. If you need to have a better grasp of the final rule, it is best to speak to a legal specialist. At the end of the day, it comes down to the best judgment, and adherence to common codes of ethics.
To set up a free consultation to discuss your Hitech Act Compliance simply click here or Call 908-505-5297.