HIPAA bears down on medical practices

July 04, 2013

A revised set of federal privacy rules is expected to have a significant impact on the way physicians run their practices.

On January 17, 2013, the Department of Health and Human Services issued a final omnibus rule to strengthen the patient privacy protections established by the Health Insurance Portability and Accountability Act of 1996. The rules not only expand the individual rights of patients but also tighten federal breach notification requirements under the Health Information Technology for Economic and Clinical Health Act of 2009. The result is that physician practices potentially face more legal scrutiny by the federal government as well as new administrative burdens, said Robert Tennant, senior policy adviser with MGMA-ACMPE, the medical practice management association.

Under the new privacy rules, doctors now must assume the worst-case scenario in the event of a possible privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients. This raised concerns from privacy advocates that practices shouldn’t have the discretion to determine these matters.

The new rules eliminate that standard and replace it with a stricter one. Now any incident involving patient records is assumed to be a breach, and unless a practice conducts a risk assessment that proves a low probability that any protected information was compromised, the breach must be reported. Tennant said the new standard will result in many more official reports of breaches, as well as additional work and costs to physician practices.

Revised privacy notices will need to be displayed in prominent areas of doctors’ offices and on practices’ websites. Patients will be able to ask for copies of their electronic health records or restrict the information given to health plans if they self-pay for services. And perhaps most important, practices might be subject to serious fines if any of their business associates cause security breaches.

For physicians, a business associate may be any firm that handles patient data, such as a storage provider, a shredding company or a benchmarking firm that measures physician performance. With contractors becoming as fully liable as everyone else affected by HIPAA, physicians’ offices are going to take on additional legal responsibilities as well, Tennant said. For example, if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice is also subject to enforcement for the violation caused by that business associate.

"To make matters even more challenging, there are significant potential fines associated with these violations, upwards of $1 million-plus for particularly egregious cases," Tennant said.

The days of getting a slap on the wrist for a privacy breach are over, Tennant added. "There’s now the potential that the government will be more aggressive in enforcing this."


Adapted from February 4, 2013 "HIPAA gets tougher on physicians" column by Jennifer Lubell, American Medical News, Copyright © 2013 American Medical Association (AMA). All rights reserved.