Health Insurance Portability and Accountability Act
Protecting Patient Privacy
The Health Insurance Portability and Accountability Act (HIPAA) comprises two overarching parts: the Privacy Rule and the Security Rule. The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule balances patients' rights against the permissible disclosure of personal health information necessary for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards that covered entities must use to assure the confidentiality, integrity, and availability of electronic protected health information.
On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published its Final Rule entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (the Omnibus Rule). There are three (3) specific areas that physicians will need to focus on to comply with the new Omnibus Rule:
- Privacy, Security, and Breach Notification policies and procedures
- Notice of Privacy Practices (NPP)
- Business Associate (BA) Agreements
The Omnibus Rule became effective on March 26, 2013, with a compliance period of 180 days, requiring all providers to be compliant with the new regulations by September 23, 2013.
*The sample forms linked to below do not constitute legal advice and are for educational purposes only. These forms are based on current federal law, are subject to change as federal law changes, and may need to be modified to adhere to state law or to subsequent guidance or advisories. Doctors are advised to consult with their state licensing Board or legal counsel.