The Rheumatologist

HIPAA Privacy Rules Bring New Enforcement Guidelines

November 1, 2014 • By Staff

Compliance with all privacy rules and guidelines is required of all covered entities.

Modifications to the Privacy, Security, Enforcement and Breach Notification Rules under the Health Insurance Portability and Accountability Act (HIPAA) include changes that will affect how providers and payers protect a patient’s personal health information (PHI). The focus of the new enforcement guidelines has shifted from voluntary to punitive. The rule also makes business associates (BAs) more accountable for breaches of PHI, and this comes with the risk of financial penalties.


The HIPAA Privacy Rule is a set of federal standards created to protect the privacy of patients’ medical records and other health information maintained by covered entities, which include providers, hospitals, healthcare clearinghouses, health plans, the Centers for Medicare & Medicaid Services (CMS), as well as all other governmental health programs, such as the Veterans Health Administration. These standards now provide patients with immediate access to their medical records and with significant control over how their personal health information is used and disclosed.

CMS specifies that the changes give the public increased protection, because penalties for noncompliance are now tiered by the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH breach notification requirements and clarify when breaches of unsecured health information must be reported to HHS. Together, they broaden who is responsible for a patient’s PHI and extend the consequences of a breach to more parties, including small practices, payers and other BAs, such as a practice’s billing service or clearinghouse.

Under CMS, the new HIPAA rules also expand the rights of all patients. For example, patients can now request a copy of their medical records in electronic form, and a patient who pays for a service in cash can instruct the provider not to share any information about that treatment with their health plan. The omnibus rule also makes it easier for parents and/or guardians to give permission to share proof of a child’s immunization with a school, and it gives covered entities and BAs up to one year after the 180-day compliance date to bring their contracts into compliance.

The Office for Civil Rights has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices. From the compliance date in April 2003 to the present, the compliance issues HHS has investigated most often, compiled cumulatively and listed in order of frequency, are:

  • Impermissible uses and disclosures of PHI;
  • Lack of safeguards of PHI;
  • Lack of patient access to their PHI;
  • Uses or disclosures of more than the minimum necessary PHI; and
  • Lack of administrative safeguards of electronic PHI.

Protected Health Information

The privacy rule protects all “individually identifiable health information” that is stored or transmitted by a covered entity or its BA, in any form, whether electronic, paper or oral. “Individually identifiable health information” is information, including demographic data, that relates to the patient’s past, present or future physical or mental health or condition; all provision of healthcare to a patient; or the past, present or future payment for the provision of healthcare to the patient. This also includes any information that identifies the individual through any of the common identifiers (e.g., name, address, birthdate, Social Security number).

Administrative Requirements

HHS recognizes that there is a wide range of sizes of covered entities, from the smallest provider to the largest, multi-state health plan. As a result, there’s some flexibility and scalability within the rule that allow covered entities to analyze their individual needs and implement solutions appropriate for their environment. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Privacy Policies & Procedures

It’s important for all covered entities to develop and implement written privacy policies and procedures that are consistent with the privacy rule as designed by HHS.

In-Office Privacy Personnel

All covered entities are required to designate a privacy official responsible for developing and implementing its privacy policies and procedures. There should also be a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Employee Training & Management

All covered entities are required to train all of their employees on the privacy policies and procedures, as necessary and appropriate for the employees to carry out their daily job functions. Covered entities must also have appropriate sanctions in place and apply them to any employee who violates the organization’s privacy policies and procedures or any part of the privacy rule.

Safeguards for Patient Data

There must be reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI that the privacy rule does not permit. For example, such safeguards might include shredding documents containing PHI before discarding them, securing medical records with lock and key or passcode, and limiting access to keys or passcodes to only those who need to have them.

HIPAA Enforcement and Penalties

Voluntary compliance with all privacy rules and guidelines is required of all covered entities. HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a privacy rule requirement, but the penalty may not exceed $25,000 per year for multiple violations of the identical privacy rule requirement in a calendar year.

HHS will also apply criminal penalties if a person knowingly obtains or discloses a patient’s identifiable health information. This violation of HIPAA carries a fine of $50,000 and up to one year of imprisonment. Criminal penalties increase to $100,000 and up to five years of imprisonment if the behavior involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the violation involves the intent to sell, transfer or use a patient’s identifiable health information for commercial advantage, personal gain or malicious harm. In cases of wrongful behavior, criminal sanctions are enforced by the Department of Justice.


Copyright © 2006–2021 American College of Rheumatology. All rights reserved.

ISSN 1931-3268 (print)
ISSN 1931-3209 (online)