Overview:

The final amendments to HIPAA resulting from the HITECH Act are now in effect and compliance is required by September 23, 2013. The amendments require changes in several areas of operation, including health information management, marketing, fundraising, and security, and many of the changes will require significant effort to implement.

• Every HIPAA Covered Entity is required to have a Notice of Privacy Practices that accurately reflects patient rights and practices at the entity. Because there are new finalized changes to the HIPAA rules, the NPP for every orgainzation having one must be updated. There are new requirements about fundraising activity, new controls on the sale of PHI, new rights of access and restrictions, and the right to be notified if there is a privacy breach. The new areas to be included will be discussed and explained, and areas that no longer need notice will also be discussed.
• The new regulations will be reviewed and their effects on HIPAA Notices of Privacy Practices will be discussed. We will describe the new rights that must be added into your NPP and identify the places where current rights have been modified. In addition, we'll identify typical items that may be removed from your NPP, because it is always advisable to keep NPPs as short and readable as possible while covering all the requirements. We will examine a typical NPP and describe the places where changes might best be made, and discuss the information that needs to be added or removed to meet requirements most efficiently and economically.

• New updates to the HIPAA regulations now in effect contain numerous changes based, for the most part, on The HITECH Act passed in 2009. Some of the most significant changes have to do with changes to individual rights under HIPAA that must be listed in an entity's HIPAA Notice of Privacy Practices. All HIPAA Covered Entities that currently provide a Notice of Privacy Practices must update their NPPs to reflect the changes in individual rights no later than September 23, 2013. Violations are subject to enforcement that can include fines up to $50,000. Changes will be necessary in areas of patient access to records, restrictions of disclosures, marketing, fundraising, breach notification, and more.
• Included are new requirements for the NPP to include notice of fundraising activity and an opportunity to opt out, new requirements for individuals to provide authorization for the sale of PHI, new rights of access to electronic records, new rights to restrict certain disclosures, and rights of notice in the event of a breach. Health Plans also have changes related to the Genetic Information Nondiscrimination Act (GINA) that must be reflected in their NPPs.
• Reimbursed marketing activity that may have been permissible without authorization from the individual under the old rules used to require notice in the NPP. Now all such marketing activity paid for by a third party wishing to promote a product or service will require authorization, and no longer needs to be specifically listed in the NPP.
• The changes are numerous and many are subtle and require an in depth examination of your Notice of Privacy Practices.

• All HIPAA Notices of Privacy Practices should have been updated to meet the new rules by September 23, 2013 The schedule of implementation and scope of the changes will be described
• Notices will need to include mention of the right to be notified in the event of a breach of the privacy or security of their Protected Health Information
• Individuals have a new right to request electronic copies of information held electronically that must be reflected in the NPP
• Individuals have new rights to restrict disclosure of encounter information to an insurer if it is paid fully out of pocket by the individual The NPP must identify this right
• Fundraising activity must be described in the NPP, with an opportunity to opt-out
• You do NOT have to include information about reimbursed marketing activity in NPPs any more, but you do always need to get an authorization
• Health Plans must include in their NPPs new changes pertaining to GINA, restricting the use of genetic information in enrolment
• How you should update your NPP – how do you document it, to whom does it go, and how?

• Compliance Director
• CEO
• CFO
• Privacy Officer
• Security Officer
• Information Systems Manager
• HIPAA Officer
• Chief Information Officer
• Health Information Manager
• Healthcare Counsel/lawyer
• Office Manager
• Contracts Manager