10 Questions Every Practice Should Ask Before September 23rd


The September 23rd Health Information Technology for Economic and Clinical Health (HITECH) Act Final Omnibus Rule compliance deadline is less than 3 weeks away! Below is a brief overview of the major HIPAA changes under HITECH, to help you determine whether your Practice is in compliance before September 23rd.

1. Notice of Privacy Practices (NPP):

  • Has your NPP been updated in light of the HITECH requirements?
  • Is your NPP posted in a clear and prominent location in your Practice?
  • Is your NPP posted on the Practice website?

2. Breach Notification:

  • Has your Practice updated its Breach Notification Policy & Procedure in light of the new HITECH Breach Notification Standard?
  • Does your Practice understand the new breach notification standard and the analysis it must document in writing when examining a potential breach, in order to determine whether notification is necessary?

3. Business Associate Agreement:

  • Does your Practice understand that a Business Associate is anyone who creates, maintains, transmits, or receives protected health information on behalf of the Practice?
  • Has your Practice identified and entered into Business Associate Agreements with its Business Associates?
  • Does your Practice understand that Business Associates are required to implement administrative, technical, and physical safeguards for electronic protected health information?
    – e.g. Business Associates should have HIPAA policies and procedures.
  • Do you know if your Business Associates sign Business Associate Agreements with their subcontractors?
  • Do you know how long your Business Associate has to report a breach to you?

4. Electronic Access to Protected Health Information:

  • Does your Practice know how long it has to respond to an individual’s request for an electronic copy of his or her protected health information?

5. Authorizations:

  • Does your Practice know when it must obtain patient authorizations before releasing records?

6. Restrict Disclosure to Health Plans:

  • Does your Practice understand that, unless the disclosure is required by law, the Practice MUST agree to an individual’s request that the Practice restrict the disclosure of protected health information to health plans, if the individual paid for the relevant care, in full, and out of pocket?
    – Can your Practice flag these restrictions within the EMR to ensure that they do not go to the insurance company?

7. Marketing:

  • Does your Practice understand the expanded definition of marketing, which now covers any communication for which the Practice receives payment to make it?

8. Fundraising:

  • If your Practice conducts fundraising, does it know what information it is allowed to use? Is the opt-out language clear?

9. Training:

  • Has your Practice trained its workforce on the new HITECH changes?

10. Security Risk Assessment:

  • Has your Practice performed the legally mandated security risk assessment in light of the HITECH rules?
  • Has your Practice documented that risk assessment and assigned appropriate levels of risk?

The HITECH changes require significant revisions to your Practice’s HIPAA documents, policies, and procedures. If you have questions about updating your HIPAA Manual in light of HITECH, need assistance with training, or would like a quote for these services, please feel free to contact us.