What You Should Know:
New HIPAA regulations went into effect on September 23, 2013. They require that covered entities (including dental practices) revise their notice of privacy practices (NPPs) and risk assessment procedures in the event of a breach.
The AAE talked to attorney Mark Rust, managing partner of Barnes & Thornburg’s Chicago office and head of the firm’s health care department, and he highlighted the key changes that impact providers.
- Covered entities’ NPP now must contain a statement indicating that uses and disclosures of private health information (PHI) for marketing purposes, and disclosures that constitute a sale of PHI, require an individual’s written authorization.
- Additionally, the NPP must inform individuals of their right to restrict certain disclosures of their PHI to a health plan where an individual pays out of pocket in full for a health care item or service, and their right to be notified of a breach of unsecured PHI where an individual is affected by such breach.
- Because these changes are considered “material changes,” providers must revise their NPP by the compliance date, September 23, 2013 in this instance.
- In response to concerns about printing costs for revised NPPs, the U.S. Department of Health and Human Services clarified that health care providers may satisfy their legal obligations simply by posting their revised NPP or a summary thereof in a clear and prominent location at the care delivery site, and by having copies of the full NPP there for individuals to take with them.
Mr. Rust also noted that if “unsecured protected health information” is breached, the covered entity must provide public notice unless a risk assessment determines that there is a “low probability that the protected health information has been compromised.” Previously the standard was that notification was required if there was a “significant risk of harm to the individual” as a result of the breach.
Penalties for non-compliance have also increased from $50 per violation to $100 per violation. For willful violations, penalties start at $1,000 per violation.