HIPAA compliance and your EHR for small Practice Providers
The compliance date of the HIPAA Final Rule – September 23, 2013 – is approaching. As a small practice or individual health care provider, there are multiple areas of the HIPAA Final Rule that can impact your business and the way you interact with patients.
As a business associate to our EHR users, Practice Fusion has also prepared for the implications of the new rule and how it will impact our organization and customers. The following are some of the changes in the HIPAA Final Rule you should review. For personalized information on the Final Rule as it relates to your practice, it is suggested that you utilize an independent legal professional who can review the regulation’s requirements on your behalf.
Updating your business associate agreements: The Final Rule both clarifies the types of subcontractors who are treated as business associates under HIPAA, as well as updates the provisions required to appear in a business associate agreement (BAA). HHS has posted Sample Business Associate Agreement Provisions that can be incorporated into BAAs. Practice Fusion will be updating our Healthcare Provider User Agreement in advance of the compliance date to include the required updated provisions.
Updating your Notice of Privacy Practices: The Final Rule modifies and expands the content of the Notice of Privacy Practices that a provider is required to maintain and distribute to its patients. After you have updated your Notice of Privacy Practices document, you should make this information readily available to existing patients who request a copy, post the revised notice on your website, if applicable, and post the notice in a prominent location at your office.
Giving patients access to their health information : Providers are now required to grant patients electronic access to health information if it is requested that way by the patient and is maintained electronically. Enrolling your patients in Patient Fusion, the Practice Fusion patient health portal, at each office visit is a great way to ensure that your patients have access to their data electronically.
Training your practice staff: It is important that your practice’s policies are both updated and implemented. Once you have updated your privacy policies, staff members should receive training on any new and revised policies. In particular, management and higher-level employees should be fully trained on the new breach standard, so that, if necessary, they can correctly perform the required analysis.
Understanding the new breach notification standard : The Final Rule provides a more objective standard to determine whether breach notification is merited based on the probability that data was compromised. You and your staff will need to know about the new procedures for reporting incidents.
Understanding the implications of this rule as an individual provider can be daunting. To help educate providers on these topics, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has made available several online resources directed towards health care providers.
In addition, Practice Fusion will be releasing an updated Health Care Provider User Agreement to all of our EHR users that will reflect the required changes under the HIPAA Final Rule.
What has your practice been doing to prepare for the HIPAA Final Rule compliance deadline?