Quadax   
August/September 2010 Newsletter
Table of Contents
Tribute and Transition
Peanut Butter & Chocolate …Xpeditor & Axis
Take Advantage of the Convenience Offered by MyDrBill and MyLabBill
Make the CRS Work for You
Transitioning HARP 1500 Claims to Xpeditor Editing
Input Requested: Proposed HIPAA Modifications
Ohio Medicaid’s New Web Portal
Clarification on PECOS Enrollment Deadline
Investing in Training, Investing in Quality
Sue Langsdale Retires from Quadax
Other News
Bulletins
Newsletters
News Index
  

August/September 2010 Newsletter

Input Requested: Proposed HIPAA Modifications

By: Catherine Sicker, Corporate Compliance Officer

Author's pictureThe Department of Health and Human Services (HHS) released on July 14, 2010 the much anticipated proposed Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH. The purpose of this proposed rule is to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules. Stakeholders have 60 days, until September 13, 2010, to comment on the rule. A final rule is expected before the end of the year. The major points of the draft rule include the following.

HIPAA and HITECH apply to business associates (BAs)

  • Requires BAs of covered entities to be under most of the same rules as the covered entities.
  • Confers BA status to subcontractors working with other BAs.
  • A covered entity is liable for the failure of its BA to perform. They were already liable for the acts of their agents under agency common law.
  • BAs and covered entities are also subject to compliance review by the Secretary of HHS.
  • HHS expects to issue revised BA model contract language, as they did for the Privacy Rule, when the rule is finalized.

Requires changes to the Notice of Privacy Practices (NPP)

  • Adds limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising communications.
  • Prohibits the sale of PHI without patient authorization.

Expands patient right of access

  • Expands individual’s rights to access their information and to restrict certain types of disclosures of PHI to health plans.

Provisions strengthen and expand HIPAA enforcement rule

  • Four tiers of penalty amounts to correspond with levels of culpability.
    • Entity did not know, and by exercising reasonable diligence would not have known, of violation.
    • Violation due to reasonable cause and not willful neglect.
    • Violation was due to willful neglect and was corrected within a certain time period.
    • Violation was due to willful neglect and was not corrected. 
  • Willful neglect is defined as the ‘‘conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”

Effective dates

  • 180 days after the date HHS publishes the final rule.
  • Parties to existing business associate agreements are afforded a full year following the publication of the final rule to amend or replace existing agreements.

The estimated cost to implementing these changes is $166.1 million. The proposed regulations do not address all of the HITECH changes, such as breach notification, the modified civil money penalty structure, the accounting of disclosure requirement, and the new authority of the State Attorneys General to enforce HIPAA rules.

E-mail the author:

©2012 Quadax | Terms of Use | Security & Privacy | Site Map | Contact Us