The Spirit of Providence • 5
HITECH Changes to HIPAA–Effective September 23, 2013
The following changes to HIPAA were issued through federal regulations known as the Health Information Technology for Economic and Clinical
Health Act (HITECH) Final Rule.
Business Associates
Business associates are our vendors and contractors that perform services for us using Protected Health Information (PHI). The HITECH Final Rule
expands the definition of business associate and requires changes to our business associate agreements. Before sending PHI to a new vendor, check to see
if the vendor is a business associate and has signed a business associate agreement.
Data Breaches
All wrongful uses and disclosures of PHI, and all failures to safeguard PHI, must be reported to the Privacy Officer (Diana Holub), Security Officer (Jay
Scherler) or the CRO (Karen Richardson). Under the HIPAA Breach Notification Rule, certain breaches of PHI must also be reported to the individuals
affected and to the government. The HITECH Final Rule makes some changes to the Breach Notification Rule. If you suspect a breach or a failure to
safeguard, report it immediately.
Marketing
Under HIPAA, we may not use PHI to market products or services, except in limited circumstances. The HITECH Final Rule tightens up the Marketing
Rule and makes it more restrictive. Before using any PHI to create a marketing-type communication, get it approved!
Fundraising
Under HIPAA, we may use certain types of PHI for fundraising activities. The HITECH Final Rule expands the types of PHI that may be used for
fundraising. The HITECH Rule strengthens the requirement that individuals be provided notice of their right to opt out of fundraising communications.
Before using PHI to send out fundraising communications, get it approved! If a patient requests to opt out, direct them to our opt-out process.
Sale of PHI
The HITECH Final Rule prohibits the sale of PHI, which means the exchange of PHI for payment. There are several exceptions to this rule, such as for
public health, research, treatment, corporate transactions, business associate services, to the individual, and when required by law. Before providing PHI
to a third party where payment is involved, make sure an exception applies.
Research Authorizations
The rule permits research authorizations to be combined with other types of authorizations, if certain provisions are in place. If you are working on a
compound research authorization, use our template or get it approved.
Right to Electronic Access
Individuals have always had a right to get a copy of their medical record under HIPAA and under state law. The HITECH Final Rule confirms that
individuals have the right to an electronic copy of their electronic medical record or EMR in their requested format. If the individual requests their medical
record, refer them to the Release of Health Information Department.
Right to Request Restrictions
Under HIPAA, patients have the right to request certain restrictions on how their PHI may be used and disclosed. Requests may be granted or denied by
the Privacy Officer. Under the HITECH rule, if the patient wants to pay for a service in cash and not have a claim or other information submitted
to their health plan for that service, we must grant this request. If the patient wants to be a self-pay patient and does not want a claim submitted to their
health plan, refer them to Patient Accounting. If a patient requests another type of restriction, refer them to the Privacy Officer or a manager.
Decedents
As a general rule, we treat decedents’ PHI the same as living patients’ PHI. The HITECH Final Rule clarifies that we may disclose PHI to involved family
and friends to the same extent as we could while the patient was living. This means we may continue to communicate with a patient’s involved family and
friends after the patient’s death, unless the patient specified otherwise.
Compliance Corner, continued on page 7...