Updated HIPAA rules now in effect
The compliance date for the new, updated Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is Sept. 23.
Failure to provide the required HIPAA notices or meet standards may result in investigations and possible civil or criminal penalties.
The federal privacy protection rule applies to health care providers, health plans, other covered entities and their business associates. Revisions, announced in March, require covered entities and their business associates to take the following steps:
- Conduct a security risk assessment;
- Revise their existing privacy, security and breach notification policies and procedures;
- Make copies of those revised privacy policies available to patients;
- Amend business associate agreements to reflect the new regulations; and
- Retrain practice staff on the revised policies.
For the first time, the HIPAA privacy and security rules will apply not only to health care practitioners and their business associates but to any subcontractors who provide services to those business associates.
The AOA is providing resources to help you with every step.
What the new rule covers
The new rule prohibits the sale of federally protected patient health information (PHI). It also prohibits the use of that information for marketing purposes without authorization from the patient. In addition, a patient now may request that a practice withhold from a health plan the disclosure of PHI related to a particular service if the patient has paid for the service out of pocket.
Federal law requires practitioners to provide all patients with notices of the measures taken to protect patient information. This is not optional: Failure to provide the required HIPAA notices or meet standards may result in investigations and possible civil or criminal penalties.
On the new HIPAA Compliance section of the AOA website (member login required to view):
- Updated AOA HIPAA Security Regulation Compliance Manual (available free of charge to AOA members)
- Sample HIPAA Business Associate Agreement
- Sample HIPAA Notice of Privacy Practices, developed by the AOA Office of Counsel for use in optometric practices, which is available in bulk from AOA Marketplace
On the AOAExcel™ HIPAA page (member login required to view):
- AOA White Paper: Updated HIPAA Regulations-What Optometrists Need to Know, with questions and answers about the privacy regulations
In addition, the U.S. Department of Health & Human Services (HHS) offers resources for HIPAA-covered entities and their business associates.