Ready or not, enforcement of new HIPAA rules set to begin


    Washington’s enforcement of major changes to patient privacy rules starts this week, but many area doctors may not be ready.

    The new HIPAA “mega rule,” as it’s sometimes called, took effect in March and modifies health-care privacy and security requirements.

    Fast forward 6 months, when enforcement kicks in.

    “I’ve had experiences of meeting with physician practices and managers, and they’re so caught up in the day-to-day, they’ll say, ‘What is this rule, what is it?'” said Julie Sheppard, a compliance consultant in Wilmington, Delaware. “Unfortunately, I think physicians right now are faced with so many different regulations, and they’re so busy otherwise doing what we all want them to do.”

    • WHYY thanks our sponsors — become a WHYY sponsor

    The updates expand patient rights, Sheppard said. For example, patients can request electronic copies of their medical records if doctors have them in that form. Patients can also request that doctors never report procedures to a health plan, so long as they pay cash.

    Sheppard said physician offices will have to update their notices of privacy practices, posting them online and in their offices. And it means those privacy forms patients get at the doctor’s office will probably be longer, too.

    Doctors must also beef up their security plans in the case of a breach, according to Angie Haas, a compliance officer based in Harrisburg.

    “One of the big things that’s probably going to be asked for if an auditor comes in, is they want to see your security-risk analysis,” said Haas. “And basically, that is just looking at where you have protected health information in electronic form and how you’re transmitting it from place to place and making sure you have proper security in place.”

    Haas said smaller practices, which don’t necessarily have staff specifically focused on complying with rules and updates, may not have been paying as much attention to the changes.

    “What they really need to do is update any policies and procedures if they have them,” she said.

    But it’s not just doctors. Unlike before, the Health Insurance Portability and Accountability Act rules also now apply to “business associates” or subcontractors, such as billing companies and consultants.

    Haas said penalties can range from $100 to $50,000 per violation.

    WHYY is your source for fact-based, in-depth journalism and information. As a nonprofit organization, we rely on financial support from readers like you. Please give today.

    Want a digest of WHYY’s programs, events & stories? Sign up for our weekly newsletter.

    Together we can reach 100% of WHYY’s fiscal year goal