New regulations under the Health Insurance Portability and Accountability Act (HIPAA) go into effect on Sept. 23. This final set of rules requires all healthcare practitioners to change their notice of privacy privileges, policies and procedures, and business associates agreements.

Notice of privacy practices
Under the new regulations, patients must be able to opt out of fundraising communications. Additionally, these changes address the patient’s right to restrict disclosures to health plans for payment and healthcare operations. This is specifically designed to address payments made out-of-pocket. Also, under the new regulations, the provider must state that any breach of privacy will result in notification to the patient.

Breach notification
Previously, in the event of a breach of privacy, the regulations required practitioners to notify patients only if significant risk of financial, reputational, or other harm was present. The new HIPAA regulations require patients be notified in all cases—unless the provider can demonstrate that there is low probability “that the protected health information has been compromised based on a risk assessment.” This risk assessment requires an analysis of a range of factors. Although the likelihood of a breach of privacy is low, all providers must provide this new notification to all patients

Business associate requirements
Currently, all business associates of medical practices must have a signed agreement promising to protect the confidentiality of medical information. Business associates can include cleaning personnel, computer technicians, accountants, and anyone a practice hires that might have access to protected information. The new regulations will require implementing new business agreements with business associates including those who store personal health information, even if the vendor does not access the information.

Discussions with descendants
These changes allow providers to provide medical information after a patient’s death to descendants and others who were involved in the patient’s care prior to the death. This change will allow providers the flexibility to speak freely with family members after a death.

Research
This regulation allows for use of a single authorization for a range of research activities.

Immunization records
These new regulations are designed to facilitate communication of immunization records to schools. With these changes, providers can disclose proof of immunizations directly to schools without written authorization. This applies when a school is required by law to collect immunization information, providing the parent or guardian agrees to the disclosure.

These new HIPAA regulations must be implemented by Sept. 23, 2013, and will affect all orthopaedic surgeons. If business associates agreements were in place prior to January 2013, providers will have until Sept. 22, 2014, to make the needed changes.

Thomas B. Fleeter, MD, chairs the AAOS Medical Liability Committee. He can be reached at bonedock@comcast.net

Editor’s Note: Articles labeled Orthopaedic Risk Manager (ORM) are presented by the Medical Liability Committee under the direction of David H. Sohn, JD, MD, ORM editor.

Articles are provided for general information and are not legal advice; for legal advice, consult a qualified professional.

Additional Information

• What You Need to Know about the HIPAA Omnibus Rule
• Final Rule Summary