This week marked the effective date for some new privacy and
security rules that were released by the Department of Health and Human
Services (HHS) in January. The rules, mostly amendments to the 1996 HIPAA law,
took effect on Tuesday, but most have a 180-day compliance window built in.
According to Modern Healthcare, the new rules extend HIPAA privacy and
security coverage, and direct liability for violations, to business
associates of HIPAA “covered entities.” Those contractors might
include vendors of remote-hosted EHRs, office-based physicians, or firms
providing hospitals with clinical and financial data analytics. In addition to
healthcare providers, HIPAA covered entities include claims clearinghouses and
insurance plans.
Another major change under the rule
involves the policies and technologies needed to comply with a patient consent
management provision. Under powers granted to HHS by the American Recovery and
Reinvestment Act, a patient who pays out-of-pocket for treatment can ask a
provider not to share a record of that treatment with the patient's health
insurance plan. Providers must comply with that request, which presents a
challenge for EHR systems and staff training.
To tackle this issue, several private-sector developers, the Veterans Affairs
Department, other federal agencies, and others have come up with a new
software system. This system can tag entire patient records, or pieces of
them, to block their exchange pursuant to this new rule as well as other
federal and state privacy laws.