Is it necessary to be HIPAA compliant? Have you ever wondered why? Although the Health Insurance Portability and Accountability Act (HIPAA) has been in place since 1996, medical offices did not start getting fined for non-compliance until just a few years ago. Like any law, HIPAA has been modified several times over the years and, like any law, is open to argument, interpretation and yet more adaptation. Because HIPAA affects the storage of electronic records, best practices for compliance need to change as technology evolves.

There have been several modifications to HIPAA over the years. They include provisions covering third-party vendors, new regulations about a patient’s right to his own records and new rules affecting those in the mental health care field. It is a good idea to stay apprised of all the new laws and to make sure your employees are aware of them as well.

New rules for business associates.

As of September 23, 2014, business associates of health companies became directly responsible for their own HIPAA compliance. However, healthcare companies themselves would be well advised to make sure any third party they deal with is compliant.

Vendor rules can affect more aspects of your business than might meet the eye. For example, if you contract a food vendor and they are working with your dietician on a patient’s food plan, the food vendor may be privy to a patient’s health information based on the patient’s menus. Hence you would want to make sure the food vendor is HIPAA compliant. If a business associate violates HIPAA, you are responsible for seeing that they correct the violation, and if they do not, you must stop doing business with them.

Business associates are also responsible for making sure that their subcontractors are compliant with HIPAA regulations. The subcontractors themselves may not be subject to HIPAA regulations, so you may want to ask your business associates how they select and train their subcontractors.

A Patient’s right to his records

The HIPAA law allows a patient to access and amend his or her own health records, whether they have been treated by a government-run medical facility or a doctor in private practice. There have been a few modifications over the years.

In 2009 the rule was modified to give patients the right to request electronic access to their health records. A company will want to make sure it is technically capable of allowing patients to access their records, and that they are able to do so in a safe online environment, even if the patient is accessing their information from home. Therefore, it is a good idea to have professional IT help with data encryption and other forms of online security.

Modification to strengthen Firearm Background Check System

In response to increasing concerns for the public’s safety, President Obama modified HIPAA in January of 2016 to permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of people who are prohibited by Federal law from having a firearm due to mental health reasons.

The information that can be disclosed is quite limited and only applies to a small number of patients. If you work in the mental health industry, you will definitely want to familiarize yourself with this modification to the law and work with an IT expert to make sure you are technically capable of getting the information to NICS in a way that complies with the law.

Metro Networks can help your company comply with all HIPAA laws. Feel free to call our IT specialist for an estimate at 559-492-5985.