How New Health Care Privacy Laws Could Affect Your Business

Sweeping changes have recently transformed the American health-care landscape, forcing many small and medium-sized businesses (SMBs) to scramble to keep up. While the Affordable Care Act, or “Obamacare,” dominates the news cycle, other new regulations like the Omnibus Rule, which amends HIPAA (Health Insurance Portability and Accountability Act of 1996), promise to present even greater challenges for the SMB community.

First, a little background on exactly what the Omnibus Rule is. The American Recovery and Reinvestment Act of 2009, more commonly known as the “stimulus package,” made billions of dollars available to accelerate the adoption of electronic medical records. The stimulus also tacked on another amendment to HIPAA — the HITECH (Health Information Technology for Economic and Clinical Health) Act, which proposed expansion of existing HIPAA Privacy, Security, and Enforcement rules that govern the release of protected health information (PHI) and the process of reporting information breaches. As of September 23rd, those proposed expansions are now cemented under the Omnibus Rule.

What does this mean for SMBs? Well, the most important change is to whom HIPAA applies. In the past, HIPAA rules were aimed primarily at Covered Entities (CEs) — hospitals and other direct health-care providers — while the third-party Business Associates (BAs) who handled or processed PHI were bound by contract but didn’t face direct enforcement. Now, under the Omnibus Rule, BAs — legal, accounting, financial, claims processing, or billing — are also “on the hook” to follow HIPAA’s newly beefed up regulations. What do those regulations do?

  • Strengthen limitations on the use and disclosure of PHI
  • Prohibit the sale of PHI without individual authorization
  • Expand individuals’ rights to receive electronic copies of their PHI
  • Adopt enhanced rules about breach notification
  • Increase civil and criminal prosecution, along with monetary penalties, as a result of breaches

Here are examples of HIPAA-related questions to determine whether the new rules apply to your business:

Sound confusing — and even scary? CMIT Solutions is here to help. As a trusted technology advisor that focuses on excellence in business operations, we’re implementing specifically tailored HIPAA Compliant Managed Services™.

