HIPAA Y2K13: 2013 HIPAA Changes for Audiology Practices

Editor's note: This article is a transcript of a webinar - please download supplemental course materials.

Introduction

There are some new things coming forward in the re-imagination of HIPAA.  HIPAA, for those who do not know, is the Health Insurance Portability and Accountability Act of 1996, which was introduced under the administration of President Clinton.  To learn more about HIPAA, you can visit https://www.hhs.gov/ocr/privacy/hipaa/administrative/.  HIPAA carries both civil and criminal penalties.  It covers the standard transaction and code sets, the national provider identifier, the national employer identifier, HIPAA 5010 about how claims are supposed to be electronically submitted and in what format, HIPAA security, HITECH or breach notification, and HIPAA privacy.  We are going to talk about each one of these individually.  When it was originally passed in 1996, the effective date was April of 2003.  As of January of 2013, there have been some significant updates.  Other than 5010, which was not an update for providers but more of an update for systems, this is going to be the most drastic update.  I felt it was very important that we partner with AudiologyOnline to get this information out to you.

Standard Transaction and Code Sets

Let's take each aspect of HIPAA separately.  First are the standard transaction and code sets.  This aspect of HIPAA requires that the following code sets be utilized for documenting and billing all medical items and services to all payers.  First is the Current Procedural Terminology (CPT).  These are the 92 codes that we use to bill procedures.  Next is ICD-9, which will become ICD-10 on October 1, 2014. These are the codes we use for diagnosis.  HCPCS, the Healthcare Common Procedure Coding System, are the V codes that we use to bill for hearing aid, cochlear implant, and BAHA related items and services.  Some state Medicaid programs and many state Worker’s Comp programs are still allowed to utilize their own codes.  An example is Medi-Cal in California.  They still utilize their own codes.  All commercial payers and Medicare utilize the standard procedures and code sets of CPT, ICD-9, and HCPCS. 

National Provider Identifier

The second aspect of HIPAA is the National Provider Identifier, or NPI.  This requires that each individual provider utilize their own unique, individual provider identification number for all payers.  This number is going to stay with you as you move from employer to employer or if you work for multiple entities at the same time; this is still your NPI regardless of where you are working.  The NPI is managed by the National Plan and Provider Enumeration System, or NPPES.  You can access this at https://nppes.cms.hhs.gov/NPPES/Welcome.do  Your NPI is placed in box 24J of the HCFA 1500 claim form or its electronic equivalent.  That is where your number will always go. 

National Employer Identifier

Next we have the National Employer Identifier, or the EIN.  The EIN requires that each individual practice or facility utilize its own distinct practice or facility identification number for all payers.  This is a number for your clinic, not for you as the provider.  This is required for every practice or facility, except a sole proprietorship.  The EIN is issued by the Internal Revenue Service.  Each practice also needs a facility or practice NPI.  Again, you can get your facility NPI from NPPES.

HIPAA 5010

HIPAA 5010 was a systems update that went into effect January 1, 2012, and enforcement began on March 31, 2012.  It required a systems updates to allow for the transition to ICD-10.  It affected software vendors, payers, and clearinghouses much more than it did providers.  You had to ensure that any office management or billing system you were using had been updated to HIPAA 5010.  They needed to allow for the increased digits that are going to be required of ICD-10.  ICD-10 is a seven-character code which is going to be markedly different than the six character code we have now. 

Protected Health Information

As a reminder, with HIPAA, there are 18 pieces of protected health information (PHI).  It is much more extensive than people realize.  What is PHI?  PHI is anything governed by HIPAA that requires you to use or disclose that information with specific authorization, whether that is for healthcare operations, treatment, or payment.  PHI includes the following 18 things: 

• Patient name
• Patient street number, street name, city, and last two digits of patient’s zip code
• Dates directly related to the patient, specifically date of birth or date of eligibility that is unique to that patient
• Patient phone number
• Patient fax number
• Patient e-mail address; you cannot share e-mail addresses with a third party without a patient’s authorization.
• Social security number
• Medical record number or any medical identification numbers that are unique to your facility
• Health insurance member identification number that is unique to the patient
• Patient account numbers that are internal to your practice, but they can be traced back to the patient
• Certificate or license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers; this could be related to hearing aid or cochlear implant serial numbers that are unique to the patient
• URLs or individual Web sites or web addresses for the patient
• IP addresses
• Biomedical indicators such as finger, retinal, or voice prints
• Photos of the patient
• Any other unique identifying number, characteristic, or code

HIPAA Security

Now let's talk about HIPAA security.  This is one area where I am finding that audiologists are lacking in knowledge and adherence.  The security rule is an extension of the privacy rule.  It encompasses how you protect those 18 pieces of PHI.  It went into effect April 20, 2005.  It applies to electronic formats only.  While privacy applies to all paper and electronic formats, security only applies to electronic formats.  Providers need to have administrative safeguards, physical safeguards, and technical safeguards.  You also need to have policies and procedures related to how your security policy is managed and the documentation of training and any breaches.  For more information, you can visit https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf

We are going to talk more specifically about these.  Every practice that submits or stores anything electronic needs to have a security policy.  This needs to be in effect.  It should have been in effect for the last eight years.  If you do not have a security policy, it needs to be created.  Security policies are difficult to buy packaged or templated.  You can go out and research some options, but they are so specific to your facility, your systems, and your access that it is very hard to find a prepackaged version of a security policy.  As stated directly from the Health and Human Services Web site, covered entities must:

• Ensure the confidentiality, integrity, and availability of all e-PHI (electronic protected health information) that you create, receive, maintain, or transmit;  
•  Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated impermissible uses or disclosures;
• Have mechanisms in place in the event of a natural disaster where information can be lost;
• Have protections in place in the event that your database is hacked; things should be password-protected, and access to your systems must be restricted and documented as to who has access;
• Have policies and procedures in place as to how documents and information are destroyed or stored.

Security Rule

All of this revolves around the security rule.  You need to ensure that your staff complies with your security policy, that they are trained and that that training is documented.  Any non-compliance of a security policy is dealt with in a significant manner.  For more information, you can visit https://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Risk Assessment

Let's start with the first thing in the security rule, a risk assessment.  A risk analysis process includes, but is not limited to the following activities.  First is to evaluate the likelihood and impact of potential risks to electronic PHI.  If you have a flood, lightning strike, tornado, earthquake, hurricane, or fire, who has access to the building?  If a person has access, do they have access to the systems?  How and where are things stored?  How is your database backed up?  How is information destroyed?  How do you access your information if a natural disaster does happen?  How do you protect against external threats like hacking or things of that nature?  Do have safeguards in place?   Do you have software in place?  All of this needs to be documented in your security policy.  If something bad happens, how do you notify the affected patients?   You need to find out how you are going to evaluate the likelihood and impact of a potential risk.

Implement appropriate security measures to address those risks that you identify in your risk analysis.  Document your chosen security measures and, where required, the rationale for why you decided that those measures were important.  For example, I live in Chicago.  I do not need a measure about earthquakes or hurricanes because we do not have those, but I do need something in there about a tornado.  That could happen in my area.  If my systems were destroyed, I would need to state that the data is backed up on an external server, where that server is housed, and how we can access that information.  You must maintain continuous, reasonable, and appropriate security protections. For more information on this topic, you can go to https://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html or https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf

Administrative Safeguards

You need to have security measures to reduce the risks of breaching PHI.  It is most important that you have a password-protected system, that you have anti-virus and anti-hacking protections in place, and that things are externally backed up in the event of any sort of disaster or breach.  You are going to need a security officer.  Just like you needed a privacy officer for the privacy protections, you need a security officer.  Who is ultimately responsible for the maintenance of your security policy and the compliance of that policy?  Who holds staff accountable?  It is typically an owner, manager, director, or some senior staff person, but that needs to be documented, because they are the ultimate responsible party. 

You need information access management.  You need to regulate who has access to your computers and your servers.  It needs to be minimally-necessary access.  You should not give full access to everyone.  All those people should be documented, and the reason for their access should be documented.  Also very important is training and accountability.  Who is authorized to access PHI?  You need to train your staff on your policies and procedures.  More importantly, you need to sanction staff members who are noncompliant.  You can visit https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

Physical Safeguards

There are physical safeguards.  You have to limit and control people's physical ability to touch your facility systems.  The minimal number of people possible should be allowed to access your computers and software.  Workstation and device security is the proper use and access to workstations and electronic devices.  This is not just computers anymore; it can be phones or tablets, or NOAH patient platforms.  Everything that is contained in NOAH would all be protected.  It is very important to document who has access to this.  You need a policy and procedures related to the transfer of information from one device to another, in terms of backing up or removal.  How do you dispose of information from your system that you no longer need to maintain?  HIPAA's requirement for maintenance of health records is six years.  Many state laws and third-party contracts can extend that past six years.  You need to read both your state law and any third-party contracts you sign to determine how long you need to maintain those records.  If you are buying a used computer or a used piece of equipment, how is everything reused and maintained?  See https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

Technical Safeguards

There are technical safeguards to consider.  Control of access includes passwords to protect access.  You need to have audit safeguards to record and examine your access.  How do you audit to make sure that all your safeguards are functioning accordingly?  Integrity control ensures that people cannot go in without alerting the security officer to improperly alter, change, or destroy anything that is entered electronically.  Electronic health records should not be modified.  It is very important that you have those protections in place.  Transmission security includes protections against hacking.  For more information, visit https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Policies, Procedures and Documentation  

You must develop policies, procedures and documentation that comply with the security rule.  Those need to be in writing.  They need to be accessible to all your staff.  When you bring on new staff, they need to be trained, and that training needs to be documented.  Anytime you change your policies, you need to retrain and re-document that training.  Again, those policies need to be in writing, and you need to document staff training, actions, activities, and all your risk assessments.   

An offshoot of security is the HITECH breach notification.  Its effective date was September 17, 2010.  Let's first define what a breach is.  A breach is an impermissible or unauthorized use or disclosure of PHI.  That means you got hacked, a chart got lost, someone broke into your office, et cetera.  There has been a breach in your security in the protections of the health information.  You need to notify affected patients of breaches within 60 days of the occurrence of the breach.  Whether it was due to hackers, a fire or other natural disaster, you need to have a mechanism of finding out who those individuals are, and you need to notify those affected patients within 60 days. 

Providers and business associates have the burden of proof that notifications have been made.  A business associate is anyone to whom you disclose patient’s protected health.  Let me give you an example.  A hearing aid manufacturer would be your business associate.  You give them a patient’s name when you order a hearing aid.  Because they are your business associate, you are responsible for any actions they take with regard to the health information you gave them.  When there is a breach, you need to make sure that you have significantly documented that you have notified the affected patients.  If a business associate has a breach, they must notify you of that breach so you can notify your patients accordingly.  If a breach affects more than 500 people, you need to post that in the media, television or newspaper.  You will need to send it out on the Web site.   Also, if your breach is more than 500 individuals, you must notify the Department of Health and Human Services.  That size of a breach needs to be researched and documented.  You can find more information here: https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Let’s go back.  We talked about civil and criminal penalties.  What happens when breaches are accidental?  For example, there was the very unfortunate bombing in Boston.  Let’s say your office building was on Boylston Street.  If your building was in an explosion and papers started flying out, that would have been a breach.  That was something that you could not foresee or prevent.  That would be a breach where you would alert the media because it would probably affect more than 500 patients.  If you had a breach where you did not secure the access of your systems and a service that had access to your building was able to easily come in, turn on your computers, and access all the patient's health information because it was not password-protected or secure, that type of breach could carry a civil or criminal penalty.  You had not put in reasonable safeguards to secure the health information.  It is very important that you have proper security and breach identification policies in place and that you have reasonable steps of notifying patients in the event of a breach. 

I always tell people to imagine the shoe were on the other foot.  You want your health providers to protect your information.  You owe your patients the same courtesy.  This affects all providers: audiologists, hearing aid dispensers, anyone who does electronic transactions or has patient's demographic information.  The security policy only applies to the electronic format, but breach notification of privacy applies to both electronic and paper format.  All of us who keep patient information, regardless if we are an audiologist or a hearing aid dispenser, must abide by HIPAA, no matter the size of your practice.

Let's go to the privacy rule.  The privacy rule has protections for patients’ health information and protected health information.  It affects both paper and electronic records.  I do want to add a little caveat to something I just said.  If you are a small practice that does not do any transactions electronically, you may not have to abide by HIPAA.  There is a very good decision matrix that you can access to help you determine if you need to abide by HIPAA privacy.  The vast majority of providers, both hearing aid dispensers and audiologists, must abide by HIPAA privacy.  It protects against individually identifiable information, which is information that includes demographic data that relates to the individual’s past, present, or future mental health or condition.  This also says that the patient's medical records test results are also protected in addition to those 18 pieces of identifiable information.  It relates to the provision of health care to the patient, and the past, present, or future payment of the provision of healthcare.  You need to protect your financial records as they relate to the patient and those 18 pieces of identifiable health information.  Privacy relates to the patient's chart, whether it is electronic or paper, and all the contents within it. 

Privacy Rule

There are some specifics about privacy rule.  You need to keep disclosures to a necessary minimum.  For example, you do not need individual authorization or a use and disclosure that is related to treatment in order to send results to an ordering physician or to send information related to payments.  You may have to send patient information about what occurred in the test sequence to their payer or health care operations.  This includes anything revolving around your facility's ability to operate your practice by sending things to a clearing house or to your office management system.  You would not need a disclosure for that because it is about healthcare operations.  You do need to have security and privacy protections in place for those systems.  They need to be secure, but you do not need the patient's authorization to send things for those specific means.  The disclosures do need to be used at a minimum.  You do not want to send patient records to entities of which the patient did not request. 

You need a privacy officer.  This is the person in your practice that is ultimately responsible for privacy and privacy protections.  It is the person to whom a patient can reach out, to restrict disclosures, to add disclosures or to file a complaint.  You need to train all your staff on privacy.  Another great word for privacy is confidentiality of patient information.  Everyone needs to be trained on this, and it needs to be documented. 

You must have a patient complaint process so that if a patient feels like their health records have been compromised, they can restrict to whom you send their records.  For example, say a patient has Blue Cross/Blue Shield but they do not want you to file a claim with Blue Cross/Blue Shield for an item or service you provided, even though you are in network.  They have the right to restrict you from disclosing information about a procedure they had done, for which they paid privately.  Patients have the right to restrict that kind of disclosure.  You need a mechanism for them to complain if things were not followed as they requested. 

You must have record safeguards for storage, disposal, and access.  Are your records secured?  Can they be locked up at the end of the day?  Who has access to patient charts and systems?  How are the records disposed?  Are you formally having them shredded?  Is that shredding documented by a reputable agency where you know what happens to the shredded materials after the shredding?  Those things all need to be documented.  Who has access to patient charts?  Access can be a janitorial service, computer service, even subcontracted outside vendors.  That all needs to be documented, and they need to agree to your security and privacy policies. 

Authorization

There are three situations with certain limits that do not require specific authorization: treatment, payment, and health care operations.  Any other disclosure requires authorization, and a patient can, at any time, limit or require a report of who you have disclosed things to, even if those reportings have been for treatment, payment, or health care operations.  A patient has a right to know those disclosures.  When this might happen?  If a patient’s identity was stolen and they are going through identity theft mechanisms, they may be coming to you to determine if their identity was compromised and stolen from your site.  It is important that they if they ask for a reporting of their disclosures that you have the ability to supply that.  See https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

A disclosure is something also very similar to the old release of medical records.  If this were my practice, at the initial intake, I would have the patient document where they wanted copies of their test results to be sent.  I would want that documented in writing from the patient.  If a patient wants records sent to themselves or to any other entity that is not documented on the original intake form, I would have the patient sign a use and disclosure form indicating what records they want disclosed and who specifically they want them disclosed to, and for which specific dates of service.  I would not be using a medical release form.  I would be using HIPAA language on a HIPAA use and disclosure form.  It is very important that any disclosure made is one that the patient authorizes.  For example, would you necessarily need the patient to authorize the disclosure to a hearing aid company?  It would be part of healthcare operations and treatment.  But again, you need to make sure that that hearing aid manufacturer, on the other end, has a business associate agreement in place with you to protect that health information just as you would.  Additional disclosures beyond treatment, payment, and health care operations need to be authorized by the patient. 

Marketing

The privacy rule defines marketing as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” (https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html) We need to ask ourselves when we are sending, mailing, or disclosing marketing to patients, “What is our purpose?”  If our purpose is to educate, you would not need a disclosure.  If our purpose is to drive them to purchase something through a discount or promotion, you need an authorization from the patient, even if that marketing is just coming from your office.  This also applies if you are giving their information to a third-party insurer or vendor.  If you are sending patient information to a vendor so they can send marketing materials on your behalf, you must have that patient’s authorization to do so.   I cannot stress this enough. 

The marketing provision became noticeably stricter and more straightforward in the Omnibus rule that goes into effect in September of 2013.  It is vital that every provider, audiologist and hearing aid dispenser have an authorization to market to their patients before they do so.  Again, marketing is an “arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity for the entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.”   Ask yourself if your purpose is marketing.  If so, you need an authorization.  If you do not trust what I am telling you, this is clearly documented at this Web site: https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html

Business Associate

“A business associate is a person or organization, other than the member of a covered entity's workforce, that performs certain functions or activities on behalf of or provide certain services to a covered entity or provider that involve the use and disclosure of individually identifiable health information.  Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.  Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation or financial services.” (https://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html)

Providers are responsible for the actions of their business associates.  If your janitorial service breaches patient information to which they been given access, you are ultimately responsible, even though they are the ones who initiated the breach.  You are ultimately responsible because they are your business associate.  You are both on the hook.  Some examples of business associates in audiology or hearing aid dispensing are hearing aid manufacturers, ear mold manufacturers, cochlear implant or osseointegrated device manufacturers and assistive listening device manufacturers where a patient name is associated with the purchase order, your janitorial service, your accountant, your lawyer, your software vendor, your computer consultant, and your landlord, if they have keys to your suite.  Business associates include others in your office space who are separate contractors from the landlord, as well as your equipment calibration and maintenance people, especially those who can access NOAH or computerized audiometers.  Anyone who could touch patient information would be a business associate if they are not in your employ. 

You need to have an agreement between you and the business associate so that you have protections for their actions.  They sign that they are accepting responsibility for protecting patient health information.   There is a sample business associate agreement available on the Health and Human Services Web site.  The business associate is something that I have seen available at no charge from national association Web sites.  Some national audiology associations do have packaged HIPAA materials, with the exception of security policies, because they are so specific your systems.  You can buy these packaged.  You would just need to reach out to your national association to see what they have available.

Omnibus Rule

Now let's go into the new HIPAA.  This is the Omnibus rule that became effective on September 23, 2013.  This means you must update your HIPAA material by September.  Business associates are any entity that creates, receives, maintains, or transmits protected health information on behalf of a provider who supplied this information to them.  Any contractors and subcontractors of that business associate are required to comply with the updated HIPPA privacy and security rules, including breach notification.  You must have 2013 business associate agreements created and re-signed.  Those of you who never had a business associate agreement in place, make sure you get them done.  Those of you who already have gone through the HIPAA process of having business associate contracts signed, you need to have them completely redone.  There is no addendum.  They need to contain all the language that is required for the Omnibus rule and breach notification.  They need to be completely updated to the new Omnibus rules and re-signed if they were signed before March 23, 2013.

Also in the Omnibus rule, patients have the right to request that a copy of their electronic medical record be supplied to them in an electronic format.  If you have an electronic medical record (EMR) or an office management system where things are stored electronically, the patient has the right to receive that information electronically either in an e-mail on a flash drive or disk.  They need to receive that in electronic format.  Patients who are paying privately for an item or service have the right to restrict any disclosure about this item or service to their health care plan.  Let's say a patient buys hearing aids privately, and their health plan wants to see records.  They have the right to restrict their health plan from seeing records of things for which they paid privately. 

Marketing has been redefined as any patient communication where the provider receives financial remuneration from a third-party whose products or services are being marketed.  When marketing is performed using PHI, a patient authorization must be in place prior to sending this marketing communication.  In other words, as I have said before, you must have an authorization from a patient.  You can get this authorization up front at intake.  Fill out your marketing authorization accordingly and put any potential vendors or entities you might utilize for third-party marketing, such as Vistaprint, Constant Contact, Sycle, et cetera, and maintain that on file. 

The sale of PHI is prohibited.  You cannot sell patient e-mail addresses.  That is distinctly prohibited.  There must be a defined breach notification process where the situation is presumed to be a breach until the provider, business associate, contractor, or subcontractor determines that there is a low probability that the patient's privacy has been compromised.  A risk assessment must be performed any time there is a breach of PHI.  Let me give you a common example.  You cannot find a chart.  If you cannot find a chart, that is a breach.  That patient needs to be notified in writing that their chart was lost, that you have protections in place, and that you think it was a low-probability breach, but you do not know.  You need to have protections in place.  This is why you do not let people take charts home; you are responsible for the chart that has left your office.  It is very important that you consider a missing chart a breach and that you go through a risk assessment on that breach.  All of that needs to be documented.  The patient should also be notified if you do not find the chart.  You do not know if someone may or may not have stolen it.  It is very important that you take these things seriously.  An identity thief does not have to steal 10 charts; they could steal one.  They could steal one every day for a week and you may never notice it.  That is why it is so important that you have all the security and privacy protections and safeguards in place, business associate agreements signed and documented, and training signed and documented. 

The Omnibus rule allows for broader use of PHI for fundraising opportunities.  If you work for a non-profit and you want to fundraise through your database, I strongly advise that your organization secure the assistance of legal counsel to determine how you can fundraise without specific authorization.  It allows for a streamlined authorization process for the use of PHI for research purposes.  If this is something where you are a research entity or a research institution, I strongly advise that you have counsel look into how it affects your specific research scenario and facility.  Have them advise you accordingly about how you can use PHI to locate research subjects.  You may need authorization; you may not.  For example, you may just need one authorization for a patient be contacted for 10 or 100 different studies.  It depends on your specific situation, which is why I strongly advise you to consult legal counsel for both research and for fundraising activities.

Penalties have increased to up to $1.5 million maximum per calendar year, but many fines range around $150,000 per violation and degree of culpability.  By degree of culpability, we mean how many safeguards did you have in place?  What were your policies?  Were your policies followed?  Were things documented?  Was your staff trained?  Did you have business associate agreements in place?  Where those protections in place?  Did you have an updated privacy policy?  With all of those things in place, your degree of culpability will be lower, thus your fine will be lower.  If you do not have a security policy or business associate and you get hacked, you could be in some very significant trouble.  It does carry a criminal penalty of up to 10 years in jail.

What Every Practice Needs

Let's talk about what every practice needs in 2013.  Any practice that submits, stores or transmits anything electronically or a practice of a certain size will need to make sure they have several things in place.  You will need a revised Notice of Privacy Practice as of March 2013 or after, a March 2013 or newer revised and signed Business Associate Agreement, a March 2013 or newer Breach Notification Policy that has to be added to your security policy, a March 2013 or newer Patient Marketing Authorization.  If patients have signed privacy policies prior to March 2013, your privacy policy needs to be redone and you need a new receipt of notice.  If a patient signed a marketing release prior to March of 2013, you need an updated marketing authorization, and it needs to be re-signed by the patient.  If you have a business associate agreement that was signed and updated prior to March 2013 or signed after March 2013, you need to have those redone with an updated business associate contract that is signed after March 23, 2013. 

Every facility needs an NPI and every individual provider needs an NPI.  You need a use and disclosure form.  This form takes the place of the old medical release forms.  This form needs to be in HIPAA language, and it needs to follow all the regulations required by HIPAA for uses and disclosures.  You need an Acknowledgement of Receipt of Notice of Privacy Practices.  It can either be a freestanding form or it can be a box-and-initial statement on your patient registration form.  Your Acknowledgment of Receipt of Notice of Privacy Practices is the only thing that can be reduced or truncated.  You cannot reduce a notice of privacy practices, a business associate agreement, or a marketing authorization.  They have very specific requirements and, as a result, they cannot be shortened. 

You need a security policy and process.  You need a breach notification policy and process.  You need a risk assessment process.  How do you determine the risks that exist in your practice related to protections, both electronic and physical patient PHI?  If you utilize the services of an independent contractor or you are an independent contractor, you need an independent contractor agreement in writing that includes HIPAA protections and language.  It is extremely important when you enter into an agreement with a third party to provide services that you have an independent contractor agreement in writing that has been created by your own legal counsel to protect you, if you are the independent contractor. 

You need documentation of staff training and the dates, including signatures by the staff acknowledging that they were trained.  Staff training should occur at least once a year and any time you have a new hire.  You need every employee to sign a confidentiality agreement that you created with legal counsel that protects you in the event that you have an employee leave.  There are many horror stories of the employee leaving and going to a competitor, and taking patient names and e-mails or phone numbers with them.  That is a significant HIPAA breach, and that is a criminal action.  It is very important that you have employees sign these agreements to protect you if they do this type of action, especially an employee that has been afforded access.  It is very important that you have a legally binding agreement between you and every one of those employees that have access, to protect you in the event that they purposefully or negligently breach patient records.

Summary

We have gone into a very encompassing view of HIPAA today.  The moral of the story is you need to update almost everything for 2013.  It is the most significant change in HIPAA since HIPAA first came to be 10 years ago.  If you have questions or you would like to see what materials are available, please reach out to the audiology professional associations of which you are a member.  If you Google “HIPAA materials” you will find many vendors available that can help you with materials and templates.  You may also choose to utilize your legal counsel to help you get updated and stay HIPAA compliant.