HIPAA/HITECH Update
LYNDA M. JOHNSON
Friday, Eldredge & Clark

HITECH Act – Privacy and Security
Extended the reach of the HIPAA Privacy and Security Rules to business associates (BAs)
Imposed breach notification requirements on HIPAA covered entities (CEs) and BAs
Security Rule Compliance
Necessary steps for Security Rule compliance:
Conducting a formal security risk assessment;
Implementing written policies and procedures with respect to Security Rule standards;
Providing security training to workforce members;
Amending BAAs to include provisions required by the Security Rule; and
Appointing a Security Officer to oversee Security Rule compliance efforts.
Each downstream subcontractor BAA must be at least as stringent as the primary BAA between a BA and the CE
“Protected health information” is defined to exclude information about a person who has been deceased for more than 50 years.
Covered entity must agree to an individual’s request to restrict disclosure of PHI to a health plan if:
If a compound authorization conditions treatment on participation in research, it must clearly identify the conditioned components and give the individual an opportunity to opt in to the unconditioned research activities.
On February 6, 2014, CMS published a final rule that amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to give a patient, or a person designated by the patient (his or her “personal representative”), access to the patient’s completed test reports upon request of the patient or the patient’s personal representative.
At the same time, this rule eliminates the exception under the HIPAA Privacy Rule to an individual’s right to access his or her protected health information when it is held by a CLIA-certified or CLIA-exempt laboratory.
While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.
Under the HIPAA Privacy Rule, patients, their designees and their personal representatives can see or be given a copy of the patient’s protected health information, including an electronic copy, with limited exceptions.