This article was reprinted with permission from Michael Volkov’s Corruption Crime & Compliance.
Everyone old enough to remember will recall Y2K – the year our world was supposed to end in a catastrophic transition from December 31, 1999 to January 1, 2000. Instead, since we are still here, we all recall what happened: nothing.
September 23, 2013 was the day when the new HIPAA regulations for covered entities came into effect. Despite all the whining and predictions of disaster, we all continue to exist and the world did not end. What happened? A lot has happened.
The regulations gave all covered entities 180 days to comply with the new HIPAA requirements, which impose new and significant obligations on covered entities to revise their HIPAA policies. Covered entities should have updated their HIPAA compliance policies and procedures, their notices of privacy practices and their business associate agreements for protecting sensitive health information from disclosure.
The key areas to change included:
Patients’ authorizations or restrictions on protected health information (PHI) disclosures: Covered entities have to: (1) honor patients’ requests to restrict disclosure of PHI to a health insurance plan when a patient pays for the service out-of-pocket; (2) obtain patient approval to sell the patient’s PHI, which includes direct or indirect payments from other parties for PHI; (3) obtain patient authorization to cover all treatment and health care communications where the covered entity may obtain money from a third party (e.g., a drug or device company) and (4) permit patients to obtain an electronic record of their PHI.
Breach notification: Covered entities have to notify patients of a breach of their PHI, including an impermissible use or disclosure of PHI (unless the covered entity demonstrates that there is a low risk that PHI was compromised).
Fundraising notices: Covered entities have to give patients an opportunity to opt out of receiving fundraising notices.
Training: Covered entities should have updated their HIPAA training programs.
Notice of privacy practices: Documentation must be updated and redistributed to reflect the changes to privacy and security practices. The NPP has to explain to patients that: they will be notified if their PHI is subject to a breach, they may opt out of fundraising communications, their PHI may be communicated to a health plan and any uses and disclosures beyond those described in the NPP require patient authorization, including any “sale of PHI.”
Covered entities must make the NPP available upon request, distribute the modified notice to new patients, and display the NPP at the office, including on the website.
Finally, with respect to business associate agreements (BAA), covered entities were required to review all vendor relationships to ensure compliance with new regulations. Each vendor who creates, receives, maintains or transmits PHI must have a BAA in effect.
The covered entity has until September 22, 2014 to amend BAAs entered into prior to January 25, 2013. Updated BAAs must include provisions requiring the business associate to share responsibility for breach notifications and the protection of PHI. The BAA also must require the obligation to secure similar protections from its subcontractors.
Michael Volkov is the CEO of The Volkov Law Group LLC, where he provides compliance, internal investigation and white collar defense services. He can be reached at email@example.com. His practice focuses on white collar defense, corporate compliance, internal investigations, and regulatory enforcement matters. He is a former federal prosecutor with almost 30 years of experience in a variety of government positions and private practice.
Michael maintains a well-known blog: Corruption Crime & Compliance which is frequently cited by anti-corruption professionals and professionals in the compliance industry.Michael has extensive experience representing clients on matters involving the Foreign Corrupt Practices Act, the UK Bribery Act, money laundering, Office of Foreign Asset Control (OFAC), export controls, sanctions and International Traffic in Arms, False Claims Act, Congressional investigations, online gambling and regulatory enforcement issues.
Michael has assisted clients with design and implementation of compliance programs to reduce risk and respond to global and US enforcement programs.
Michael has built a strong reputation for his practical and comprehensive compliance strategies.Michael served for more than 17 years as a federal prosecutor in the U.S. Attorney’s Office in the District of Columbia; for 5 years as the Chief Crime and Terrorism Counsel for the Senate Judiciary Committee, and Chief Crime, Terrorism and Homeland Security Counsel for the Senate and House Judiciary Committees; and as a Trial Attorney in the Antitrust Division of the U.S. Department of Justice.
Michael also has extensive trial experience and has been lead attorney in more than 75 jury trials, including some lasting more than six months. His clients have included corporations, officers, directors and professionals in, internal investigations and criminal and civil trials. He has handled a number of high-profile criminal cases involving a wide‐range of issues, including the FCPA and compliance matters, environmental crimes, and antitrust cartel investigations in countries all around the world.