01-15-14 
 
What and How
 
The information we provide is our opinion and does not constitute legal advice.
  
We hope you find this column useful. Please let us know.
  
The MalvernGroup Team
MalvernGroup on Twitter
Did you know that we post our alerts on Twitter? You can access prior alerts on Twitter here. Retweet us! 
 
HIPAA Checkup
  
Notice of Privacy Practices

 

This is the 4th in the series of HIPAA Checkups focused on the Office for Civil Rights' (OCR) recently published Guidance documents that address the changes within the Omnibus Rule.

 

The Omnibus Rule, published in January 2013, modifies the section in the Privacy Rule that is focused on the Notice of Privacy Practices (Notice). [See 45 CFR 164.520 Notice of privacy practices for protected health information].

 

Changes to the Notice, under the Omnibus Rule, affect the required statements that must be made in the Notice and affect requirements for provision of the Notice for Health Plans. In the Preamble to the rule, OCR stated that many of the changes are material changes. In other words, the changes are major, and you will have to update your Notice document.

 

Significant changes about Notice statements include:

  • Clarification of what uses and disclosures require an authorization
  • A new statement that uses and disclosures that are not described in the notice require an authorization
  • If applicable, a statement that an individual has the right to opt out of receiving fund-raising communications
  • If applicable for health plans (see the Rule for specifics), a statement that use or disclosure of genetic information for underwriting purposes is prohibited
  • Clarification that a request for restriction of disclosure must be agreed to if an individual self-pays in full for a provider's services
  • Clarification that the covered entity is required to notify affected individuals following a breach of unsecured protected health information.

 

For material changes to a health plan's Notice:

  • A health plan that posts its Notice on its web site must post the changes by the effective day of the material changes and use its next annual mailing to provide information about the changes and how to obtain the revised Notice.
  • There are no changes for provision of the Notice if a health plan does not post its Notice on its web site.

 

Click here for access to model notices developed by OCR and ONC.

 

As usual, OCR has provided frequently asked questions within their guidance. For Notice of Privacy Practices FAQs, click here.

 

Over the years, in our consulting engagements, we have seen Notices that were difficult to read and frequently followed the exact language of the rule. In both our consulting and personal experiences, we have observed providers who do not post the Notice, and in some cases support staff who don't know where to find the Notice! And in most cases, staff members neither know the purpose of the Notice nor understand the content.

 

What to do now:

  • If you have not revised your Notice, review the model notices (see the link above) to get some ideas about what could work well for your covered entity
  • Revise your notice
  • Train your client-facing staff so that they understand the new notice and how to provide it on demand
  • For providers, post your updated Notice where it is visible to all patients and visitors
  • For health plans, post your updated Notice on your website and notify members in your next annual mailing.
In Case You Missed Last Week's Checkup click here

Next Alert's Checkup Topic
CLIA Delay   
  
       
 
  Here are this week's alerts
 
Data Breach at Phoebe Putney Memorial Hospital Affects 6,700
 
Click here for the beckershospitalreview.com article

Click here for the notice
  
Laptop stolen from N.M. Oncology and Hematology Consultants
 
Click here for the healthitsecurity.com article
  
WA: Fire Department Medical Response Records and Personnel Information Hacked
 
Click here for the phiprivacy.net article
  
Mock Cyberattacks Coming to Healthcare
 
Click here for the healthcareitnews.com article
  
IRS Seizes 60M Medical Records for Massive Tax Fraud Investigation
 
Click here for the healthcareitnews.com article
  
NY Court of Appeals Rules Employer Not Liable for Actions of Employee Acting Outside Scope of Employment
 
Click here for the phiprivacy.net article
  
CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs
 
Click here for the OIG report
  
ONC Announces The Blue Button Innovation Challenge: Boston
 
Click here to learn more
  
Why Training Doesn't Mitigate Phishing
 
Click here for the govinfosecurity.com article
  
A Standard Model For Evaluating Return On Investment From Electronic Health Record Implementation
 
Click here for the healthaffairs.org article
  
Breach Law: Kentucky the 47th State?
 
Click here for the govinfosecurity.com article
  
7 Security Mistakes People Make With Their Mobile Device  
 
Click here for the csoonline.com article
  
Mapping HIE Governance
 
Click here for the hiewatch.com article
  
Why 2013 Was The Year of The Personal Data Breach
 
Click here for the pcworld.com article
  
KPMG: Health Care Organizations Unprepared for Switch to ICD-10
 
Click here for the ihealthbeat.org article
  
5 Insights From Digital Health CEOs at JP Morgan Healthcare Conference
 
Click here for the medcitynews.com article
  
New Ransomware, More Insidious Than CryptoLocker, To Go On Market
 
Click here for the scmagazine.com article
  
Many Feds Take Security Risks With Laptops, Smartphones and Tablets
 
Click here for the nextgov.com article
  
Internet of Things and Principal Cyber Threats
 
Click here for the securityaffairs.co article
  
Pressure to Protect Health Data Intensifies
 
Click here for the healthcareinfosecurity.com article
  
ONC Issue Brief: Using Health IT to Put the Person at the Center of Their Health and Care by 2020
 
Click here for the healthit.gov issue brief
  
Mass. Providers Can Now Query Patient Data
 
Click here for the hiewatch.com article

Click here for the boston.com article
  
HIE Privacy, Security Best Practices: A review
 
Click here for the healthitsecurity.com article
  
A Busy Doctor's Right Hand, Ever Ready to Type
 
Click here for the nyt.com article
  
2014 Top Tech Predictions from IEEE Computer Society
 
Click here for the healthdatamanagement.com slide show
  
The Insider Threat - How Privileged Users Put Critical Data at Risk
 
Most of this vendor's white paper is informative and contains both management and technical content.

Click here for access to the sponsored white paper
  
In Case You Missed It
  

New NPRM: "Administrative Simplification: Health Plan Certification of Compliance"

Click here for the NPRM

4-year Long HIPAA Breach Uncovered
  
Click here for the healthcareitnews.com article
  
Barry University Informs Patients of Malware-Caused Data Breach
  
Click here for the beckershospitalreview.com article

 

Judge Dismisses HIPAA Claims Arising From Omnicell Laptop Theft
  
Click here for the article
Featured Product: Breach Response Policy and Procedures for Covered Entities
 
Click here to see why you need this product
 
About Us

MalvernGroup and its Team Members provide HIPAA privacy, security, and business continuity consulting services. MalvernGroup and Susan A Miller J.D. publish this email newsletter, a weekly commentary on healthcare news and events, comprehensive regulatory analysis, briefings, and how-to documents. Click here for additional information

 Click here to tell us what you need

 See prior MalvernGroup Alerts on Twitter

 Thank you for your continued interest

 The MalvernGroup Team