Medical practices and other entities covered under the Health Insurance Protection and Portability Act of 1996 (HIPAA) are required to provide notification following a breach of unsecured protected health information. Because the Department of Health and Human Services’ (HHS) “Interim Final Rule” has never been finalized,anesthesiologists and other providers should refresh their knowledge of the breach notification requirements.
The September 23, 2009 Interim Final Rule on Breach Notification – Still in Effect
It is this regulation, which may be read in detail here: http://www.anesthesiallc.com/publications/ealerts/276-hipaa-privacy-rule-update-for-anesthesiologists– that continues to govern providers and their business associates.
Who is covered: HIPAA covered entities and their business associates [BAs] that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information (PHI).
What is required: Following a breach of unsecured PHI, covered entities such as anesthesia practices must provide notification of the breach to affected individuals, and – if the breach affects more than 500 individuals – to the Secretary and the media. In addition, BAs must notify covered entities that a breach has occurred.
There are exceptions, and, most important, a safety zone for PHI that has been “rendered unusable, unreadable, or indecipherable to unauthorized individuals” through the use of a technology such as data encryption specified by HHS. The Interim Final Rule appears to be one of the less onerous regulations to come out of HHS. An anesthesiology group that cannot prevent members or employees from keeping PHI on their laptops – a common source of security breaches – can at least arrange for encryption.
Despite the subjectivity of determining that disclosure has caused harm and thus warrants notification, HHS received 45 reports of such breaches occurring during the approximately three-month reporting period in calendar year 2009 (September 23, 2009, to December 31, 2009) and 207 reports in calendar year 2010, the first full calendar year for reporting, according to the HHS Office for Civil Rights’ (OCR) Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2009 and 2010. This Report contains numerous examples of breaches that will show physicians how easy it is to lose control of data.
A final rule on another proposal, to require specific accounting for PHI disclosures under HIPAA, is expected later this year.
About Anesthesia Business Consultants
ABC, established in 1979, is one of the largest billing and practice management companies dedicated to the complex and intricate specialty of anesthesia and pain management. It is both an American Society of Anesthesiologists Practice Management Supporter, and an Anesthesia Quality Institute Preferred Vendor. ABC employs industry leaders, operates under proven efficient processes, and utilizes technology advances to easily adapt to the ever-changing regulatory environment.