HHS Extends Interim Final Rule's Expiration Date
Even though a final rule on Health Insurance Portability and Accountability Act (HIPAA) enforcement actions won't appear for another six months, violators won't be completely safe from civil monetary penalties (CMPs).
The Department of Health and Human Services (HHS) has delayed its final rule that establishes procedures for the Secretary to impose CMPs on covered entities (CEs) that violate HIPAA's Administrative Simplification standards, according to an interim final rule that HHS published in the Sept.14 Federal Register.
To avoid disruption of ongoing enforcement actions and allow HHS more time to review public comments on the rule, HHS has extended the final rule's expiration date from Sept.16, 2005 to March 16, 2006. With HHS' six-month extension of the interim final rule, covered entities (CEs) that violate HIPAA standards will face CMPs and other actions in the meantime.
To read the rule in the Federal Register, go to http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/pdf/05-18254.pdf.
Lesson Learned: HHS has put off the HIPAA enforcement final run but providers are still subject to CMPs.
HIPAA Privacy Requirements May Change In A Disaster
While you work hard to adhere to the Health Insurance Portability and Accountability Act's (HIPAA) strict privacy standards, you could see more relaxed requirements after a natural disaster.
The HHS Office for Civil Rights (OCR) issued special HIPAA compliance guidance on Sept. 9 for providers and insurers responding to individuals affected by Hurricane Katrina, which also translates for other natural disaster situations.
Health plans and providers can disclose health information to health care providers at shelters and facilities aiding hurricane evacuees, OCR says. Your business associates (BAs) can also disclose such health information, according to the HIPAA privacy rule.
Example: "A business associate agreement may broadly permit the business associate to make disclosures the covered entity is permitted to make, or may otherwise permit the business associate to make treatment or other disclosures as permitted by the Privacy Rule," OCR explains. You can amend your BA agreement if it doesn't allow such disclosures as well.
Health care providers can share individuals' protected health information (PHI) to provide medical treatment or to locate, identify and notify an individual's relative. You may also be safe from civil monetary penalties in situations where you are unable to comply because of the natural disaster, OCR says.
For further explanation of your HIPAA privacy requirements, go to http://www.hipaadvisory.com/regs/Regs_in_PDF/Katrina_HIPAA2.pdf.
Lesson Learned: The HIPAA privacy rule allows you to make health information disclosures to provide medical care to victims of a natural disaster.