Home Health & Hospice Week

HIPAA:

Shore Up Your HIPAA Compliance Before Enforcement Storm Hits This Year

Tip: You're not off the hook if the breach is your vendor's fault.

Electronic health records may cut costs and reduce errors, but they can also increase your compliance risk -- and draw scrutiny from the feds.

Wake-up call: You are accountable for compliance even if a third party installs and maintains your records system. Providers remain responsible for ensuring the same privacy protections as if they had their own IT department, points out Jim Sheldon-Dean with Lewis Creek Systems in Charlotte, Vt. Outsourcing the system does not outsource the obligation: the vendor is a business associate, and you still need a signed agreement with it and your own risk analysis of how the system stores and protects patient data.

The American Recovery and Reinvestment Act (ARRA) intensified HIPAA requirements, and Congress has allocated more dollars for HIPAA security compliance enforcement to the Centers for Medicare & Medicaid Services and the HHS Office of Inspector General, points out Wayne J. Miller, a health care attorney with the Compliance Law Group in Los Angeles.

Use this breakdown of the new HIPAA regulations to update your policies and procedures:

Stricter notifications: Under ARRA's HITECH provisions, you must notify affected patients "without unreasonable delay" and in no case later than 60 calendar days after you discover that unsecured protected health information was improperly "accessed, acquired or disclosed." Guidance suggests that this notice targets breaches of unencrypted data, says Miller; data that was encrypted in line with HHS guidance, or destroyed, is not considered "unsecured," so a lost encrypted laptop or backup tape does not by itself trigger notification. Note that the clock starts on the first day the breach is known, or by reasonable diligence would have been known, to any member of your workforce or any agent -- not on the day it reaches your compliance office.

If the data breach affects more than 500 people, you must also notify prominent media outlets serving your state or jurisdiction and report the incident immediately to the Department of Health and Human Services. Smaller breaches are not exempt: you must log every breach affecting fewer than 500 people and submit that log to HHS annually.

Enforcement shift: For the first time, ARRA extends liability for HIPAA violations directly to business associates and requires them to comply with the same security standards as providers, explains Miller.

You will likely need to modify your business associate agreements as a result, he suggests. Not everyone you do business with, however, qualifies as an associate -- for instance, a credit card company that processes your transactions would not be a business associate under ARRA. But a billing company or any other entity that keeps records for you would qualify, explains attorney Michael C. Roach of Meade and Roach and the Aegis Compliance & Ethics Center in Chicago.

Eye on disclosures: In addition, you are required to restrict all third-party protected health information (PHI) disclosures to a "limited data set" or the "minimum necessary," including those disclosures you make to health plans, said attorney Steven J. Fox at Post & Schell in Washington, D.C., during a recent Fierce Live webinar.

"Limited data set" and "minimum necessary" are defined in the original HIPAA regulations, so providers should look to the law's text when setting disclosure guidelines, Fox tells Eli. Also, expect to account for all disclosures you make from EHRs, including those for treatment, payment, and health care operations, for up to three years before a patient's request -- so make sure your system logs who released what, to whom, and when.

Marketing crackdown: The stimulus bill places new restrictions on the sale of PHI and marketing practices as well, added Fox.