Pediatricians and medical offices have been wrestling with the Health Insurance Portability and Accountability Act (HIPAA) for more than a decade. The aspects of HIPAA most relevant to physicians, health clinics, hospitals, and other Covered Entities are the Privacy and Security Rules for protected health information. First implemented in 2000, and updated in 2013 via the Health Information Technology for Economic and Clinical Health (HITECH) Act, HIPAA has dramatically changed how patient health information is kept private and secure. Practices that have not updated their HIPAA compliance materials and daily office operations since 2009 in order to comply with HITECH need to do so right away.
With new rules on what to do if a patient's health data are breached, additional requirements for business associate agreements, enforceable fines and penalties, and potential HIPAA audits, pediatricians are well-advised to keep their HIPAA policies and procedures up-to-date and incorporated into daily practice operations.
Pediatricians and practice managers can stay abreast of HIPAA/HITECH issues and updates via AAP News articles and other resources found on this website.
Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.
HIPAA Privacy and Security Compliance Manuals
HIPAA requires all covered entities, such as physicians, health clinics, hospitals, laboratories, and pharmacies, to develop and implement HIPAA Privacy and Security Compliance Manuals. Because this is no small task, template manuals have been developed for pediatric practices. AAP members may download them for free.
A brief overview of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and its implications for the privacy provisions of HIPAA.
Because pediatricians and pediatric practices are considered Covered Entities, they must know and meet all the relevant requirements under HIPAA. Understanding what it means to be a Covered Entity is essential to being HIPAA compliant, and particularly important now that HIPAA is being more rigorously enforced.
HIPAA requires pediatric practices and other Covered Entities to identify their Business Associates--other people or entities that are involved in the use or disclosure of protected health information on behalf of the Covered Entity. These Business Associate Agreements have been around since HIPAA was first implemented, but must be revised to comply with additional provisions imposed by the HITECH Act.
Breaches of Protected Health Information
A major change to HIPAA compliance is the significant toughening of the notification laws for breaches of protected health information, which now not only impose larger fines and require more extensive public notifications when data is lost, but also apply to a health care provider's Business Associates.
Parental access to their child's or adolescent's protected health information is a complex issue. Pediatricians and relevant medical office personnel need to understand these complexities and take appropriate steps to incorporate these factors into HIPAA policies and procedures and day-to-day operations.
Failure to comply with HIPAA can result in civil and criminal penalties. The Health Information Technology for Economic and Clinical Health (HITECH) Act has strengthened the enforcement provisions. Not only are physician offices and other Covered Entities subject to HIPAA investigations by the Office for Civil Rights (OCR) when health care consumers lodge complaints; other events can also trigger OCR action.
Destruction of Protected Health Information
This article provides guidance on the destruction of health information for all healthcare settings including medical offices.