The new HIPAA rule brings a few significant changes for covered entities. It is important to remember that doctors, clinics, psychologists, dentists, and chiropractors that transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard are considered covered entities.

Along with increasing the ability for HHS to impose fines in higher amounts, the new rule states additional provider obligations. These changes involve the request of electronic copies of records, the request to restrict disclosure, and the burden of proof on providers in the event of a disclosure.

1)The new rule decreases the time allotted to providers for fulfilling a request for electronic copies of records. The allocation period has been decreased from 60 to 30 days from the time the patient makes the request. However, there is an option for a one-time extension of 30 days.

2)Patients have a right to request restrictions regarding disclosure of PHI to their health plans. Keep in mind that they are required to fully pay for the healthcare service out of pocket to request this restriction.

3)An automatic presumption of breach challenges providers. The old standard found a breach reportable if it posed “significant risk of financial, reputational, or other harm” to an individual. Now the provider must prove through a risk assessment that the likelihood of harm from the disclosure is low or it is presumed a reportable breach.

It is more important than ever to take proper compliance measures. Reduce your risk by encrypting data, keeping policies and procedures up to date, and providing ongoing training for your staff.