The Department of Health and Human Services (HHS) released a final rule that requires companies to comply with a variety of new HIPAA provisions by Sept. 23, 2013.

As a provider, you are probably wondering what all of these new provisions mean for your company. It will be the responsibility of your office staff to begin making all of the necessary updates to applicable HIPAA forms and prepare action items for all of the privacy and security requirements. The following FAQs should help your staff prepare for these changes by September.

What has changed with regard to HIPAA?

The new provisions that HHS released in January 2013 address all of the required changes to HIPAA stemming from the Health Information Technology for Economic and Clinical Health Act (HITECH). This Act was passed by Congress in 2009 to not only provide regulations to safeguard electronic health information but also incentivize physicians to adopt electronic health records (EHR) through the meaningful use program. The main changes to HIPAA that home medical equipment companies need to be prepared for include:

  • Updated notice of privacy practices form
  • Expanded scope of business associate agreement
  • Changes to breach notification requirements
  • Required patient access to electronic medical records
  • Protecting the privacy of self-pay patients' medical records
  • Marketing requirements
  • Changes in criminal and monetary penalties for violation of HIPAA

What are the steps I need to take in my company to comply with these changes?

Step 1: Assign a compliance officer to be in charge of all the required changes if you have not previously done so.

Step 2: Have this compliance officer update your HIPAA policies and procedures manual to address the new changes by Sept. 23, 2013. You can use VGM’s HIPAA templates as a starting point. (Email

If you have an EHR in your office, pay special attention to the new policies that will need to be created for electronic protected health information, including breach notification requirements, an accounting of all disclosures, and the right of patients to access their own electronic medical record within 30 days of their request. Additionally, a new policy will need to be created to address the provision requiring providers to withhold disclosures of protected health information (PHI) to the patient's insurer when the patient requests the restriction and pays for the service completely out of pocket.

Step 3: Begin using your updated notice of privacy practices form for all patients on or before Sept. 23, 2013. Post a new copy of this form in a visible location in your facility. Have all patients sign the updated form, even if they are established patients.

Step 4: Have the compliance officer analyze all of your vendors to determine which should be classified as business associates under the revised definition, which covers any vendor that creates, receives, maintains or transmits PHI on your behalf (for example an EHR vendor or a hosting or data-storage provider) as well as that vendor's subcontractors. Ensure you sign a new business associate agreement with each of these vendors in advance of the Sept. 23, 2013 implementation date, as the new HIPAA regulations make business associates directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them.

Step 5: Train all clinical and non-clinical staff on the new policies and procedures. If you have an EHR in your office, ensure staff know your breach notification requirements and the policies that protect electronic PHI, including maintaining strong passwords, securing wireless access, and the other safeguards you have adopted.

How should I comply with the provision requiring my company to not disclose health information to the payer if the patient pays in full? I don’t want to create two separate records/charts for these types of instances.

A new provision in the HIPAA rule requires that companies not disclose a patient’s medical record to their insurer if the patient pays for the service completely out of pocket and requests this confidentiality. If you do not have an EHR in your company, you will have to create a log or system that keeps track of these requests and ensure staff are trained not to inadvertently disclose the chart containing the restricted information to the insurer. If you have an EHR, speak with your vendor to determine how to flag the restricted information in the medical record and protect it from being disclosed to the insurer. You should also train your front desk staff to identify patients who may ask for this restriction (such as those who do not provide insurance information when making their appointment). Additionally, revise your financial policy form to include this information and always have these patients pay their full charge up front, since the restriction only has to be honored once the service has been paid for in full.
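As an added illustration of the "flag and protect" approach described above (this is example code, not VGM's or any EHR vendor's), the following script keeps a restriction flag on each encounter and enforces it at the single point where claims leave for the payer. The record layout, the field names and the sample encounters are constructed for the example; the one rule it encodes is the page's: the restriction is mandatory only when the patient both asked for it and paid the charge entirely out of pocket.

```python
"""Restriction flag enforced at the payer-disclosure boundary.

Added illustration, not VGM's or any EHR vendor's code. The record layout,
field names and the sample encounters below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Encounter:
    encounter_id: str
    patient_id: str
    service_date: date
    service: str
    paid_in_full_by_patient: bool
    restriction_requested: bool  # patient asked that the payer not be told


@dataclass
class DisclosureLog:
    """Accounting of disclosures: one entry per encounter actually sent."""
    entries: list = field(default_factory=list)

    def record(self, encounter: Encounter, recipient: str) -> None:
        self.entries.append((encounter.encounter_id, recipient, date.today()))


def restricted(enc: Encounter) -> bool:
    """The restriction must be honored only when BOTH conditions hold:
    the patient requested it AND paid the charge entirely out of pocket."""
    return enc.restriction_requested and enc.paid_in_full_by_patient


def build_payer_claims(encounters, payer: str, log: DisclosureLog):
    """Return the encounters that may go to the payer, logging each disclosure.

    Restricted encounters are dropped here, at the one exit point for claims,
    so no other code path can leak them into the claim file."""
    claims = []
    for enc in encounters:
        if restricted(enc):
            continue
        claims.append(enc)
        log.record(enc, payer)
    return claims


def pending_restriction_followups(encounters):
    """Patients who asked for the restriction but still owe a balance.

    The provider is not yet obliged to honor the request, so front-desk
    staff should collect payment or tell the patient the claim will be filed."""
    return [e for e in encounters
            if e.restriction_requested and not e.paid_in_full_by_patient]


SAMPLE = [  # constructed sample data, not real patients
    Encounter("E1", "P100", date(2013, 9, 24), "CPAP supplies", True, True),
    Encounter("E2", "P100", date(2013, 9, 24), "oxygen rental", False, False),
    Encounter("E3", "P200", date(2013, 9, 25), "wheelchair", False, True),
    Encounter("E4", "P300", date(2013, 9, 25), "nebulizer", True, False),
]

if __name__ == "__main__":
    log = DisclosureLog()
    sent = build_payer_claims(SAMPLE, "ACME Health Plan", log)
    print("sent to payer:", [e.encounter_id for e in sent])
    print("needs follow-up:", [e.encounter_id
                               for e in pending_restriction_followups(SAMPLE)])
```

Run as a script, it sends E2, E3 and E4 to the payer and holds back E1 (requested and paid in full); E3 shows up on the follow-up list because the patient asked for the restriction but has not paid. Putting the check in `build_payer_claims` rather than in the screens that display the chart is the design point: staff can still see the encounter, but it cannot reach the claim file.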

Are small companies being audited? What can I do to mitigate this risk?

Small companies have been audited for HIPAA violations and paid steep fines for their non-compliance. The new rule sets forth a tiered civil penalty structure based on the degree of culpability, up to $50,000 per violation and $1.5 million per year for violations of the same provision; separately, criminal penalties for knowingly misusing PHI can reach a $250,000 fine and up to 10 years of imprisonment. Your compliance officer should stay abreast of changes and train staff yearly on safeguarding PHI. Your company should also perform self-audits to catch potential problems and pay special attention to how your staff interact on social networking sites. As these sites have gained in popularity, HIPAA violations related to them have increased, because staff may not be aware that they should not be posting PHI.

What resources can I use to help me with these steps?

VGM offers templates upon request. This manual contains a model business associate agreement, a model notice of privacy practices form, breach notification requirements, and other guidelines, tools, and worksheets explaining all of the new HIPAA regulations. You can order these by emailing