Briefings on HIPAA

On July 8, HHS released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates (BA) and strengthening patient rights to health information privacy.

The HITECH Act includes new privacy requirements that allow for stronger individual rights to access electronic health records (EHR) and restrict the disclosure of certain PHI.

Incidents involving paper records and desktop computers are second and third most common on the growing list of privacy breaches reported on the OCR website. (The No. 1 reason for privacy breaches re-mains the loss or theft of laptop computers and other portable devices. Briefings on HIPAA looked at ways to prevent those types of privacy breaches in the June issue.)

Electronic health information exchange (HIE) has become the center of attention for most states, and many healthcare organizations want to tap into available stimulus dollars and new electronic health record (EHR) incentives. 

Q. Must patients receive a paper copy of our Notice of Privacy Practices during every encounter at our facility?

A major privacy breach can carry a heavy price for a healthcare organization, and its response can indicate how big a price it ultimately pays.

Because of the high risk that laptop computers and other portable devices create for a potential privacy breach, healthcare organizations should consider creating an easy-to-understand training guide that describes staff members’ responsibilities.

Q. We are an MRI facility, and our services are referral- based. Faxing MRI reports to referring providers after radiologist review is our standard procedure. Patients can schedule follow-up appointments with referring providers to obtain results of their MRI scans. Patients regularly request a copy of the report at the time of their MRI scans or within several days of the scan when they pick up a copy of MRI films. 

Does HIPAA require us to provide patients a copy of the report even when the provider has not interpreted the report and image?