How Does HIPAA Affect My Business?

HIPAA was enacted to protect the privacy of an individual’s health information. The vast majority of HIPAA requirements apply to covered entities and business associates. A covered entity is an organization that transmits or produces protected health information. A business associate is an organization that carries out the functions of covered entities or otherwise receives health information from covered entities, for example, a billing company.

If you are a covered entity or business associate then you are subject to the HIPAA Privacy Rule which governs the use and disclosure of protected health information. You are also subject to the HIPAA Security Rule which governs how health information should be safeguarded.

Even if your company is not a covered entity or business associate there are certain aspects of HIPAA that you should be aware of. If your company offers employment benefit plans or health plans or otherwise has health information on your employees, then you should make sure that this information is not disclosed without the express permission of the employee. You should also make sure that this information is safeguarded and not allowed to be accessed by unauthorized personnel.

Finally, you should check state law as states are allowed to supersede certain parts of HIPAA and apply them towards your business.

© 2014 Parsonage Vandenack Williams LLC

For more information, contact us

PVW Law Article: HIPAA Final Rule

We posted a new article on our website regarding the HIPAA Final Rule.

For more information, check out our videos on Business Associates and Business Associate Agreements, as well as HIPAA Compliance Audits:

The HIPAA-HITECH Omnibus Rule: What’s New?

New rules released under HIPAA require physicians to make several major changes over the next six months. These changes are complex and they will have a direct impact on how physicians do business, so physicians need to start planning now.

Business associate (BA) agreements must be reviewed. The new rules require physicians to use reasonable diligence in overseeing business associates. BAs should also take notice, because they may now be directly liable for breaches. The definition of who counts as a BA has expanded. So, any company working with a physician needs to figure out whether the new rules apply to it.

Physicians also need to prepare new NPPs to account for new patient rights. Patients will soon be able to limit disclosure if they pay for services in full. They will also be able to request machine-readable copies of EHR. Last, they will have to give written approval before the physician can use third-party marketing.

© 2013 Parsonage Vandenack Williams LLC


Final HIPAA/HITECH Rule Released

HHS has recently released final rules modifying HIPAA under the HITECH Act. The rules make several changes for both providers and business associates. First, the regulations expand the definition of business associate. Thus, businesses need to figure out whether they are now subject to HIPAA. Business associates may face up to $1.5 million in fines per year if they do not comply with the new rules.

Providers will have to make several changes as well. The new rules give providers less flexibility to decide when to report a breach and restrict when PHI can be used for marketing. Providers must provide patients with records in electronic form on request. Also, they must revise their Notices of Privacy Practices. If providers do not comply, they will face harsher fines and new enforcement tools. Providers should start revising their business associate agreements, NPPs, and other policies to comply by September 23.

© 2013 Parsonage Vandenack Williams LLC


Final HIPAA/HITECH Regulations Delayed

Publication of the HIPAA/HITECH Act Omnibus Final Rule has been delayed. The Office of Information and Regulatory Affairs, the department responsible for reviewing the regulations, has requested an extended review period for the rules. This extended review period will last for 30 days, and requires special approval for further extension. Commentators anticipate that a decision on the rule should be issued by July 23.

The proposed rule is expected to modify several components of HIPAA, including the Breach Notification Rule, the Enforcement Rule, and the Privacy and Security Rules. Furthermore, the proposed rule will expand the scope of HIPAA provisions to cover business associates of entities subject to HIPAA. Healthcare professionals should be aware of these changes and proactively plan to comply with the revised HIPAA regulations.

© 2012 Parsonage Vandenack Williams LLC


HIPAA Audit Protocols Released

This year, 115 audits will take place under a new pilot program designed to ensure compliance with HIPAA.  Any entity subject to HIPAA is subject to audit, and the program will likely expand substantially in 2013.  As a result, all healthcare professionals need to be concerned about HIPAA audits.

Beginning in 2013, DHS will include business associates in their audit procedures.  This means that businesses engaged in service contracts with healthcare entities should evaluate their potential eligibility for audit.

DHS has recently released its HIPAA audit protocol (available here).  The audit protocol is highly comprehensive and addresses the full spectrum of HIPAA concerns. It includes modules to measure compliance with seven separate requirements under the Privacy Rule, as well as requirements for technical, physical, and administrative safeguards under the Security Rule.  The protocol also includes modules designed to measure compliance with the requirements of the Breach Notification Rule.  Healthcare organizations should regularly engage in “practice” audits to ensure that they comply with all of these requirements.  The release of these protocols will be a valuable tool in ensuring that practice audits are sufficiently rigorous and focused to provide meaningful results.

© 2012 Parsonage Vandenack Williams LLC


Reviewing Procedures for Breach of PHI

Despite clear compliance plans, annual training, and limiting access, there is still a chance your practice could experience a breach of protected health information (“PHI”). A “breach” means the use or disclosure of unprotected information that is not permitted by HIPAA and compromises the security and/or privacy of the PHI. Most practices allocate considerable resources towards preventing breaches, but it is a good idea to review procedures in case a PHI breach should occur.

  •  When a breach occurs, first gather information.  Determine what type of PHI was disclosed, who accessed it without authorization, and the number of patients exposed.
  •  Next, make every attempt to mitigate the damage.  Can you ensure that the breached PHI has been destroyed or will be returned?
  •  Third, provide the necessary notifications.  Patients must be notified no later than 60 days from when your practice knew or reasonably should have known of the breach.  To help expedite the notification process, make sure that your patient contact information remains current.
  •  Finally, review your practice’s compliance plan, training schedules, and access to PHI to help prevent a similar breach from occurring again.

© 2012 Parsonage Vandenack Williams LLC


CMS Issues HIPAA Standard for Electronic Funds Transfers

CMS has issued a new rule that adopts standards for electronic funds transfers (“EFT”) under HIPAA. The standards could reduce costs for providers by streamlining electronic payments from a health plan to a provider. The rule requires the use of a trace number that automatically matches a remittance advice (“RA”), or notice of payment, and an EFT payment. Currently, health plans often send RAs separately from the EFT payment, making it difficult to match up the bill and the corresponding payment. By requiring the trace number to match up the RA and EFT payment, the rule will save providers time by not having to manually reconcile the notice of payment with the EFT payment. The regulation is effective January 1, 2012. Covered entities must use the health care EFT standards by January 1, 2014.

The rule can be accessed at:  Adoption of Standards for Health Care Electronic Funds.

© 2012 Parsonage Vandenack Williams LLC


Are You Ready for HIPAA 5010?

On January 1, 2012, covered entities will be required to conduct the current HIPAA electronic transactions using the upgraded 5010 version.  Such transactions include claims submission, remittance advice, eligibility, claims status, referral authorizations, and others.

In order to successfully implement the 5010 transactions, covered entities should take the following steps if they have not already been completed.  This will help to avoid rejected claims and cash flow interruptions.

1. Review the details involved in the upgrade and assess the impact the change to HIPAA 5010 will have on your business operations and systems.

2. Contact your vendors for specific information regarding the installation of upgrades to your system. Also, contact your clearinghouses, billing service, and payers for preliminary information on when they expect their upgrades will be completed and they will be ready to accept the 5010 transactions.

3. Have your vendor install the necessary 5010 upgrades. Remember that the timing of the system upgrades will depend on your vendor’s readiness, both with respect to product development and scheduling.

4. Once the upgrades are completed, internally test your systems to make sure you can generate the 5010 transactions. Allow extra time to resolve any issues that may arise and work with your vendor to address these.  It is important to make sure that staff members are properly trained on the 5010 transactions as part of this process.

5. Contact your clearinghouses, billing service, and payers to conduct external testing with them. This will help to ensure that you can send and receive the transactions properly.

6. After you have completed external testing, you may switch to using only the 5010 transactions. You are permitted to begin using the 5010 transactions prior to the compliance date, as long as you and the other organization are in agreement with the early conversion.

Important Dates to Keep in Mind:

January 1, 2012 – Covered entities must use only 5010 transactions as of this date.  The 4010 transactions will be rejected.

January 1, 2012 to March 31, 2012 – The first 90 days is a period of discretionary enforcement.  A covered entity generally will not receive penalties for failing to comply with HIPAA 5010 as long as it is making reasonable efforts to follow the requirements.

October 1, 2013 – The industry switches from the ICD-9 to the ICD-10 diagnosis and procedure code sets.

© 2011 Parsonage Vandenack Williams LLC


HIPAA Business Associate Audits May Be On The Way

Business Associates (“BAs”) may be audited, in addition to covered entities, in 2012 audits by the Office for Civil Rights (“OCR”). OCR has a three-step audit program in progress. If the initial program “goes well” (whatever that means), then OCR will implement a full range of onsite audits and an evaluation process. BAs come into contact with significant amounts of protected health information. Because approximately 20% of HIPAA breaches involve BAs, consideration is being given to including BAs as audit targets.

© 2011 Parsonage Vandenack Williams LLC
