There are some big HIPAA updates coming up in 2023 that you need to be aware of. But don’t worry…
We haven’t copied and pasted the complicated legal text for you to digest on your own.
We took a look at all the changes that will affect you as a small healthcare practice. Then, we put together short, simple nuggets of information that are easy to understand. Finally, we give you actions you can take now to ensure you’re prepared and compliant.
HIPAA is changing. Let’s figure out what that means for your practice.
Here are the changes to the HIPAA Privacy Rule that you need to consider if you’re a small healthcare practice. There are more changes, which you can read about here. This is the official document, and it’s quite lengthy. A quick search for 2023 HIPAA changes will pull up various articles containing summaries.
If you’re a small healthcare practice, these are the changes that are most likely to affect you:
They’ll be able to:
Before, practitioners had 30 days to respond to a request, with the possibility of a 30-day extension.
You’ll need to:
What’s a Notice of Privacy Practices (NPP)?
An NPP is a document that clearly states your clients’ rights regarding their health information. It explains how health information can be used and disclosed, how your practice protects it, and how your clients can access it.
👉 Learn more: Notice of Privacy Practices (NPP): What Small Healthcare Practices Need to Know
Once the final rule is published, you’ll have a grace period in which to make the required changes. At this time, it sounds like that period will be 180 days, but that could change.
Here’s what you can do now to make sure you’re prepared.
Your clients will need to be able to take photos and notes of their protected health information (PHI) comfortably. Think through the process of how this might work in your office. Your clients need privacy, but you may also want to be present during the review. Records may need to be separated or redacted, and you’ll need to figure out how to do that in a timely fashion. All practices are unique. Going through possible scenarios now will allow you to troubleshoot the process before the rule is in effect.
You’ll need to handle requests for information in a timely manner. Fifteen days is plenty of time to reply to clients’ record requests if you’re organized and have a process in place. Write out a plan so you can send your records out with time to spare.
Here’s a simple plan that you can use to get started:
Although there are individual state laws governing how to determine your fees, HIPAA has the final say on the matter. HIPAA requires that your fees must be reasonable and cost-based. You can read more about what this means here.
It’s a good idea to review your NPP annually, and you can add planning for updates to that process. Wait to make your changes, but go ahead and draft what you plan to include and decide where you’ll put it.
The changes you’ll need to make are relatively simple, but don’t underestimate the education involved. If you have office staff, they’ll need to be informed of how to help clients request and view their records. This could be as simple as explaining three things:
The final rule is expected to be published in the first quarter of 2023. You don’t want to miss that important announcement!
When you make changes to how your practice handles PHI, you should consider the risks. This is an actual process required by HIPAA called “risk analysis.”
The process is pretty straightforward, especially for a small practice. You identify the sensitive information that comes through your practice. Then you figure out how that information might be at risk. For example, could your computer be stolen? Or are you sending emails through a service like Gmail that isn’t very secure?
After you determine where your sensitive information is and how it might be harmed, you figure out how to protect it. For example, you could sign up for a HIPAA-compliant email service.
Conducting a risk analysis before the updated Privacy Rule goes into effect will help identify compliance gaps that you can fix now. This will make it easier for you to apply the 2023 changes when the time comes.
Believe it or not, it’s in the interest of making your administrative tasks easier. The HIPAA Privacy Rule requires a lot, and there have been many requests from practitioners to make it less burdensome. The U.S. Department of Health and Human Services (HHS) has been sorting through these requests for the past few years. They drafted changes, sought additional feedback, and now they’re about to publish the updated Privacy Rule.
Some of these changes might make things easier for you, but some might make them more difficult, at least in the short term.
The best thing to do is learn about the changes now so you have plenty of time to prepare.
There are a few other HIPAA adjustments to consider. They could directly impact you if you're a small- to medium-sized practice.
The telehealth exception that was put in place during the COVID pandemic is remaining in place for now. This is the exception that allowed practitioners to use telehealth platforms even if they weren’t traditionally HIPAA compliant. It will remain in effect until the Secretary of the HHS declares the public health emergency is over. Then, you may be penalized for using platforms like Zoom or FaceTime to provide care. Be sure to follow HHS news so you don’t miss this announcement.
If you experience a data breach, you may qualify for a “safe harbor” if you’ve done your best in the past year to protect your clients’ information. Investigators will consider evidence that you’ve implemented security best practices in the last year and possibly reduce or waive fines.
What’s the HIPAA Safe Harbor Act?
This law says that the HHS will consider your best efforts to protect your clients' health information if there's a data breach. Penalties may be reduced or waived and audits may be shortened.
As you likely already know, HIPAA laws require reliable tools. The changes to the HIPAA Privacy Rule are no exception. Fortunately, numerous organizations make it their business to help you comply. One is Hushmail for Healthcare, which provides secure email and web forms for small to medium-sized practices. Here’s how Hushmail can help you meet the new HIPAA requirements.
Once you receive a records request, those 15 days will go by fast. You need a secure way to send the records to your clients, but the US Postal Service isn’t referred to as “snail mail” for nothing. Your best option is to send them electronically, but they must be sent through a HIPAA-compliant service. And that’s Hushmail for Healthcare.
Hushmail also allows you to get all of your practice forms filled out, signed, and filed away in one place so they’re easily accessible. This helps cut down the admin time it takes to prepare health records to send out.
Hushmail is one reliable safeguard you can put in place to help you qualify for the safe harbor consideration. If you still need to get secure email and forms in place, start now. The law only applies if you can show that you’ve made efforts to secure your clients’ information for the last 12 months.