The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has significantly updated the HIPAA Privacy Rule, effective June 25, 2024.
This new HIPAA law, aimed at enhancing the protection of patient reproductive health information, requires immediate attention. Covered entities, including DCs, must swiftly understand and comply with these changes by December 23, 2024. [1]
Urgent updates needed
Complying with these changes includes updating many aspects of your HIPAA compliance program, especially those involving reproductive rights. However, changing your HIPAA compliance program requires having a program in the first place.
In addition to the urgency of the changes, the OCR recently announced it is commencing random HIPAA audits immediately, intending to audit every doctor’s office nationwide. DCs should act swiftly to ensure compliance. Even if you see this after the 23rd has passed, there’s still time to become compliant if you’re reading this before an audit begins. Simply put, the best time to become compliant is right now.
What steps do you need to take to comply with the new HIPAA law?
Federal laws are full of lengthy and complicated language, often requiring legal education to navigate them well. However, that is not usually the main problem when complying with HIPAA. The most significant source of stress is that even though you may think you have a HIPAA compliance program, it may not be strong enough to pass an audit or hold up under investigation. This reality is particularly concerning, as the past 15 years have shown noncompliance may result in severe penalties, such as substantial fines, legal actions and harm to your professional reputation.
Update your policies and procedures immediately to reflect the new restrictions on disclosing reproductive health information under the new law. This action is necessary to protect patient privacy and the future of your practice.
Your top priority as a DC should be ensuring compliance and that your compliance program is “defensible.” A defensible HIPAA compliance program is one that can withstand an audit or investigation. It should be comprehensive, up-to-date and aligned with the latest HIPAA regulations. Your program should clearly demonstrate you have taken all necessary steps to comply with the law and protect patient privacy.
Policy changes to make now
- Change your business associate agreement (BAA) and ensure all your business associates, meaning every person or vendor to whom you have given access to any of your private patient data, have signed the latest version of this new document. The BAA is a crucial element of HIPAA compliance, as it delineates the responsibilities of your business partners in safeguarding patient information. Do you have a BAA in place, ready to change?
- Revise the language in the HIPAA policies in your compliance manual, particularly regarding reproductive rights.
- Ensure you and your staff have completed and documented the training regarding the new requirements, including the content of the training as required by law. This documentation should include:
  - All changes to your annual HIPAA training
  - The training you are required to provide all new employees within 45 days of hire
  - Any security reminders issued to your staff to fulfill the existing federal requirement to “Issue periodic security reminders to your workforce.”
Bonus: If you do not currently provide training and security reminders to your new and existing team members, you will almost certainly be deemed noncompliant in the event of an audit or investigation.
- Create a new form authorizing the release of private health information related to reproductive rights by you, the DC.
- Stay informed about required modifications to the notice of privacy practices (NPP) provisions of the law. The NPP is an important document you provide every patient and post on your website to inform patients about their rights regarding their health information and how your practice can use it. The new HIPAA law requires compliance with changes to the NPP, which must be made by Feb. 16, 2026.
Bonus: If you are unfamiliar with this NPP form or do not use it daily, you do not have a defensible HIPAA program right now.
Many of the issues this new law aims to address are already standard components of a comprehensive HIPAA program. Did you know a typical office should have more than 100 pages of policies in its manual covering these issues?
Points to keep in mind
It is critically important to know that the new HIPAA law changes the time frame for reporting a security breach that could expose private information:
- You must report any breach within 15 days.
- Your breach policy, typically one of the hundreds of pages required in a chiropractic office, must be fully updated to reflect this.
The new law also strengthens aspects already covered in current HIPAA law. These reiterated inclusions may provide advance notice of the areas, items and policies of focus in upcoming random audits scheduled to commence now. Are you ready if a random audit comes your way?
The new HIPAA law highlights the following recurring vital points for your office:
- Encryption requirement: The new law requires encrypting patients’ protected health information (PHI) at rest and during transmission. Update your policy today to reflect this. While this has always been a recommended part of a HIPAA policy, it is now an explicit requirement.
- Access controls and authentication: Physicians must implement robust access controls and authentication mechanisms.
- Security risk assessments: Already required. Based on our extensive experience assisting numerous offices with compliance, we have found a copy of this risk analysis is always necessary when you are audited or investigated. The OCR has explicitly stated that failure to produce it will lead to maximum fines.
- Security updates and patch management: Already required. Do you have a good technology plan or expert advisers to help you with this continuously?
- Staff training: Make sure all staff members receive training on the latest changes in the law. Instead of waiting for the annual HIPAA training, ensure all staff members receive a security reminder containing the updated information from the HIPAA program. It’s essential to confirm that everything is in place and understood by every team member before Dec. 23, 2024, to successfully comply with the changes in the law.
Bonus: We recommend creating a document for both staff and DCs to sign, confirming they have received, reviewed and discussed the above changes as part of their ongoing training. The document should be distributed as a “security reminder” immediately after completion instead of waiting until the regularly scheduled annual training. Remember to keep the document and the signed attestation in your HIPAA manual.
A crucial reminder about records requests
According to existing and future HIPAA regulations, when a patient requests information, you must provide it within 30 days. The OCR may approve a one-time extension of 30 days in certain highly exceptional cases. It is important to note the 30-day time frame is a maximum limit, not a recommended time frame. If you take longer than a few days to complete a request, you must provide well-documented reasons for the delay. Don’t get caught on your heels by dragging your feet on records requests.
It is highly recommended you have an attorney on your extended team to review all final documents used in the business to ensure documents and procedures are compliant and defensible.
Final thoughts
While this is not an exhaustive list of new HIPAA law changes, we will undoubtedly learn more as enforcement begins and lawsuits around it settle. Above all, remember to familiarize yourself with the new HIPAA law and take immediate action to comply with its requirements before the end of the year. Until next time, stay compliant and keep your head up!
TY TALCOTT, DC, CHPSE, is a highly respected healthcare compliance professional and a licensed doctor of chiropractic. As the CEO of HIPAA Compliance Services and Power Strategies Inc., Talcott has participated in the national cybersecurity symposium in Washington, DC, and has guided numerous healthcare practices through webinars, live events and practice management consulting. He is dedicated to protecting the chiropractic profession and empowering innovative doctors to safeguard their practices against complaints, errors, cyberattacks and government audits. For more information, visit drtythecomplianceguy.com, email ty.talcott@gmail.com or call 469-371-8804.
Reference
- HIPAA privacy rule to support reproductive healthcare privacy. 89 FR 32976. Federal Register. 2024;89(82). https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy. Accessed October 20, 2024.