Revised NPP Template
The Office of Civil Rights (OCR)—an agency under the aegis of the U.S. Department of Health and Human Services (HHS) and the entity that enforces the HIPAA requirements—issued a final rule for the confidentiality of substance use disorder (SUD) patients, along with a revised template for Notice of Privacy Practices (NPP). You’ll recall that an NPP is the document that advises patients of their privacy rights, as well as the responsibilities of the entities covered under HIPAA (hereinafter, “covered entities”).
The revised NPP amends the prior template and incorporates required verbiage about the confidentiality of SUD records. “Okay, so what does that have to do with me,” you may ask.
Covered entities are required to provide these HIPAA-related NPPs to their patients. This includes anesthesia groups as they, too, are considered covered entities. Many anesthesia groups may not give this requirement much thought because they rely on their facilities to issue a joint NPP on behalf of the facility and the anesthesia group. However, a joint NPP can only be issued by a facility on behalf of an anesthesia group if the following two requirements are met:
- There is documentation between the facility and the anesthesia group supporting the existence of an Organized Healthcare Arrangement (OHCA), AND
- The NPP states that it is issued for the benefit of the facility and the anesthesia group (or on behalf of the facility and its “medical staff”).
Hospitals usually have an OHCA in place with the anesthesia group, but surgery centers (ASCs) sometimes do not. If you are unsure whether your facility has an OHCA with your group, we recommend you obtain a copy of the facility's NPP and see if it states that it is issued on behalf of the facility and your group or medical staff. If the NPP does not state that, then the group providers must issue an NPP to the patients they treat to avoid being in violation of HIPAA.
Having said that, the entity issuing the NPP—whether the facility on behalf of the group or the group itself—must ensure that the NPP complies with the revision as outlined in the recent final rule. The revision specifics can be reviewed by going to the following HHS link: Model Notices of Privacy Practices | HHS.gov.
Pain practices disseminate their own NPPs. Under the OCR’s final rule, the pain practice’s NPP must be amended to include the new verbiage about SUD privacy.
Ignorance Is Not Bliss
Providers should be aware that violations of any HIPAA rule can be expensive. For example, a pain practice in Florida recently paid a $1.19 million fine for a self-reported violation. The practice previously hired a contractor who was given access to the practice’s billing records. After the contractor's job was completed, the contractor accessed the pain practice's EHR on 3 separate occasions and downloaded the billing records of over 34,000 patients. The OCR determined that the pain practice did not terminate the contractor's access to its EHR after the contractor's job was finished.
The HIPAA rules require the immediate termination of EHR access for every prior employee and prior contractor. Group practices must not let this slide as it can lead to hefty fines.
Remember also that any contractor accessing a pain practice’s EHR should sign a Business Associate Agreement (BAA). Groups should consider including within that BAA an indemnification clause. According to one prominent healthcare attorney, “the law allows you to make your business associates indemnify you for improperly accessing PHI.” So, if this Florida pain practice had required the contractor to sign a BAA containing an indemnification clause, the practice could have recovered from the contractor the $1.19 million it paid to HHS/OCR.
The attorney also recommends securing cyber insurance if you don’t already have it. Typical medical malpractice policies only cover up to $50,000 in HIPAA defense costs; so, a separate cyber policy for cases like the one described above can help mitigate the financial hit.
Again, in addition to all the other rules with which providers must scrupulously comply, they should not forget about their obligations under HIPAA.
