You're bracing yourself for the permanent Recovery Audit Contractor program, and scrambling to keep revenue at viable levels all while trying to track and implement the latest notifications from your carrier. You probably don't want to hear that the government is beefing up the privacy and security portions of the Health Insurance Portability & Accountability Act (HIPAA) and now allowing the states to enforce it, with brand-new, harsher penalties.
Sorry to be the bearer of bad news.
The American Recovery & Reinvestment Act (ARRA) contained more than incentives to invest in an electronic health records system (PBN Office Technology Report 6/8/09). Over the next few years you'll have to make some changes to your HIPAA policy in order to stay in compliance. For example, changes to HIPAA that will kick in this September will require you to inform patients and the government - and in some cases, the media - if unauthorized people get access to protected health information.
HHS is also currently hammering out its definitions of "destroyed," "unreadable" and "unusable" as they apply to patient data. Why? According to HHS, if a provider renders patient information unusable by an outside party, its loss won't count as a breach. For example, if your office is burgled and thieves make off with computers that hold patient data, that would probably constitute a breach. However, if the data on those computers is protected by adequate encryption, you won't have to report the event to anyone but the police and your insurance company.
You can read more about HIPAA's privacy rules here. If you want help keeping track of how, what, why and when you need to change your HIPAA policy, or need to know how to respond to a data breach, check out these two audio conferences offered by sister publications Medicare Compliance Alert and Compliance Officers Report: "How to comply with HIPAA's new tougher privacy and security rules" on Tuesday, June 9, and "Who let the health care data out: 10 steps to handle a security breach" on Thursday, June 11.