HHS’ Mega-Rule Highlights PHI Protection, Patient Access

February 4, 2013 – In The News
Medical Practice Compliance Alert

With the HHS 'mega-rule' in place, providers will have the responsibility of proving when a breach notification is or is not warranted.

Providers must now report data breaches to HHS' Office for Civil Rights (OCR) unless they can prove the unsecured PHI wasn't compromised through a four-pronged risk assessment, said William Maruca.

The rule also adds new language requirements to the notice of privacy practices form. Maruca said all practices must include language stating that the patient has the "right to restrict disclosures for services the patient paid for out of pocket."

This particular provision is aimed at larger providers and hospitals that sell lists of patients, such as diabetics, to pharmaceutical companies, said Maruca.

The new rule also prohibits health plans from using patient genetic data for underwriting. Maruca says if your practice does any underwriting, include a section in your notice of privacy practices form that says you won't disclose any genetic information to third parties.