Latest HIPAA Standards Include New Breach Notification Rule

Social workers are being encouraged to review the latest Health Insurance Portability and Accountability Act standards as a new federal breach notification rule for patients' medical data went into effect on Sept. 23.

Earlier this year, the NASW Legal Defense Fund issued the report "HITECH HIPAA for Social Workers." It outlines how the latest Health Information Technology for Economic and Clinical Health Act promotes the use of electronic health records while reinforcing the need to protect the privacy of personal health information.

A vital component of the HITECH Act that affects health care providers such as social workers is a federal breach notification rule. It requires those who are subject to HIPAA standards to notify clients of an unauthorized release of their private health records. The rule includes potential criminal and civil penalties for those who fail to comply with the breach notification requirements.

There are ways to avoid such penalties, however. If the data breached is encrypted and unusable after its release, there is no HIPAA requirement for a breach notification, said Sherri Morgan, associate counsel for the NASW Legal Defense Fund.

"This is a good reason why members who abide by HIPAA standards need to invest in data encryption for their electronic client records," Morgan said.

Breaches of client data commonly occur from theft of a laptop computer or other portable electronic device, she said. "There is no mandate to encrypt client data, but there is a requirement to put policies in place to prevent and identify a potential breach of client information and respond promptly with the required notifications and mitigation," she said.

Some social workers may also use a third-party vendor to handle client information such as billing. That information is also subject to HIPAA standards. In contracts with any third-party vendor, social workers need to outline the vendor's responsibility to send out individual client notifications in case of a breach.

In addition to reviewing the report "HITECH HIPAA for Social Workers," Morgan suggested social workers who operate their own practice:

  • Develop a system to detect breaches and an outline of how a violation would be handled internally, including steps to report it to the office of the Secretary of Health and Human Services.
  • Have a breach response plan in place.
  • When revising business associate agreements, include specific breach notification responsibility.

Revisions to HIPAA regulations on HITECH Act implementation were continuing at this story's deadline. Morgan said more federal regulations related to the act are expected to become effective by early 2010.