On January 17, 2013, the federal Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued the long-anticipated final omnibus amendments to the Privacy, Security, Breach Notification, and Enforcement Rules under the Health Insurance Portability and Accountability Act (HIPAA). These amendments became effective as of March 26, 2013, and compliance with applicable requirements generally must be achieved within 180 days, by September 23, 2013 (with important exceptions for existing business associate arrangements). Significant penalties apply for non-compliance. This article is a very brief synopsis of the new HIPAA requirements; the actual federal document is 136 pages. In addition, because some of the amendments do not apply to most practices, for example, those pertaining to fundraising and the Genetic Information Nondiscrimination Act of 2008 (“GINA”), we have not covered those topics in this article. Here are the highlights and the areas that need your immediate attention.
Expansion of Rule’s Application: Definition of Business Associate
The new amendments greatly expand the definition of a “business associate” and thus the application of HIPAA. The new definition of business associate includes their subcontractors who create, receive, maintain, or transmit PHI in performing a function, activity, or service delegated by the business associate to the subcontractor. A covered entity must obtain satisfactory assurances in the form of a written contract or other arrangement from each business associate, and in turn, each business associate must do the same with regard to each subcontractor that handles PHI on its behalf. Your responsibility is to be certain that your Business Associate Agreements (BAAs) are in place. You are not responsible for making certain that subcontractors of your business associates have the appropriate assurances. Now would be a good time to review your business relationships to make certain that current BAAs are in place with those associates covered by HIPAA.
Broader Definition of Who Is a Business Associate
The new amendments expand the business associate definition to include an entity that “maintains” PHI (in addition to creating, receiving, or transmitting it). This then includes organizations such as health information organizations (HIOs, more commonly known as Regional Health Information Organizations, or “RHIOs”), vendors of personal health records, and others that facilitate data transmission. If you are participating in a RHIO, make certain that you have a BAA in place.
Covered entities and business associates (including their subcontractors) must ensure compliance, including by entering into written agreements, by September 26, 2013.
The new changes modify the definition of breach (of PHI or EPHI). Under the new definition, an impermissible use or disclosure of PHI is presumed to be a breach unless it can be demonstrated that there is a low probability that the PHI has been compromised. The determination of compromise is based on a 4-part risk assessment that takes into consideration:
If the risk assessment fails to demonstrate that there is a low probability that any PHI has been compromised, breach notification is required. Furthermore, the new amendments require covered entities to notify each affected individual whose unsecured PHI has been compromised. Even if the breach is caused by a business associate, the covered entity is ultimately responsible for providing the notification (although the covered entity may delegate the breach-response notification to the business associate). Moreover, a business associate’s and its members’ knowledge of a breach will be imputed to the covered entity. If the breach involves more than 500 persons, OCR must be notified; under certain circumstances, the breach must be made public through local media. The HIPAA-covered entity bears the ultimate burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach, and must maintain supporting documentation, including documentation pertaining to the risk assessment. Since HIPAA became law over 10 years ago, we have witnessed a number of low-level breaches of PHI in medical practices. Most of these were unintentional, but they are potentially harmful to the practice. Routine retraining of staff on the importance of complying with HIPAA is a must.
Changes to the Notice of Privacy Practices (NPP)
Although the new update does not require the NPP to include all situations requiring authorization, the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes, marketing disclosures, and sale of PHI do require prior authorization. It must also state the right of the individual to be notified in case of a breach of unsecured PHI. OCR clarifies that distribution by covered entities of new NPPs to individuals is required because the changes to the NPP requirements are material.
Patients’ Right to Restrict Disclosures; Right of Access
With the backing of the HITECH Act, the Privacy Rule was amended to require a covered entity to restrict, upon request, the disclosure of an individual’s PHI to a health plan, if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law. The PHI must pertain solely to a healthcare item or service for which the individual has paid the covered entity in full. In the new amendments, OCR clarifies that the adopted provisions do not require covered healthcare providers to create separate medical records or otherwise segregate PHI subject to a restricted healthcare item or service; rather, providers need to employ a method to flag or note restrictions on PHI to ensure that such PHI is not inadvertently sent or made accessible to a health plan. Furthermore, the new HIPAA regulation requires that a covered entity provide a copy of PHI in electronic form to any individual requesting it. The electronic format must be provided to the individual if it is readily producible. However, OCR clarifies that covered entities need only provide individuals with an electronic copy of their PHI, not with direct access to their electronic health record systems. The amendments restrict the fees that covered entities may charge for handling and reproduction of PHI, which must be reasonable and cost-based, and must separately identify the labor for copying PHI (if any). The timeliness requirement for providing this information to a patient has decreased from up to 90 days to 30 days, with a one-time extension of 30 additional days.