Updated HIPAA rules impose new requirements

Legally Speaking

Rob Portman

Rob Portman is a health care attorney with Powers Pyles Sutter & Verville in Washington, D.C., and serves as General Counsel for the AAD and AADA.


The U.S. Department of Health and Human Services (HHS) unveiled its long-awaited final omnibus rule that implements privacy, security, and enforcement measures under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Genetic Information Nondiscrimination Act (GINA) on Jan. 17. A copy of the rule is available at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

Leon Rodriguez, HHS Office for Civil Rights Director, noted in a press release that the new rule:

... marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.

Required actions

The effective date for the new rule was March 26, 2013, and organizations must be in compliance with the new rule by Sept. 23, 2013 (with the exception that existing business associate agreements must be revised by Sept. 22, 2014). Between now and September, health care providers will need to focus on the following three tasks:

  • Revising HIPAA policies and procedures, including breach notification procedures;
  • Modifying Notices of Privacy Practices and patient authorization forms; and
  • Updating and/or executing new business associate agreements.

Below we have summarized specific changes required by the new rule. 

HIPAA policies and procedures

The new rule will require providers to revisit and modify their HIPAA policies and procedures in some of the following areas:

Breach notification

The obligation to notify patients if there is a breach of their Protected Health Information (PHI) has been clarified under the new rule. The subjective “harm” standard in the interim final rule has been eliminated. Under the “harm” standard, a breach did not occur unless the access, use, or disclosure posed “a significant risk of financial, reputational, or other harm to an individual.” Now, any acquisition, access, use, or disclosure of unsecured PHI not permitted under HIPAA is presumed to be a breach unless it is determined that there is a low probability that the PHI has been compromised based on a four-factor risk assessment:

  1. The nature and extent of PHI involved;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether PHI was actually acquired or viewed; and
  4. The extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed). 

Access to e-PHI

Individuals have a right to access and to obtain a copy of PHI within 30 days of their request. Under the new rule, if an individual requests a copy of PHI that is maintained electronically, the provider must, with limited exception, give the individual access to the PHI in an electronic format.

Disclosures to health plans

At an individual’s request, a health care provider may not disclose the individual’s PHI to a health plan if the disclosure is not required by law, the request relates to payment or health care operations, and the individual has paid for the item or service out of pocket in full. If an individual makes such a request, providers will want to document the request and ensure that the patient understands that the provider will submit no claims to the patient’s insurer. Providers will also need some method of flagging, within the medical record, the PHI that has been restricted.

Disclosures about decedents

Under the new rule, providers may disclose PHI to family members of a decedent who were involved in the person’s care prior to his or her death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

Sale of PHI

The new rule requires providers to obtain an individual’s authorization for the sale of his or her PHI, with some exceptions, including disclosures for payment or treatment and permitted disclosures to patients in exchange for a reasonable fee.

Fundraising

In any fundraising materials sent by a provider, the provider is required to give individuals the opportunity to opt out of receiving further fundraising communications.

Research authorization

The new rule permits a provider to combine a “conditioned” authorization (one for the disclosure of PHI for research purposes that the patient must sign in order to be treated) with an “unconditioned” authorization for the use of PHI for other purposes, provided that the combined authorization allows the individual to opt in to the unconditioned activities and the research does not involve the use or disclosure of psychotherapy notes. These authorizations may also encompass future research, which was not permitted under the existing rules.

Marketing

The definition of “marketing” has been modified to encompass communications by a provider for purposes of treatment and health care operations about health-related products or services if the provider receives financial remuneration for making the communication from or on behalf of the third party whose product or service is being described. A provider must obtain an individual’s written authorization prior to sending marketing communications to the individual.

Notice of privacy practices

As a result of the new rule changes described above, providers must revise their notices of privacy practices to advise individuals of their rights regarding breach notification, fundraising opt-outs, and marketing and sale of PHI, as well as their right to restrict disclosures to health plans in certain instances.

The new rule also eliminates requirements to include information on communications concerning appointment reminders, treatment alternatives, or health-related benefits or services in the notice, but the rules do not require that such information be removed. Providers will have to post the revised notice in a clear and prominent location, and have copies available at their office to give to patients upon request. If a provider maintains a website, the notice must be updated on the website.

Business associates

The new rule expands those entities that are considered to be “business associates” and confirms that business associates are directly subject to the HIPAA privacy and security rules. A business associate is an individual or entity that provides a service or function on behalf of a covered entity and receives PHI from or on behalf of the covered entity. The rule adds “subcontractors” to the definition of “business associate.” As a result, all downstream entities that handle PHI for a business associate will also have direct liability under HIPAA. Other examples of business associates added by the new rule include:

  • patient safety organizations;
  • health information organizations (including health information exchanges), e-prescribing gateways, and document storage entities that receive PHI; and
  • entities that offer personal health records to patients on behalf of a covered entity.

HHS has published sample business associate agreement provisions on its website at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. The sample provisions are merely recommendations. Such agreements must be carefully crafted to ensure liability is not unnecessarily imposed on the covered entity or business associate. New business associate agreements must comply with the new rule by Sept. 23, 2013. Existing business associate agreements do not need to be modified until Sept. 22, 2014.

With so many changes and the potential for such high penalties, providers will need to develop a HIPAA compliance strategy in a timely fashion. Look for tips on doing so in next month’s Answers in Practice column in Dermatology World.

AAD resources available to help with HIPAA

The AAD offers a variety of resources to help members handle HIPAA compliance by the Sept. 23, 2013 deadline. A significant body of knowledge on the topic is available on the AAD website at www.aad.org/hipaa.

The AAD will also offer A Guide to HIPAA and HITECH for Dermatology, which outlines new HIPAA compliance obligations for the privacy, security, and breach rules, and much more. The manual includes information about:

  • New obligations and liabilities of business associates and subcontractors
  • New breach notification requirements
  • What happens if protected health information is disclosed through an EHR
  • Stronger enforcement of HIPAA/HITECH violations and imposition of penalties
  • Updated privacy practice form

To learn more, visit www.aad.org/store.

Members will also be able to purchase the HIPAA webinar series. These three pre-recorded webinars will each offer a certificate of completion and will cover the topics below:

  • Webinar 1 - HIPAA Omnibus Rule
  • Webinar 2 - HIPAA Privacy Rule
  • Webinar 3 - HIPAA Security Rule

To learn more, visit www.aad.org/webinars.
