HIPAA Final Rule Compliance Deadline
HIPAA Final Rule Compliance Deadline is Approaching Quickly for Health Care Providers and Health Plans
By: Dawn Snow Mattox
On January 25, 2013, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) published the much anticipated final omnibus rule implementing the Health Information Technology for Economic and Clinical Health Act (HITECH) under HIPAA. The final HITECH rule modifies the Privacy Rule, Security Rule, Breach Notification Rule, Genetic Information Nondiscrimination Act of 2008 Rule (GINA), and the Enforcement Rule for covered entities and business associates handling protected health information (PHI) on their behalf.
If you are a health care provider who transmits any health information in electronic form in connection with a covered transaction, you are a covered entity for purposes of the HIPAA Rules. If you are an employer that has a group health plan (including insured and self-insured plans) that provides and pays for medical care to employees or their dependents, you are a covered entity for purposes of the HIPAA Rules. As a covered entity, you should already have a HIPAA compliance program in place. The following is a brief summary of some of the major features of the final HITECH rule (the "Final Rule") that will go into effect on September 23, 2013.
Business Associates and Business Associate Agreements. Under the prior rules, business associates were not directly governed by the Privacy or Security Rules. Rather, business associates' obligations arose out of business associate agreements with their covered entity clients. Some of the most significant changes in the Final Rule are those affecting business associates. The Final Rule makes a business associate directly liable for:
• failing to comply with the Security Rule (business associates must implement administrative, physical, and technical safeguards along with policies and procedures as required by the Security Rule);
• impermissibly using and disclosing PHI (e.g., uses or disclosures not permitted or required by the applicable business associate agreement or by law);
• failing to use, disclose, or request the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, as required by the minimum necessary standard;
• failing to enter into business associate agreements with subcontractors that create, receive, transmit, and maintain PHI on the business associate's behalf;
• failing to provide a breach notification to a covered entity as required by the Breach Notification Rule;
• failing to provide access to a copy of PHI to either the covered entity, the individual who is the subject of the PHI, or the individual's designee (whichever is specified in the applicable business associate agreement); and
• failing to disclose PHI where required by the Secretary of HHS to investigate or determine the business associate's compliance with the rules.
The Final Rule also expands the definition of "business associate" to cover certain organizations, some of which have only indirect relationships with the health care industry. Specifically, the Final Rule expands the definition of business associates to encompass health information organizations, personal health record vendors, patient safety organizations, and e-prescribing gateways (or others providing data transmission services with respect to PHI to a covered entity that requires routine access to PHI). As a result, the Final Rule may affect organizations that have only an indirect relationship with the health care industry and lack a full appreciation of their new compliance obligations.
Notice of Privacy Practices (NPP). The Final Rule requires that NPPs include a statement that certain kinds of uses and disclosures (e.g., marketing) require an authorization. The Final Rule also adopts the requirement for health plans that perform underwriting to include in the NPPs a statement that they are prohibited from using or disclosing PHI that contains genetic information about an individual for underwriting purposes. With respect to health plans that post their NPPs on their websites, rather than requiring the health plan to provide the NPP to individuals within 60 days of a material change, the Final Rule allows such health plans to post the revised NPPs on their websites by the effective date of the change and then notify individuals in their next annual mailing. However, notice and a separate statement informing the individual will be necessary if the covered entity desires to disclose PHI to the sponsor of a group health plan, health insurance issuer, or HMO. In addition, if an entity is a health plan, notice of an intention to disclose for underwriting purposes is required.
Restrictions on Disclosures to Health Plans. The Final Rule requires covered entities to comply with an individual's request to restrict disclosures of PHI to a health plan for the purposes of payment or health care operations if the information pertains solely to items or services paid out of pocket and in full.
Right to Access PHI. The Final Rule provides individuals with a right to request a copy of information maintained in their electronic health record in an electronic format. The covered entity must provide access in the particular electronic form or format requested if it is readily producible in the requested form or format. If the PHI is not maintained in the requested form or format, the entity must provide the individual with the PHI in a readable electronic form and format agreed to by both parties. In addition, covered entities must act on an individual's request for access to his or her own PHI, whether in paper or electronic form, within thirty (30) days following receipt of the request, regardless of whether the PHI is maintained onsite. No longer will off-site storage or inaccessibility warrant a 30-day extension of the customary deadline under the Privacy Rule.
Marketing. Regardless of whether a communication is for a treatment or health care operations purpose, all such communication will require an authorization from the patient/participant if a covered entity receives financial remuneration from a third party whose product or service is being marketed. By treating all communications as marketing communications, implementation is simplified for covered entities because they will not need to develop two processes based on the purpose of the communication. Instead, all marketing communications which involve financial remuneration require the covered entity to obtain a valid authorization from the individual before using or disclosing PHI. Further, the authorization must disclose the fact that the covered entity is receiving financial remuneration. The permitted disclosure is limited to the scope of the authorization given, which may be revoked at any time. The Final Rule also adopts additional exceptions to the authorization requirement. Most notably, refill reminders or other communications regarding drugs or biologics which are already prescribed for the individual do not require individual authorization. To fall within this exception, the financial remuneration received in exchange for communications about a drug currently prescribed to an individual must be "reasonable in amount," meaning that it must be reasonably related to the covered entity's cost of making the communication. The commentary clarified that permissible costs are those that cover the costs of labor, supplies, and postage to make the communication. Where the financial remuneration generates a profit or includes payment for other costs, it would not be considered "reasonable in amount." The other exceptions from the authorization requirement include communications that promote health but do not promote a product or service from a particular provider and communications about government and government-sponsored programs.
Sale of PHI. The Final Rule prohibits the sale of PHI without an authorization from the subject of the information. The Final Rule includes certain exceptions such as (1) disclosures of PHI for public health, research, treatment, and payment purposes; (2) disclosures in connection with the sale of all or part of the covered entity and related due diligence; (3) disclosures to or by a business associate in accordance with its duties to the covered entity; (4) disclosures to the subject of the information; (5) disclosures required by law; and (6) any other permissible purpose, as long as the remuneration received by the covered entity is limited to the costs required to prepare and transmit the PHI.
Genetic Information under GINA. The Final Rule modifies the Privacy Rule to: (1) add definitions for the GINA-related terms of "family member," "genetic information," "genetic services," "genetic test," and "manifestation" or "manifested"; and (2) make technical corrections to the definition of "health plan." With respect to the GINA-related terms, the Final Rule adopts definitions that are generally consistent with the definitions of such terms in the GINA Proposed Rule. The Final Rule applies the prohibition on using or disclosing PHI that is genetic information for underwriting purposes to all health plans that are covered entities under the Privacy Rule effective as of September 23, 2013, regardless of when or where the genetic information originated. The Final Rule also adopts a conforming change to clarify that an authorization cannot be used to permit a use or disclosure of genetic information for underwriting purposes.
Breach Notification Rule. The Breach Notification Rule requires notice to affected individuals, HHS, and possibly media outlets in the event of a breach of unsecured PHI. A reportable "breach" generally means any acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule. Under the prior version of the Breach Notification Rule, a breach occurred only if the acquisition, access, use, or disclosure of PHI posed a significant risk of financial, reputational, or other harm to the individual (the "harm standard"). OCR abandoned the harm standard in favor of what it believes to be a more objective presumption of a breach requiring notification. This presumption of a breach requiring notification is rebuttable upon the demonstration by the covered entity or business associate that a low probability exists that the PHI has been compromised. OCR established four primary factors that covered entities and business associates must consider as part of this risk assessment. At a minimum, each factor must be assessed to constitute a risk assessment under the Final Rule. The factors are:
• the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• the unauthorized person who used the PHI or to whom the disclosure was made;
• whether the PHI was actually acquired or viewed; and
• the extent to which the risk to the PHI has been mitigated.
Covered entities and business associates should implement policies and procedures for conducting and documenting the risk assessment for potential breaches of unsecured PHI described above. The risk assessment cannot be taken lightly. OCR expects covered entities and business associates to conduct thorough risk assessments in good faith and expects their conclusions to be reasonable.
Covered entities must notify affected individuals of breaches without unreasonable delay, but no later than 60 days from the discovery of the breach. A covered entity is deemed to have discovered a breach as of the date the breach is known to any of its workforce or agents (which may include some business associates based on the federal common law of agency) or the date it would have been known had reasonable diligence been exercised. Business associates must notify only their affected covered entities of breaches within that same time frame. Covered entities also must notify HHS, either within 60 days of the end of the calendar year in which the breach occurred or, depending on the number of affected individuals, at the same time the individuals are notified. Covered entities also may be required to notify the media depending on the number of affected individuals.
Enforcement. The Final Rule establishes four categories of violations that reflect increasing levels of culpability and four corresponding penalty tiers that increase the possible civil monetary penalties ("CMPs"). The outcome of the four penalty tiers turns largely on the defined terms "willful neglect" and "reasonable cause" and whether the covered entity or business associate corrects the HIPAA violation within 30 days of discovering it.