On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “Omnibus Rule,” a final set of regulations that enforces various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which in turn is designed to strengthen the Health Insurance Portability and Accountability Act (HIPAA). In general, the new rules expand the obligations of physicians and other health care providers to protect patients’ protected health information (PHI), extend those obligations to others who have access to PHI, and increase the penalties for violations.
There are several basic areas in which providers will need to comply:
- Privacy, Security, and Breach Notification policies and procedures. The Omnibus Rule:
  - Makes business associates and their subcontractors directly liable for monetary penalties under HIPAA
  - Strengthens the restrictions on the use and disclosure of PHI for marketing and fundraising purposes, and prohibits the sale of PHI without the patient’s permission
  - Expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the patient has paid the entire charge out-of-pocket
  - Increases civil monetary penalties for security breaches under the HITECH Act
  - Clarifies the definition of a privacy breach
- Notice of Privacy Practices (NPP)
- Business Associate (BA) Agreements
The new rules will likely require changes to your HIPAA policies and procedures in the following areas:
- Breach notification requirements – The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the new rules. Breaches are now presumed reportable unless, after completing a risk analysis that applies four factors, it is determined that there is a “low probability of PHI compromise.” Physicians must consider all of the following four factors:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  - The unauthorized person who used the PHI or to whom the disclosure was made
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk to the PHI has been mitigated
- Reportable breach – Any unauthorized use or disclosure of PHI is presumed to be a breach unless the covered entity (CE) or BA can demonstrate a low probability that the PHI has been compromised. Importantly, the CE or BA bears the burden of proof to show either that all required notifications were provided or that an impermissible use or disclosure did not constitute a breach, and must maintain documentation sufficient to meet that burden of proof.
- Disclosures to health plans – At the patient’s request, physicians may not disclose information about care the patient has paid for out-of-pocket to health plans. This change will have the greatest impact on practice workflow, both in terms of documentation and of follow-up to ensure the restriction is adhered to.
- Sale of PHI – The new rules clarify the prohibition on the sale of PHI without the patient’s written authorization.
- Decedents – The new rules allow physicians to make relevant disclosures to the deceased’s family and friends under essentially the same circumstances such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the physician is unaware of any expressed preference to the contrary.
- Emailing PHI – Physicians must also consider transmission security, and may send PHI in unencrypted emails only if the requesting individual is advised of the risk and still requests that form of transmission.
Enforcement and Penalties:
- Lowest tier – cases in which the physician did exercise due diligence and did not know of the breach. Penalties are between $100 and $50,000 for each violation.
- Intermediate tier – cases in which the physician knew, or by exercising reasonable diligence should have known, of the violation, but did not act with willful neglect. Penalties are between $10,000 and $50,000 for each violation.
- Two highest tiers – cases in which the physician “acted with willful neglect” and either corrected the problem within the 30-day cure period or failed to make a timely correction. Penalties are not less than $10,000 per violation and will not exceed $1.5 million in a calendar year.
Required changes to NPPs must include the following:
- Authorization is required for uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI.
- A statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual to whom the PHI relates.
- A statement that individuals who pay out-of-pocket in full for a healthcare item or service have the right to restrict disclosures of PHI to their health plan.
- A statement that individuals will be notified following a breach of unsecured PHI.
Business Associates (BAs)
Under the Omnibus Rule, BA agreements (BAAs) must reflect the following:
- BAs are now responsible for their subcontractors.
- BAs must comply with the Security and Breach Notification Rules.
- Physicians are liable for the actions of their BAs who are agents, but not for the actions of those BAs that are independent contractors.
- Business associates must comply, where applicable, with the Security Rule with regard to electronic PHI.
- Business associates must report breaches of unsecured PHI to covered entities.
- Business associates must ensure that any subcontractors agree to the same restrictions and conditions that apply to the business associate.
Physicians have until September 23, 2014, to bring all BA agreements into compliance with the new rules. It is important that you make the necessary changes before that date.