HIPAA Update: Omnibus Rule Finalized

The U.S. Department of Health and Human Services (HHS) has published its final regulations (the “Omnibus Rule”) implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified and expanded the existing HIPAA Privacy and Security Rules and related rules. An interim set of rules has been in place since 2010, and MIEC provided guidance at that time on complying with the interim rule; therefore, you may have already incorporated many of the required changes (such as the data-breach notification requirements) into your HIPAA policies and procedures. The following summarizes key points from the Interim and Final Rules and includes action items for updating your HIPAA policies and procedures. Unless otherwise noted, Covered Entities (CE) must comply with the Final Rule by September 23, 2013.

Business Associates

The definition of Business Associate (BA) has been clarified to include Patient Safety Organizations, health information exchanges, records storage facilities, cloud-based back-up providers and commercial data centers, and any subcontractor of a BA that creates, receives, maintains or transmits PHI on the BA’s behalf. Business Associates are now directly liable under HIPAA for complying with the Security Rule and with the Privacy Rule provisions that apply to them (not merely by contract), and they are liable for the conduct of their subcontractors.

Action Items:

  • Review the entities that use or maintain PHI on your behalf (including any vendor that stores PHI, such as an off-site or cloud back-up service) and determine whether any should be added to your list of Business Associates.
  • Ensure that BA agreements reflect the data breach notification requirements (these have been in place since 2010 and should already be included in your agreements).
  • If your current BA agreements don’t comply with the HITECH interim rule requirements, or no BA agreement yet exists, you must execute compliant agreements by September 23, 2013. If existing contracts are compliant with the pre-Omnibus Rule provisions, Covered Entities have until September 23, 2014 to bring those BA agreements into conformance with the new rules.

Privacy Changes

Patients have expanded rights with respect to how their protected health information (PHI) is used, accessed, and disclosed:

  • Patients who pay in full, out of pocket, for a treatment can request that information regarding that treatment not be disclosed to their health plan; providers must comply with these requests.
  • Physicians may disclose immunization records to schools that are required by law to obtain proof of immunization before admitting a student, so long as the physician obtains and documents the parent’s or guardian’s agreement to the disclosure (the agreement may be informal, e.g., oral).
  • Physicians may make disclosures to a decedent’s family and friends under the same circumstances in which such disclosures were permitted when the patient was alive. In addition, HIPAA protections for PHI end 50 years after the patient’s death.
  • Physicians must produce copies of ePHI in the electronic form and format requested by the individual if the records are “readily producible” in that format. Physicians now have 30 days to respond to a patient’s written request for his or her PHI, with one 30-day extension, regardless of where the records are kept (eliminating the longer 60-day timeframe for records maintained off-site).
  • Physicians may send copies of medical records via unencrypted e-mail only if the requesting individual has been advised of the risk and still requests that form of transmission. The covered entity will not be held responsible for unauthorized access to PHI while it is in transit to the patient based on the patient’s informed request. NOTE: This protection applies only to situations in which the patient requests copies of his or her medical records via e-mail; it does not apply to general e-mail exchanges involving PHI.
  • You may charge the patient for producing copies: the charge is limited to a reasonable, cost-based fee covering labor and supplies, including the cost of any portable media (e.g., USB memory stick, CD).

The Final Rule also tightens the rules on the sale of PHI (which now requires the patient’s written authorization), on marketing to patients (most communications for which the practice receives payment from a third party require authorization), and on fundraising from patients (each fundraising communication must give the patient a clear and conspicuous opportunity to opt out).

Action Items:

  • Implement a consent form for patients who request copies of medical records via e-mail, describing the potential risks of communicating in this fashion.
  • Update your Privacy Policy and Notice of Privacy Practices (NPP); sample language is available through MIEC HIPAA forms.
  • Post the updated NPP in the office and on your web site.
  • Determine, with input from all affected departments, how you will comply with patient requests not to disclose information to a health plan (when the patient has paid in full, out of pocket).

Breach notification

For a full description of the “breach notification” requirements, which have been in effect since 2010, see MIEC’s newsletter on the HITECH Act (Special Report Claims Alert, No. 43). In a nutshell, physicians and Business Associates are required to notify patients and the federal government (and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets) of breaches of unsecured PHI, and to conduct and document risk assessments. PHI that has been encrypted or destroyed in accordance with HHS guidance is not “unsecured,” so its loss does not trigger notification. The obligation to notify patients (and the government) of a breach of their PHI is expanded and clarified under the new rules. An impermissible use or disclosure is now presumed to be a reportable breach unless, after completing a risk assessment applying at least the following four factors, the covered entity or BA demonstrates that there is a “low probability that the PHI has been compromised.” This “low probability of compromise” standard replaces the previous, more subjective “significant risk of financial, reputational or other harm” analysis for establishing a breach. Risk assessments must now consider at least:

  • The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification, and the sensitivity of the information;
  • The unauthorized person who used the PHI or to whom the disclosure was made and whether that person has an independent obligation to protect the confidentiality of the information;
  • Whether the PHI was actually acquired or viewed (this may be determined forensically in some instances, e.g., by examining a recovered device for evidence that the files were opened); and
  • The extent to which the risk to the PHI has been mitigated (e.g., satisfactory assurances from a trusted third party that the information was destroyed or not further used or disclosed).

MIEC policyholders who have experienced, or believe they may have experienced, a potential data breach should contact MIEC for assistance.

Action Items:

  • Update your data breach risk assessment policies to reflect the replacement of the “harm threshold” with the “low probability of compromise” assessment criteria, and document each assessment (the burden of proving that notification was not required rests with the practice).

Penalties and enforcement

The Interim Rule increased civil penalties (tiered by level of culpability, up to $1.5 million per year for all violations of an identical provision) and expanded enforcement authority to include state Attorneys General. In addition, the Office for Civil Rights (OCR) has begun auditing covered entities rather than relying solely on complaints or reported data breaches to trigger an investigation. OCR continues to work with Covered Entities toward HIPAA compliance; the severity of fines depends on whether the CE did not know of the violation, had reasonable cause, or acted with willful neglect, and on whether a violation was corrected promptly, so a documented good-faith effort to comply with the HIPAA and HITECH rules and regulations matters.

Action Items:

  • Provide workforce training to update staff on the new requirements, and document who was trained and when.

Sidebar: Accounting of Disclosures

The HIPAA Privacy Rule requires that physicians, upon patient request, produce an accounting of “non-routine” disclosures of the patient’s PHI, i.e., disclosures unrelated to treatment, payment, or health care operations. The HITECH Act and a proposed (not yet finalized) rule would require covered entities that use electronic health records to produce, upon patient request, an accounting of all disclosures from the record, including those made for treatment, payment, and operations. The Final Rule does not include a final determination on whether this will be required of covered entities. MIEC will update policyholders as clarification on the Accounting of Disclosures becomes available.