New HIPAA Rule Overview
By Brian Ahier
Four years ago, the HITECH Act introduced major revisions to HIPAA. Now everyone is all atwitter since the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has published the omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules as well as additional changes required under the Genetic Information Nondiscrimination Act of 2008 (GINA).
"Much has changed in healthcare since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius said in a statement. "The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age." This rule also creates a lot of work for healthcare organizations.
First off, organizations will need to amend notices of privacy practices and make sure the revised notices are properly posted and distributed. This means creating new forms and posters as well as allocating resources for legal review. There will likely be other forms, such as requests for access, that should also be updated or created. There will also be a need for workforce training to promote more ongoing awareness among staff. This is a good opportunity to take advantage of the safe harbor provision by encrypting PHI according to HHS guidance.
The rule has significantly expanded the scope and impact of the Privacy and Security Rules on business associates. Anyone providing services to a health plan or healthcare provider who receives or generates PHI may be subject to these expanded provisions. Previously, most business associates were subject to the Privacy and Security Rules only through a business associate agreement with the covered entity. Now, even if there is no BAA, if you are simply acting as a business associate, you are liable under HIPAA. The rule specifically identifies as business associates subcontractors, patient safety organizations, health information organizations (and similar organizations), e-prescribing gateways, and vendors of personal health records that provide services on behalf of a covered entity.
Another interesting development is that the rule revises the definition of a “breach,” which will serve to make breach notification much more likely. The HITECH Act requires covered entities and business associates to provide notification following discovery of a breach of unsecured PHI. Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA privacy rule that “compromises the security or privacy” of the PHI unless an exception applies.
The rule amends the definition of breach to clarify that the impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach and breach notification is necessary unless a covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.
Previously, under the interim final breach notification rule, the privacy or security of PHI was deemed to be compromised if there was a significant risk of financial, reputational, or other harm to the individual as a result of the impermissible use or disclosure of PHI (commonly referred to as the “harm standard”). In other words, if you could demonstrate no significant risk of harm, then the incident did not rise to a reportable breach.
The new rule replaces this "harm standard" with what HHS calls a more objective process for assessing whether PHI has been compromised. The new standard, however, still appears to leave covered entities and business associates with a lot of questions. The rule has deleted the definition of “compromises the privacy or security” of PHI (which was the harm threshold), and declined to adopt a clear standard requiring notification of all impermissible uses and disclosures without any assessment of risk.
The rule expands what uses and disclosures of PHI are considered marketing, thus requiring an individual’s authorization; however, the new marketing restrictions do not impact a covered entity’s face-to-face communications with individuals. For example, prior to this new rule, an authorization would not be required for a hospital to send a brochure to its patients about a new imaging device being used by the hospital, even if the communication was paid for by the manufacturer of the imaging device.
Now the hospital would no longer be permitted to send communications about its new imaging device if the manufacturer of the device pays the hospital for the communications, unless the hospital first gets authorizations from its patients. The rule provides an exception for communications about drugs that are currently prescribed to an individual, as long as any payment is reasonably related to the covered entity’s cost of making the communications. For example, a drug manufacturer would be able to subsidize a physician’s cost for sending out refill reminders.
The rule has also implemented a new tiered penalty structure. Depending on the degree of knowledge that the covered entity had or should have had regarding the violation, penalties for each violation range between $100 (did not know or have reason to know) and $50,000 (willful neglect without correction), with a maximum penalty for a given year of $1,500,000 for any violations of the same requirement or prohibition. It will be very interesting to see how aggressive enforcement is over the next few years.
One of the significant changes in the rule is the expanded rights for patient access to electronically stored PHI. The rule extends beyond the rights promulgated under Meaningful Use and provides the right to obtain an electronic copy of PHI stored electronically in a designated record set (e.g., medical records, billing records, and other records relied upon to make decisions about the individual) rather than simply an electronic health record.
If the covered entity can’t readily produce the form and format requested, then it must offer other electronic formats that it can provide. If the patient doesn’t agree to any alternate electronic formats offered by the covered entity, then the covered entity must provide a hard copy as an option to fulfill the access request. Also, if an individual requests that a copy of his or her PHI be sent via unencrypted email, then after advising the individual of the risks a covered entity is permitted to do so.
Another notable requirement is that covered entities now have 30 days to fulfill a request, with the possibility of a single 30-day extension. Electronic and hard copy PHI, no matter where the data are located, must be provided within the timeframe.
The rule also clarifies the fees that may be charged. For example, the rule adopts the proposed amendment at § 164.524(c)(4)(i) to identify separately the labor for copying protected health information, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee. However, fees associated with maintaining systems and recouping capital for data access, storage and infrastructure are not considered reasonable, cost-based fees, and are not permissible to include. The rule also clarifies that a covered entity may not charge a retrieval fee (whether it be a standard retrieval fee or one based on actual retrieval costs).
Even with some of the protections in the Affordable Care Act, the rule still provides that a covered entity must comply with an individual’s request to restrict disclosure to a health plan (or the plan’s business associate) of PHI that pertains solely to a health care item or service for which the health care provider has been paid out-of-pocket and in full. This right extends to situations where a family member or other person, including another health plan, pays for the service on behalf of the individual.
Last week I joined Deven McGraw and David Harlow for a Google Hangout where we discussed the new HIPAA rules. It was a lively discussion and is well worth taking the time to see, so grab some popcorn and watch the video for some great insights.