Risk Management



HIPAA Omnibus Final Rule—What To Do

Kimberly Wynkoop, OMIC Legal Counsel (Digest, Vol. 23, No. 3)

After 10 years in the “HIPAA Privacy Enforcement Era,” the requirements of compliance continue to evolve. On January 25 of this year, the US Department of Health and Human Services Office of Civil Rights (“HHS”) published the HIPAA Omnibus Final Rule (“Final Rule”), modifying the privacy, security, breach notification, and enforcement rules. These modifications implemented most of the privacy and security provisions of the 2009 HITECH Act. The Final Rule became effective March 26, 2013, and compliance in most areas was required by September 23, 2013. However, existing business associate agreements do not need to be updated until September 22, 2014, as long as they are not modified or renewed prior to that date. We understand many ophthalmologists are still struggling with some of the nuances of these changes and how they impact their practices. This article will suggest actions you should take to implement the changes to your privacy, security, and breach notification procedures necessitated by the Final Rule. For personalized advice, insureds may consult one of OMIC’s risk managers at 800.562.6642, option 4. Remember that the HIPAA requirements are the baseline. Your state may have stricter applicable privacy and security standards.

Update your Notice of Privacy Practices

The Final Rule necessitates several amendments to covered entities’ (CEs’) Notice of Privacy Practices (NPP). On the Final Rule compliance date, the government published a plain language sample NPP, which can be found at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. It provides a minimal approach to patient notification. Prior to publication of the government’s sample, OMIC created its own sample and acknowledgment form, which can be downloaded at http://www.omic.com/hipaahitech-resources/. It provides a more in-depth description of permissible uses and disclosures, authorization requirements, and patient rights. The following are the changes that must be addressed. (See OMIC’s sample and “Other Final Rule Changes” below for more detail.)

The NPP should include a statement that for any use or disclosure not described in the NPP, the CE must obtain written authorization from the individual. The NPP must alert patients that they can opt out of fundraising communications from the CE. It must tell patients that the CE will never share their protected health information (“PHI”) for marketing purposes, sell their PHI, or share their psychotherapy notes, unless the patient gives them written permission. The NPP must tell patients they have the right to see or get an electronic or paper copy of their PHI (or direct receipt to a third party), usually within 30 days of their request, and the CE may charge a reasonable, cost-based fee. The NPP must inform patients that if they pay for a service or health care item in full, out-of-pocket, they can request that the CE not share this information for the purpose of payment or health care operations with the patient’s health insurer. The NPP must state that patients have the right to receive notification of a breach of unsecured PHI. Remember that you can include additional, voluntary limitations on your use or disclosure of PHI, but you will be bound by this promise if you do.

The CE must post the revised NPP. The CE may provide email copies, if patients have agreed to electronic notice, or have patients read a laminated copy of the NPP in the office, but must also make hard copies available to take. The CE must use its best efforts to obtain acknowledgment of receipt of the NPP from new patients. If the CE maintains a website, it must post the updated NPP there as well.

Assess your security risks, safeguards, and breach plans

The HIPAA Security Rule requires CEs to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (“ePHI”). HHS specifies that CEs can take a flexible approach, using any security measures that allow the CE to reasonably and appropriately implement the standards and implementation specifications. The implementation specifications are either “required” or “addressable.” CEs must assess how reasonable and appropriate it is to implement the addressable standards and how likely they are to contribute to protecting the CE’s ePHI, and implement them where appropriate. If not implementing the addressable specification, the CE must document why not, and implement an equivalent alternative measure if reasonable and appropriate. Encryption, for example, is an addressable standard. However, in order to avoid reporting security breaches under the Breach Notification Rules, encryption is a de facto necessity.

HIPAA requires that CEs notify individuals whose unsecured PHI has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the PHI. The notification requirements still only apply to breaches of unsecured PHI. In other words, if PHI is encrypted or destroyed in accordance with the HIPAA guidance, there is a “safe harbor” and notification is not required. Likewise, the definition of breach still specifically excludes various unintentional and inadvertent acquisitions or disclosures where further impermissible use or disclosure did not result and disclosures of PHI where the unauthorized recipient would not reasonably have been able to retain such information. However, the exception for limited data sets without birth dates and zip codes has been removed.

Under the Final Rule, HHS has changed the threshold test for determining whether notice of a security breach must be given. The old test was whether the breach posed a “significant risk of reputational, financial or other harm” to affected individuals. Now, any use or disclosure of unsecured PHI is presumed to be a breach requiring notice unless a risk analysis reveals a “low probability” that PHI has been compromised. The analysis must consider at least the following factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether PHI was actually acquired or viewed; and the extent to which any risk to PHI has been mitigated. No risk assessment is needed if the CE decides to report the breach, though the CE will want to undertake an appropriate review in order to determine how to mitigate the harm and reduce the likelihood of future breaches. All documentation related to the breach investigation, including the risk assessment, must be retained for a minimum of six years. The notification and timing provisions for reporting breaches of unsecured PHI have not changed.

The CE should outline these breach assessment and response steps in a written plan. OMIC’s sample plan and breach notification letter can be found in OMIC’s HIPAA/HITECH Resources.

Amend your business associate agreements

Most of the Privacy Rule and all of the Security Rule now apply directly to business associates (“BAs”) and their subcontractors, who are all now directly liable for their own HIPAA violations. Subcontractors of BAs (and even subcontractors of subcontractors) may now be BAs themselves if they create, receive, maintain, or transmit PHI on behalf of the BA. CEs do not need business associate agreements (“BA agreements”) with these subcontractors. This is the responsibility of the first downstream BA. The CE, though, must require their BAs to enter into such agreements with the BAs’ subcontractors.

The Final Rule expands and clarifies the definition of a BA. A BA is one who, on behalf of a CE, “creates, receives, maintains, or transmits” PHI. This includes claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; and repricing. A BA is also one to whom PHI is disclosed so that person can provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a CE. The definition of BA also specifically includes a person who offers a personal health record to one or more individuals on behalf of a CE, and a health information organization, e-prescribing gateway, or other person who provides data transmission services to a CE and who requires “access to PHI on a routine basis.” The determination of whether a data transmission organization has access on a routine basis is fact specific, based on the nature of services provided and the extent to which the entity needs access to PHI to perform its service for the CE. Entities that act as “mere conduits” for the transport of PHI but do not access PHI, other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law, are not BAs. The conduit exception is narrow and is intended to exclude only those entities providing courier services, such as the US Postal Service, United Parcel Services, and their electronic equivalents, such as internet service providers (ISPs), and telecommunications companies. The conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains PHI on behalf of a CE, such as a data storage company, is a BA and not a conduit, even if the entity does not actually view the PHI. The difference between the two situations is the transient versus persistent nature of that opportunity to access PHI.

The new BA definition also states that a CE may, itself, be a BA of another CE. If so, the CE will need a BA agreement with the CE-BA (just like with a regular BA). A BA relationship also arises between a person performing any of the above described functions or activities on behalf of, or to or for, an organized health care arrangement (“OHCA”) in which a CE participates.

Institutional Review Boards (“IRBs”) are not BAs merely by virtue of their research review, approval, and oversight activities. While researchers are, likewise, not BAs by virtue of their research activities, HHS has confirmed that researchers may be BAs if they perform a service for the CE, such as de-identifying PHI or creating a limited data set or contacting individuals to obtain their authorizations for disclosure or use of the PHI for research, even if such tasks are ultimately for the researcher’s own use. Organ procurement organizations (“OPOs”), such as eye banks, are generally neither CEs nor BAs, and no HIPAA authorization is needed for CEs to use or disclose PHI to OPOs to facilitate donation and transplantation. CEs will need to reevaluate their business relationships to determine who now qualifies as a BA and enter into or update their BA agreements with them.

The Final Rule also modified several BA agreement requirements. CEs no longer need to report failures of the BA to the government when termination of the BA agreement is not feasible, as HHS has concluded that the BA’s direct liability for these violations is sufficient. BAs must comply with security and breach notification rules. With regard to breach notification, BAs must report security breaches to CEs; CEs are then required to report breaches to affected individuals, HHS, and in some cases, the media. CEs may propose in their agreements that BAs assume the responsibility of providing such breach notifications directly and pay the costs associated with such notification.

Under the Final Rule penalty provisions, CEs are liable for civil money penalties if BAs who are their agents violate HIPAA. (Likewise, BAs are liable for the actions of their agents, including subcontractors.) Therefore, CEs should seek legal advice to determine whether their various BAs are agents or independent contractors. The Federal common law of agency applies. The terms or labels given to the parties (for example, “independent contractor”) do not control whether an agency relationship exists. The essential factor is the right or authority of a CE to control the BA’s conduct in the course of performing a service for the CE.

HHS has provided a sample BA agreement at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. OMIC’s can be downloaded at OMIC’s HIPAA/HITECH Resources. For more guidance from the government on determining who is a BA and CEs’ and BAs’ responsibilities, see http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/.

Other Final Rule Changes

Fundraising: Additional types of PHI now may be used for fundraising, such as service department, treating physician, and general outcome. Opt-out notices must be clear and conspicuous on each fundraising piece. The opt-out cannot be unduly burdensome (e.g., provide a toll free number or email address; do not require a postal letter) and must be honored.

Marketing: CEs must obtain prior written authorization before communicating with patients about a third-party’s treatment-related products or services unless the CE receives no compensation for the communication or the communication is face-to-face. Authorization is not needed to send patients information about appointments, treatments, or the patient’s medications so long as any compensation the CE receives only covers the reasonable costs of making the communication. CEs may communicate with patients to encourage a healthy lifestyle, get routine tests, or participate in a disease management program, or about government benefit programs, without patient authorization. CEs may give patients promotional gifts of nominal value, health-related (e.g., eye drops) or not (e.g., pens or notepads with the third party’s logo).

Sale of PHI: The prohibition on sale of PHI without authorization covers agreements to license or lease access to PHI, remuneration in the form of in-kind benefits (not just money), and disclosures in conjunction with research if the CE’s remuneration includes any profit margin. Authorizations for sale must state that disclosure of PHI will result in remuneration to the CE.

Public Health: CEs may release immunization records to schools without an authorization, with informal, documented guardian permission.

Decedents: CEs can make disclosures to decedents’ friends and families in the same circumstances and manner they could if the patient were alive. HIPAA protection for decedents’ medical information ends 50 years after death.

Research: CEs may combine conditioned and unconditioned authorizations for each research participant, provided individuals can opt-in to the unconditioned activity. Authorization may also encompass future research.

Encryption: CEs may send PHI through unencrypted email if an individual is advised of the risk and still chooses receipt via unencrypted email. (Document their consent.)
