On Jan. 25, 2013, HHS released the HIPAA omnibus final rule, clarifying and expanding existing requirements in accordance with the HITECH Act. While the final rule officially went into effect March 16, a date more meaningful and pressing to providers is looming — the compliance deadline of Sept. 23.
During a webinar on Sept. 4, Holly Carnell and Meggan Bushee, both associates with the law firm McGuireWoods, outlined key changes to HIPAA under the final rule, and steps hospitals should take to prepare for Sept. 23.
1. Breach notification. "The change in breach notification rules could be the most substantial change" in the final rule, said Ms. Bushee. Under HIPAA, a breach is defined as the dissemination, acquisition or release of patient information in a manner that compromises its security or privacy. Before the final rule, a breach had to "pose a significant risk" of harm to be subject to notification obligations. "This subjective standard has been replaced by the more objective standard that requires an organization to prove there is a low probability that PHI has been compromised," said Ms. Bushee.
To help avoid a reportable breach, Ms. Carnell recommends taking advantage of the encryption safe harbor: because the breach rule applies only to unsecured PHI, encrypted PHI generally is not considered unsecured when determining whether a breach has occurred. "If you encrypt the information and then something happens, like the theft of a laptop, you could avoid reporting a breach because the PHI is secured," she said.
If a breach does occur, the breach reporting requirements have stayed the same. According to Ms. Carnell, "It is critical to put time and thought into the breach notification letter so as to put affected individuals on notice of the breach without causing undue stress."
2. Expanded liability of business associates. Under the new rule, HHS has clarified that a business associate is any entity that creates, receives, maintains or transmits protected health information on behalf of the covered entity. The liability of these business associates will be expanded under the Privacy Rule and the Security Rule, and all business associate agreements need to be updated or created accordingly to reflect the changes under the final rule. A revised business associate agreement form should then be used in all business associate relationships going forward.
Generally, business associate agreements made effective before Jan. 25, 2013 and compliant with previous HIPAA regulations will be "grandfathered in" and have until Sept. 23, 2014 to be updated to reflect changes in the final rule. "Though if you wait, be sure the agreement qualifies for the extension under the extended compliance deadline," said Ms. Carnell, "and is completely compliant with the old regulations."
3. Subcontractors subject to HIPAA. Downstream subcontractors of business associates that create, receive, maintain or transmit PHI are also considered business associates and thus, subject to HIPAA, according to the final rule. These subcontractors cannot use, access or disclose PHI in a manner that would not be permitted by a business associate.
Additionally, an organization's business associates must have written agreements with subcontractors that meet the requirements for business associate agreements to protect PHI.
4. Patients' right to electronic copies of records. Under the final rule, providers are generally required to comply with a patient's request for an electronic copy of their PHI if the provider maintains such PHI in electronic designated record sets. However, "providers who only maintain hard copies of PHI are not required to convert the information into electronic form for the patient," explained Ms. Bushee.
5. Additional authorization required before selling PHI. Under the final rule, providers cannot use a patient's information for certain marketing purposes or sell a patient's information without the patient's consent. "The threshold question here is whether or not remuneration is received," said Ms. Carnell.
6. Broader disclosure of deceased patients' information. The final rule has revised the definition of PHI to exclude any patient deceased for more than 50 years, and allows for disclosure of deceased patients' information to family and friends who have a need to know. For example, a hospital could disclose information to a friend involved in paying the patient's medical bills, "as long as the information disclosed is limited to what is relevant to the friend’s involvement," said Ms. Bushee.
7. Notices of privacy practices. A hospital’s notice of privacy practices must include additional information under the final rule, including a patient's right to keep confidential from insurers information on any procedure the patient paid for in full out-of-pocket. This notice should also describe the requirement of patient authorization prior to the hospital’s sale of PHI, and the duty of the hospital to notify affected patients of a breach of unsecured PHI.
"Once the notice is updated, it needs to be distributed to all new patients, posted publicly on-site and on the hospital's website and made available to any current patients who request it," said Ms. Bushee. “Additionally, copies of the old notice and all acknowledgements from patients for both the old and new versions of the notice should be kept consistent with the HIPAA documentation retention requirements,” she said.
All in all, the HIPAA omnibus final rule requires a thorough internal audit of a hospital's policies and procedures. "Approval of any new policies should follow the provider's formal approval procedure, be it a board vote and noting the new policy in the board's meeting minutes, or obtaining written consent," said Ms. Bushee.
"A provider's staff should then be trained on the new procedures, a process that can be informal but must be effective," said Ms. Bushee, who added that training on new policies can be done at a prescheduled staff meeting. However, it is important to ensure staff have learned the new procedures and are ready to implement them.
"One good way to tell [if employees understand the new procedures] is to walk around and do an informal survey of random employees," says Ms. Carnell. "That will give you a pretty good idea."