Implementing the New HIPAA Rules

Presentation transcript:

Implementing the New HIPAA Rules Presented By: Cinde Warmington, Esq. Shaheen & Gordon, P.A. 107 Storrs Street P.O. Box 2703 Concord, NH 03302-2703 603-225-7262 cwarmington@shaheengordon.com October 7, 2013

The Final HIPAA Omnibus Rule On January 17, 2013, DHHS issued its Final Rule with significant changes to the HIPAA Privacy, Security and Enforcement Rules. The effective date of the new Rule was March 26, 2013. The compliance deadline was September 23, 2013. With respect to existing compliant Business Associate Agreements (as of January 25, 2013): If the BAA is not renewed or modified before September 23, 2013, the BAA shall be deemed compliant until it is renewed or modified on or after September 23, 2013, or September 22, 2014, whichever is sooner.

Summary of Major Provisions Makes Business Associates directly liable for compliance with certain provisions of the HIPAA Privacy and Security Rules. Expands the types of entities subject to certain provisions of HIPAA to include subcontractors of Business Associates (to the extent they handle PHI), Health Information Organizations, patient safety organizations, e-prescribing organizations, and others who provide data transmission services.

Summary of Major Provisions Restricts the use and disclosure of PHI for marketing purposes. Restricts the use and disclosure of PHI for fundraising purposes. Prohibits the sale of PHI without authorization. Expands the rights of individuals to receive electronic copies of their PHI. Expands the rights of individuals to restrict disclosures to health plans when service was paid in full out of pocket.

Summary of Major Provisions Requires modifications to the Notice of Privacy Practices to advise individuals of new rights. Changes the requirements to allow certain disclosures about immunizations to schools. Changes the requirements to allow certain disclosures concerning a deceased individual to family members and others involved in the individual's care before death. Increases penalties for violations of the Privacy and Security Rules and clarifies how penalties are calculated.

Summary of Major Provisions Changes the breach notification requirement such that an unauthorized use or disclosure is considered to be a breach unless the covered entity concludes that there is a low probability that the information has been compromised. Clarifies that genetic information is PHI and restricts the use of such information for underwriting purposes.

Business Associates and Subcontractors Subcontractors are defined as “a person to whom a business associate delegates a function, activity, or services, other than in the capacity of a member of the workforce of such business associate.” Subcontractors that handle PHI are business associates of the covered entity and subject to the Business Associate provisions of the HIPAA rules. The covered entity is not obligated to contract with the subcontractor. The business associate is responsible for obtaining satisfactory assurances from the subcontractor.

Business Associates and the Enforcement Rule The Final Rule makes it clear that penalties apply to Business Associates. The covered entity is liable for the acts of its agents, including its business associates who are agents. Whether a business associate is an agent is fact specific, based on the terms of the agreement and the totality of the circumstances. The right or authority to control the business associate's conduct is the essential determining factor. Covered entities must be careful not to inadvertently create an agency relationship.

Business Associates and the Enforcement Rule Example of authority or control: If the Business Associate Agreement states that "a business associate must make available protected health information in accordance with § 164.524," this would not by itself create an agency relationship. But if the Business Associate Agreement states that "a business associate must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of the covered entity," this would create an agency relationship.

Business Associates and the Enforcement Rule The Final Rule does not make a covered entity or business associate liable for the acts of third parties that are not its agents.

Penalties Categories of Violations and Respective Penalty Amounts

Category                          Each violation    Max per violation/yr
Did Not Know                      $100 - $50K       $1.5M
Reasonable Cause                  $1K - $50K        $1.5M
Willful Neglect (Corrected)       $10K - $50K       $1.5M
Willful Neglect (Not Corrected)   $50K              $1.5M

Penalties The Secretary has discretion not to assess the maximum penalty. The counting methodology will be applied on a case-by-case basis, but generally: Multiple individuals affected by a single improper use or disclosure would be counted by the number of individuals affected. Continuing violations (e.g. a lack of a safeguard) would be counted on a per-day basis. A covered entity can be subject to multiple violations of up to $1.5M for each violation.

Penalties Factors to be considered in assessing penalties include: The nature of the violation. The nature and extent of the harm resulting from the violation. The history of prior compliance. The financial condition of the covered entity or business associate. Other matters as justice may require.

Penalties The Final Rule prohibits the imposition of penalties if the violation is: Not due to willful neglect, and Corrected during either: The 30-day period beginning on the date the covered entity or business associate knew or, by exercising reasonable diligence, would have known of the violation; or Such additional period as the Secretary determines is appropriate. MOVE QUICKLY TO CORRECT THE VIOLATION UPON DISCOVERY!

Restrictions on Using or Disclosing PHI for Marketing The Final Rule requires authorization for any use or disclosure of PHI for marketing. Marketing does not include: Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed, if the financial remuneration received is reasonably related to the covered entity's cost of making the communication. Certain treatment and health care operations purposes, unless the covered entity receives financial remuneration to make the communication. Also pay attention to New Hampshire law.

Sale of PHI The sale of PHI requires authorization unless it falls within one of the designated exceptions: For public health purposes. For research purposes. For treatment and payment purposes. For the sale, transfer, or merger of a covered entity. To a business associate for activities undertaken on behalf of a covered entity. In response to an individual's request. As required by law. For any other permitted purpose where the payment is a reasonable cost-based fee.

Sale of PHI An authorization for the Sale of PHI must state that the disclosure will result in remuneration to the covered entity.

Deceased Individuals’ Records Protection for the records of decedents is now limited to a period of 50 years after death. The Final Rule now permits a covered entity to disclose a decedent’s PHI to family members and others who were involved in the care or payment for health care of the decedent prior to death unless the decedent expressed contrary wishes prior to death.

Student Immunizations to Schools The Final Rule allows for the disclosure of PHI to a school where the individual is a student or prospective student, if: The PHI is limited to proof of immunization; The school is required by law to have such proof prior to admission; and The covered entity obtains and documents an agreement to disclose from either the individual (if an adult or emancipated minor) or a parent, guardian, or someone acting in loco parentis. (The agreement does not need to be in writing.)

Restrictions on Fundraising Each fundraising communication must provide an individual with a clear and conspicuous opportunity to elect not to receive further fundraising communications. The method for the individual to elect not to receive communications may not cause the individual undue burden or more than a nominal cost. BE SURE TO LOOK AT NEW HAMPSHIRE LAW!

Restriction on Disclosures A covered entity must agree to restrict the disclosure of PHI to a health plan if: The disclosure is for payment or health care operations and is not otherwise required by law; and The PHI pertains solely to a health care item or service for which the individual has paid in full. The covered entity needs to flag the record to be sure this information is not disclosed. This may be complicated when the individual requests the restriction for only a single item or service provided as part of an encounter that is billed.

Restriction on Disclosures Other complications include situations where the payment is dishonored; in that case, after making reasonable efforts to obtain payment, the covered entity can submit the charge to the health plan for payment. If the procedure requires precertification, the covered entity may want to collect up front, because failure to precertify will likely prevent the billing of the procedure if the payment is later dishonored.

Individual's Rights to Access PHI If PHI is stored electronically, individuals have a right to receive the PHI in that electronic format or, if it is not readily producible in that format, in another readable electronic form as agreed to by the covered entity and the individual. The individual has a right to designate that a copy of the PHI be transmitted to another person. The request must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI.

Individual’s Rights to Access PHI The covered entity can impose a reasonable cost-based fee for: Labor for copying. Supplies. Postage. Certified records: When an individual requests an affidavit accompany the records, the covered entity may charge the individual for the preparation of such affidavit.

Breach Notifications The prior rule provided that the covered entity would perform a risk analysis to assess whether the improper use or disclosure posed "a significant risk of financial, reputational or other harm to the individual." The Final Rule does away with this standard. The Final Rule presumes that an improper use or disclosure is a breach requiring notification, unless the covered entity (or BA) demonstrates that there is "a low probability that the PHI has been compromised based on a risk assessment of at least the following" four factors:

Breach Notifications The nature and extent of the PHI involved, the types of identifiers, and the likelihood of re-identification. For example, financial information (e.g. credit card numbers, social security numbers); clinical information (e.g. the nature of the services and the detail of the information involved). Example from the Preamble: For an unauthorized disclosure of a list of patient names, addresses, and hospital ID numbers, the covered entity would likely determine that there is more than a low probability that the PHI has been compromised. For a list of patient discharge dates and diagnoses, the result depends on whether the data can be re-identified.

Breach Notifications The person who used the information or to whom it was disclosed. Does the person who received the PHI have an obligation to protect its privacy and security? Whether the PHI was actually acquired or viewed. A lost and recovered laptop that shows no access (likely low risk). PHI mailed to the wrong address that was opened and returned (not necessarily a low probability of compromised data).

Breach Notifications The extent to which the risk to the PHI has been mitigated. Example from the Preamble: Obtain the recipient's satisfactory assurances that the information will not be further used or disclosed. This may yield different results depending on the recipient: "For example a covered entity may be able to obtain and rely on the assurances of an employee, affiliated entity, business associate, or another covered entity that the entity or person destroyed the information it received in error, while such assurances from certain third parties may not be sufficient."

Breach Notifications Breaches are treated as discovered by a covered entity or business associate as of the first day on which the breach is known or should reasonably have been known. The time period begins when the incident is first known, NOT when the investigation is complete, EVEN if it is initially unclear whether the incident constitutes a breach. If the Business Associate is an agent of the covered entity, then the date the BA discovers the breach is imputed to the covered entity.

Notice of Privacy Practices Covered Entities will have to modify their Notice of Privacy Practices to notify individuals of the following: For health plans, the prohibition against using or disclosing PHI that is genetic information for underwriting purposes. The prohibition on the sale of PHI without express written authorization (as well as marketing and psychotherapy records); The duty of the covered entity to notify affected individuals of a breach;

Notice of Privacy Practices If using PHI for fundraising, the right to opt out; The right of the individual to restrict disclosures of PHI to a health plan for which the individual has paid out of pocket in full.

Implementation Identify all Business Associates to ensure appropriate Business Associate Agreements are in place. Review and revise Business Associate Agreements as appropriate. Be careful not to inadvertently create agency relationships. Review and revise the Notice of Privacy Practices. Review and revise policies and procedures for compliance.