By Keith Loria
Vol. 14 No. 10 P. 16
New HIPAA rules kicked in on September 23, but is your organization compliant?
Although HIPAA has been a law since 1996, and the HITECH Act, which allows the federal government to directly enforce HIPAA requirements against business associates, has been around since 2009, a surprising number of covered entities and business associates have not been in compliance with the law. That’s why the US Department of Health and Human Services has modified its Omnibus Rule, enhancing a patient’s privacy protections, providing individuals with new rights to their health information, and strengthening the government’s ability to enforce HIPAA provisions.
The purpose of the new rule—which kicked in September 23—is to address and clarify certain aspects of the HITECH Act that did not have regulations in place and, in the case of the breach notification rule, to address concerns about the manner in which the regulations initially were written.
Under the new Omnibus Rule, patient rights have been expanded in numerous ways. Individuals now can ask for a copy of their medical record in an electronic form. When individuals pay with cash, they can instruct their provider not to share information about their treatment with their health plan. And there are new limits on how information may be used and disclosed for marketing and fund-raising purposes. The rule also prohibits the sale of an individual’s health information without his or her permission.
“This final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security rules since they were first implemented,” says Leon Rodriguez, JD, director of the Office for Civil Rights. “These changes not only greatly enhance a patient’s privacy rights and protections but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Most importantly, imaging organizations and radiologists must ensure that anyone with whom they share patients’ protected health information (PHI)—whether a transcription service, billing company, EMR vendor, data storage facility, or even a law firm that handles a reimbursement appeal or some other matter on their behalf—signs a business associate agreement that contains all of the newly required provisions.
Under the new rule, any party that maintains PHI is considered a business associate, whether or not that party actually accesses the data as part of the services it provides. The new rule also requires that parties involved in a business associate agreement spell out their respective responsibilities in the event of a data breach along with certain other changes and clarifications.
Matt Kinley, JD, a partner in the law firm Tredway, Lumsdaine & Doyle in southern California, says the following items should have been updated as part of an imaging organization’s HIPAA compliance plan (assuming one already was in place) in light of the recently implemented Omnibus Rule:
• Conduct a yearly gap analysis/overall assessment of current privacy and security compliance.
• Revise and distribute notice of privacy. The law requires specific revisions, including ones relating to patient authorization for marketing, fund-raising, the right to keep information from health plans if the payment is made with cash, and the notification rules relating to breaches.
• Revise written privacy and security policies and conduct employee education on the changes. This includes changes to the breach notification policy.
• Revise authorization forms. This implements significant revisions to patient access to electronic PHI. Revise policies regarding new access rules for patients requesting information.
• Review business associate relationships and revise business associate agreement. This is a significant part of the new rules relating to changed requirements for the definition of a business associate and subcontractors who may be business associates.
• Review and revise current marketing and sales relationships. This reflects the need to consider the new rules relating to selling PHI to commercial interests. In short, providers must obtain authorization from patients.
• Restrict insurance company access to PHI for patients who pay cash. This requires a serious review of the EMR system.
“The new rules were necessary to add provisions relating to new laws passed under the Affordable Care Act and the HITECH Act,” Kinley says.
New ACA-Based Provisions
Amy Fehn, JD, an attorney at Fehn, Robichaud & Colagiovanni in Troy, Michigan, says independent radiologists are less likely to be involved in fund-raising and providing copies of immunizations to schools, so certain changes will not impact them as much. “The new rules will require changes to certain policies. For example, patients have been given a new right to request that a provider not provide information on a service to a health plan if the patient has paid out of pocket,” she says. “Most HIPAA policies will currently say that a practice has the right to deny such a request, but the new rules do not allow providers to refuse requests in these circumstances.”
Another example is the change in the definition of breach for purposes of the breach notification rule, which requires updates to policies that were drafted in accordance with the interim final rule. Additionally, a new patient now has the right to obtain an electronic copy of information that is maintained in such a format.
“The Omnibus Rule, combined with increased enforcement and some high-profile cases, should help ensure that protected health information is properly safeguarded as the risk of exposure of PHI continues to increase due to the emergence of new technologies and increased sharing of data between providers for care coordination purposes,” says Eric Fader, JD, counsel for Washington, D.C.-based Edwards Wildman Palmer, which advises clients about HIPAA. “All health care providers need to get serious about compliance now.”
Presuming an organization complied with the previous rules, they should focus on the new provisions and upgrade their policies. For example, new business associates should be reviewed in light of the new rule, and providers should no longer receive payment for PHI disclosure without the patient’s authorization.
When the deadline for the Omnibus Rule was set, it seemed radiology providers would have enough time to comply, but challenges did creep in. For example, numerous providers really didn’t understand what steps were needed to comply with the rule and didn’t investigate the help that was available. “The biggest challenge was educating physicians and the service providers they deal with and simply getting them to take the new requirements seriously,” Fader says. “Many busy physicians simply felt that they didn’t have time to deal with administrative issues right away and missed the compliance deadlines.”
Kinley adds that overcoming the administrative burden was another stumbling block. “Many offices have not complied with HIPAA rules in the first place,” he says. “It is mostly an administrative burden to review where there might be security breaches, create policies to prevent breaches, prepare new business associate agreements, provide training to staff, and create polices relating to privacy and security issues. There are very few sources for complete and easy-to-utilize policies for providers.”
Clinton Mikel, JD, a partner with Health Law Partners in Southfield, Michigan, says there was a significant amount of information about compliance on the Office for Civil Rights website, so the US government will likely take the position that those organizations that are noncompliant have no excuse and should be held responsible for their lack of action.
Late, Now What?
September 23 has come and gone, and if you haven’t had time to get everything done regarding the Omnibus Rule changes, there are some immediate steps you should take. “Training employees on how to comply with HIPAA and the HITECH Act and to safeguard patients’ protected health information is probably the most important because any noncompliance at all could trigger substantial penalties if there is a data breach or if a patient reports a HIPAA violation to the Office for Civil Rights,” Fader says. “Also, eliminating unencrypted transmissions of information can prevent a true data breach even if an unauthorized person gains access to a database.”
There is no provision in the rule for an extended deadline for compliance. However, existing business associate agreements that were established before January 25 and were not amended or modified between March 26 and September 23 do not need to be amended until September 22, 2014.
Kinley says there is no penalty for failing to comply by September 23, but there is—and has been for many years—”an ongoing threat of penalties in the form of fines and potential civil lawsuits for any breach that occurs and a failure to have complied with the HIPAA law.” He suggests the best way to avoid this is “by completing a review of office procedures and creating a plan to keep electronic protected health information safe.”
Fehn adds that there is a risk of penalties when a practice is audited or a patient complains, and the resulting investigation reveals noncompliance. Then the penalty would be a HIPAA violation, which would depend on the severity of the situation and whether the violation was related to willful neglect.
The new laws also created new enforcement mechanisms, such as increased civil penalties (up to $1.5 million for violations); audits (The law has been restated to say that the Office for Civil Rights will investigate complaints or conduct compliance reviews.); and state attorneys general have been empowered to investigate privacy violations.
According to Fader, penalties can be severe. If there is a data breach, the monetary penalty can cost $50,000 per incident (up to $1.5 million in a given year for each type of violation). If the provider was aware of HIPAA requirements and followed them but something unforeseeable happened (eg, lost laptop, hacking attack), there likely would be no penalty or only a minimal one. More severe penalties would be levied if the provider willfully neglected the HIPAA requirements. There are two other tiers of possible penalties in between these two extremes, including a penalty for situations when the violation was corrected promptly.
Industry insiders note that law enforcement is expected to ramp up its work in this area. It also is expected that the audits by the Office for Civil Rights will focus first on larger companies and those that have experienced breaches. Audits of smaller offices are expected in the future.
“Things that they may have let slide in the past, they are going to penalize if they catch them,” Mikel says. “If you are investigated through an audit, patient complaint, or a breach at your practice, you can rest assured the Office of Civil Rights is thinking, ‘Can we use this practice to set an example?’ They would get some enforcement buzz and increase compliance by that route.”
According to Kinley, civil law suits already have started. A Walgreens in Indiana was hit with a $1.7 million judgment for information disclosed about one individual.
— Keith Loria is a freelance writer who lives in Oakton, Virginia.