April 2013 Bulletin: Women in Medicine

Understanding Your New HIPAA Obligations

Rebecca Merrill, Esq.

Rebecca J. Merrill, Esq. & Kate L. Auerbach, Esq., Pierce & Mandell P.C.

In 2013, the HIPAA landscape changes for solo practitioners and medical groups alike. The final Omnibus Rule amending HIPAA and the HITECH Act (the "Mega Rule") became effective on March 26 and must be complied with beginning September 23, 2013. This means that solo practitioners and provider groups have only six months to update notices, revise privacy policies and procedures, train employees and possibly revamp systems.

HIPAA Privacy, Security & Breach Notification

The Mega Rule extends the HIPAA privacy and security requirements beyond Covered Entities (i.e., health care providers who electronically transmit health information) to include Business Associates and their Subcontractors. In addition, it modifies the HIPAA breach notification rule. Under the former HIPAA Breach Notification Rule, a Covered Entity had some discretion in evaluating whether a breach of unsecured protected health information (PHI) created a substantial risk of financial, reputational or other harm to an individual, any of which would trigger a report of the HIPAA breach to federal agencies and possibly public outlets. The regulatory amendments eliminate the harm standard and create a presumption that any impermissible use, disclosure or security incident with regard to PHI will trigger breach reporting. Under the new rule, all HIPAA breaches of unsecured PHI must be reported unless the organization can demonstrate that there is no more than a "low probability" that the PHI was compromised. This standard, a four-pronged risk assessment, will likely lead to increased reporting.

Notice of Privacy Practices

Pursuant to the Mega Rule, Covered Entities must update their notice of privacy practices (NPPs) to reflect the changes and then redistribute the NPPs to patients. Required additions to NPPs include the following statements:

• Uses and disclosures of PHI and most psychotherapy notes (if applicable to the entity) for marketing purposes or sale require patient authorization;
• Uses and disclosures not described in the NPP will be made only with patient authorization;
• Patient has a right to opt out of receiving fundraising communications;
• Patient has a right to restrict disclosures of PHI to a health plan for items and services for which the patient has paid in full out of pocket;
• Individuals affected by a breach of unsecured PHI shall be notified of such breach.

Expanded Patient Privacy

Solo practitioners and provider groups must heed the expansion of patient privacy protections afforded by the Mega Rule. In particular, patients now have the right to obtain their health information directly from providers in electronic format. The Mega Rule does not specify the particular form of electronic information so long as it is a readable electronic format (e.g., PDF, simple or rich text, flash drive, CD). If the patient declines to accept the available electronic format readily producible by the Covered Entity, then the patient must accept a traditional hard copy. Most providers already have an electronic format available (e.g., scanner to convert to PDF). While providers can continue to charge patients a reasonable fee, it is limited to supplies, labor and postage and shall not include any portion of provider costs associated with obtaining new technologies.

Changes to HIPAA Enforcement

The Mega Rule also restricts disclosures to a health plan or insurer concerning the treatment for which an individual has paid entirely out of pocket (i.e., no insurer coverage). Specifically, the amendments empower patients to restrict uses or disclosures of their PHI for treatment, payment and health care operations, as well as for disclosures to family members and a limited number of others. This means that Covered Entities, while not required to comply with all patient requests, must agree to requested restrictions that address disclosures to health plans for the purpose of payment or operations when the provider has already been paid in full directly by the patient. It is important to note that all those disclosures required by law will continue to be permitted (e.g., Medicare and Medicaid audits).

The limitations on use and disclosure of PHI for marketing and fundraising have been strengthened by the Mega Rule. In addition, the amendments now prohibit the sale of PHI without individual authorization, which can be revoked at any time. Such authorization must indicate that the provider will receive remuneration (monetary or otherwise) for its disclosure of PHI. The Mega Rule does enumerate specific exceptions to these marketing, fundraising and sale limitations.

Among other changes, the Mega Rule also strengthens the HIPAA enforcement rule. Under the new rule, the Department of Health and Human Services (HHS) will now investigate private complaints of non-compliance when the preliminary review indicates a possible violation due to willful neglect, and will also conduct compliance reviews when there appears to be willful neglect. Resolution of these investigations and compliance reviews may result in increased and tiered civil money penalties (CMPs) as required under the HITECH Act. The increased tiered CMP structure for violations now takes into account whether the Covered Entity or Business Associate should have known of the violation, whether the violation was due to willful neglect or reasonable cause, and whether the violation was corrected within 30 days. HHS will take several mitigating factors into consideration when assigning CMPs.

In light of these significant amendments to HIPAA and the HITECH Act, solo practitioners and provider organizations are strongly encouraged to update training modules and retrain employees to ensure present and ongoing compliance with the Mega Rule.


Rebecca Merrill provides strategic legal counsel to health care providers, including hospitals, clinics, solo practitioners, physician groups, and dental practices, in the areas of business strategy and transactions, fraud and abuse protection, litigation, and regulatory compliance. Rebecca also works with individual practitioners to negotiate employment agreements and resolve employment and licensure matters. Rebecca received her bachelor's degree, cum laude, from North Carolina State University, completed her Master's in Health Administration at Pfeiffer University, and graduated from Suffolk University Law School, magna cum laude, with a concentration in health and biomedical law.

Kate Auerbach represents health care providers and practitioners in corporate, regulatory and transactional matters. Kate has worked extensively with physicians and other health care providers who are selling or purchasing a practice. She is experienced in stock/partnership transactions and asset-only transactions, drafting acquisition documents, and drafting and negotiating employment and service agreements for health care providers. Kate also regularly advises health care practices and other employers on employment issues, including hiring, terminations, discipline, discrimination and harassment issues, leave matters, and handbooks and personnel files. Kate is a graduate of the University of Wisconsin-Madison and a graduate of Suffolk University Law School.