On January 17, 2013, the federal Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued the long-anticipated final omnibus amendments (the "2013 Amendments") to the Privacy, Security, Breach Notification, and Enforcement Rules (the "HIPAA Rules") under the Health Insurance Portability and Accountability Act (HIPAA). The 2013 Amendments are effective as of March 26, 2013, and compliance with applicable requirements generally must be achieved within 180 days, by September 23, 2013 (with important exceptions for existing business associate arrangements). Significant penalties apply for non-compliance.
This article presents a very concise listing of the requirements that impact your ob/gyn practice. Due to space limitations, we can't go into a great amount of detail (the actual federal document is 136 pages). Additionally, some of the amendments, such as those pertaining to fundraising and the Genetic Information Nondiscrimination Act of 2008 ("GINA"), don't apply to most ob/gyn practices.
Here are the highlights and areas that need your immediate attention.
Expansion of Rule's Application: Definition of Business Associate
The 2013 Amendments greatly expand the definition of a "business associate" and thus the application of HIPAA. Subcontractors of business associates (and their subcontractors) that create, receive, maintain, or transmit PHI in performing a function, activity, or service delegated by the business associate to a subcontractor are now included. A covered entity must obtain satisfactory assurances in the form of a written contract or other arrangement from each business associate, and in turn, each business associate must do the same with regard to each subcontractor that handles PHI on its behalf. Your responsibility is to be certain that your Business Associate Agreements (BAAs) are in place. You are not responsible for making certain that subcontractors of your business associates have the appropriate assurances.
Advice: Review your business relationships to make certain that current BAAs are in place with those associates covered by HIPAA.
Broader Definition of Who Is a Business Associate
The Amendments expand the business associate definition to include an entity that "maintains" PHI (in addition to creating, receiving, or transmitting it). This includes organizations such as health information organizations (HIOs, more commonly known as Regional Health Information Organizations, or "RHIOs"), vendors of personal health records, and others that facilitate data transmission.
Advice: If you are participating in a RHIO, make certain that you have a BAA in place.
Covered entities and business associates (including their subcontractors) must ensure compliance, including by entering into written agreements, by September 26, 2013.
Change in the Breach Rules
The 2013 Amendments modify the definition of breach (of PHI or EPHI) by providing that an impermissible use or disclosure of PHI is presumed to be a breach, unless it can be demonstrated that there is a low probability that the PHI has been compromised. The determination of compromise is based on a four-part risk assessment that takes into consideration: (a) the nature and extent of the PHI involved in the breach; (b) the unauthorized person who used the PHI or to whom the disclosure was made; (c) whether the PHI was actually acquired or viewed; and (d) the extent to which the risk to the PHI has been mitigated. If the risk assessment fails to demonstrate that there is a low probability that any PHI has been compromised, breach notification is required.
The new Amendments require covered entities to notify each affected individual whose unsecured PHI has been compromised. Even if the breach is caused by a business associate, the covered entity is ultimately responsible for providing the notification (although the covered entity may delegate the breach-response notification to the business associate). Moreover, a business associate's knowledge of a breach, as well as a workforce member's, will be imputed to the covered entity. If the breach involves more than 500 persons, OCR must be notified; under certain circumstances, the breach must be made public through local media. The HIPAA-covered entity bears the ultimate burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach, and must maintain supporting documentation, including documentation pertaining to the risk assessment.
Advice: Since HIPAA became law over ten years ago, we have witnessed a number of low-level breaches of PHI in ob/gyn practices. Most of these were unintentional, but they are potentially harmful to the practice. Routine retraining of staff on the importance of following the HIPAA Rules is a must.
Changes to the Notice of Privacy Practices (NPP)
Although the 2013 Amendments do not require the NPP to include all situations requiring authorization, the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes, marketing disclosures, and sale of PHI do require prior authorization. It must also state the right of the individual to be notified in case of a breach of unsecured PHI. OCR clarifies that distribution by covered entities of new NPPs to individuals is required because the changes to the NPP requirements are material.
Patients' Right to Restrict Disclosures; Right of Access
Under the auspices of the HITECH Act, the Privacy Rule was amended to require a covered entity to restrict, upon request, the disclosure of an individual's PHI to a health plan, if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law. The PHI must pertain solely to a healthcare item or service for which the individual has paid the covered entity in full. In the new Amendments, OCR clarifies that the adopted provisions do not require covered healthcare providers to create separate medical records or otherwise segregate PHI subject to a restricted healthcare item or service; rather, providers need to employ a method to flag or note restrictions on PHI to ensure that such PHI is not inadvertently sent or made accessible to a health plan.
The new Amendments add a rule requiring a covered entity to provide a copy of PHI to any individual requesting it in electronic form. The electronic format must be provided to the individual if it is readily producible. However, OCR clarifies that covered entities need only provide individuals with an electronic copy of their PHI, not direct access to their electronic health record systems. The Amendments restrict the fees that covered entities may charge for handling and reproduction of PHI: fees must be reasonable and cost-based, and must separately identify the labor cost of copying PHI (if any). The time allowed for providing this information to a patient has decreased from up to 90 days to 30 days, with a one-time extension of 30 additional days.
L. Michael Fleischman