Read on to learn how the Final Rule is changing HIPAA’s privacy and security provisions, and review the action item list we’ve included at the end.
Key Changes in the HIPAA Final Rule
1. Breached Until Proven Not Breached
Until now, a breach was reportable only if there was a “significant risk of financial, reputational or other harm” due to compromised information. Under the new regulations, the Covered Entity (CE) or Business Associate (BA) must demonstrate “that there is a low probability that the protected health information has been compromised.”
In other words, any loss or inappropriate disclosure of data is now presumed to be a breach unless the CE can demonstrate otherwise. Organizations must conduct a “four factor” risk assessment which includes:
- The nature/extent of information;
- The person(s) who disclosed and/or received the PHI;
- Whether the PHI was actually acquired or viewed; and
- The extent the risk to PHI was mitigated.
Unless the risk assessment demonstrates a low probability that PHI was compromised, a breach notification will be required.
2. Increased Penalties
The penalties for non-compliance have increased. The new maximums are $50,000 per violation, with an annual limit of $1.5 million for violations of the same HIPAA provision in a calendar year. Penalties are assessed based on a four-tiered level of culpability, ranging from the CE or BA not knowing about the violation, to “willful neglect” and failing to correct the violation. For more information and some examples from HHS, see: HIPAA-Violation-Examples
3. New Requirements for Business Associate Agreements
Business Associates are now required to comply with HIPAA, are directly liable for compliance, and must have their own Business Associate Agreements (BAAs) with their subcontractors. This doesn’t mean a CE must have agreements with the BA’s subcontractors; however, it must have agreements with its own subcontractors, and BAs have to do the same with theirs. The additional and revised provisions must be included in the BAAs. Any BAA in place prior to January 25, 2013 will be grandfathered in and may continue until it expires, renews, or until Sept 24, 2014, whichever comes first.
4. New Notice of Privacy Practices
CEs must update their Notice of Privacy Practices (NPP) to include key situations involving access to PHI. To make sure patients are aware of the changes, the updated NPP must be posted in offices, new patients must be given a copy, and CE websites must be updated with the new information. Notices must include statements that:
- Describe the types of uses and disclosures that require authorization under HIPAA, including most uses and disclosures of psychotherapy notes; uses and disclosures for marketing purposes; and disclosures that constitute a sale of PHI; and state that other uses or disclosures not listed in the NPP will require authorization
- Inform individuals that they have the right to opt out of fundraising and marketing communications
- Inform individuals that they have the right to pay out-of-pocket for a service and the right to require that the CE not submit PHI to the individual’s health plan about those out-of-pocket services
- Inform individuals that the CE has a duty to notify affected individuals of a breach
5. Access to PHI in Electronic Form
The HITECH Act required CEs who maintain electronic medical records to provide patients with electronic copies of their PHI upon request. The Final Rule will require CEs to provide that electronic PHI in a format requested by the individual (provided that format is readily producible), such as burned to a CD or DVD, or in another mutually agreed upon, readable electronic format. The Final Rule also requires a covered entity to transmit PHI directly to a third party if directed to do so in writing by the patient.
6. Other Notable Changes:
- Immunization information can be provided to a school if the school is required by law to have it and if the parent or guardian gives written permission.
- Processes for getting patient authorization to use health data for research purposes have been streamlined: “compound” authorizations (those combined with other authorizations) are now permitted, and authorizations no longer have to be study-specific.
- Insurance companies cannot use genetic information for coverage and cost determinations (does not apply to long-term care plans).
- CEs can disclose PHI to a decedent’s family and others involved in the individual’s healthcare or payment. Additionally, health information is no longer PHI after the patient has been dead for 50 years.
Action Items for HIPAA Readiness:
- Update PHI breach investigation and breach risk/notification analysis policies to reflect the change from a “risk of harm” standard to a “presumption of breach” standard. Be sure to include the four factors in the risk assessment.
- Review vendors and subcontractors to determine if they are Business Associates.
- Update Business Associate Agreements for new BAs and for those whose contracts have renewed since January 25, 2013.
- Update Notice of Privacy Practices; post the updated NPP on your website, and distribute the new NPP to individuals.
- Update your Release of Information forms to include the changes related to research, child immunization proof to schools, and access to decedent information.
- Ensure you have technical means to provide copies of individuals’ PHI in a readable, electronic format.
- Work with your EMR vendor to make sure you can exclude services the patient has paid for in full out of pocket from reports to insurance companies.
- Train your staff on the new regulations.
This article is meant to highlight some of the HIPAA Final Rule key changes and action items, but is not a complete listing. For the complete rule and more information about deadlines, please visit hhs.gov.