HIPAA Privacy & Security Omnibus Changes 2013

The Federal Government has published modifications to 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. The effective date of the final rule is March 26, 2013. Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.

The following provides guidance on key changes associated with the Final Rule and the impact of these rules on physician practices. Impacted forms and policies and procedures associated with your purchased Medical Office Compliance Toolkit have been updated to reflect any applicable Final Rule changes. Please note: the HIPAA Security Business Associate Agreement sample form provided in the toolkit already contains the updated provisions and therefore no updates are required. Updated documents can be downloaded free of charge through your online account.

Updated forms include the following:
1. HIPAA Privacy_Notice of Privacy Practices
All Rights Reserved, 2013

Summary of the Final Rule Changes

Modified Definition of Breach and When a Breach Notification is Required:

In the event of a breach of unsecured protected health information, a covered entity or business associate is required to conduct a risk assessment. Previously, the purpose of the risk assessment was to determine whether the breach poses a significant risk of financial, reputational, or other harm to the individual. A breach was not considered to have occurred if the covered entity or business associate was able to demonstrate either that the disclosure fell under one of the breach exclusions or that the risk assessment determined the breach did not pose a significant risk of financial, reputational, or other harm to the individual.

The Final Rule modified the following: the purpose of the risk assessment is now to require that the covered entity or business associate demonstrate that there is a low probability that the protected health information has been compromised. The risk assessment is required to assess, at a minimum, the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. In other words, examine the sensitivity of the identifiers involved and the likelihood of re-identification. Identifiers include:
   i. Names
   ii. Geographic information (e.g. state, address, zip codes)
   iii. Dates related to the individual (e.g. date of birth, date of admission/discharge)
   iv. Phone numbers
   v. Email addresses
   vi. Social Security Numbers
   vii. Account numbers or health plan numbers
2. Whether the unauthorized person who received the information has obligations to protect the privacy and security of the information.
3. Whether the protected health information was actually acquired or viewed. In the risk assessment, consider the distinction between actual acquisition or viewing of unsecured protected health information versus the opportunity for the information to be acquired or viewed, to determine the probability of impermissible use or disclosure, as in the following example from the Final Rule: a laptop computer was stolen and later recovered, and a forensic analysis shows that the protected health information on the computer was never accessed.
4. The extent to which the risk to the protected health information has been mitigated, for example by obtaining a signed confidentiality agreement from the recipient.

There was also an exception under which a breach notification was not required for limited data sets that do not contain any dates of birth or zip codes. This exception has now been removed in the Final Rule. As such, a risk assessment is now required for all situations involving an impermissible use or disclosure of protected health information to determine whether a breach notification is necessary. The new rules clarify that there is no need to have an independent entity conduct the risk assessment and that no risk assessment is required if a breach notification is made.
The breach notification requirement may also be delegated to a Business Associate, and your practice is encouraged to coordinate with its Business Associate so that patients receive only one notification of a breach.

Breach notification involving fewer than 500 individuals: The Final Rule changed the reporting deadline so that covered entities are required to notify the Secretary of all breaches of unsecured protected health information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were discovered, instead of the calendar year in which the breaches occurred. All other reporting and timeframe requirements remain the same.

Modified Use and Disclosures of PHI:

Marketing and Sale of PHI

A covered entity must obtain an authorization for any use or disclosure of protected health information for marketing or for the sale of protected health information. Under the Final Rule, the prior written authorization requirement extends to licenses or any type of lease agreement, and applies when the covered entity or business associate directly or indirectly will be receiving remuneration (payment) from or on behalf of the recipient of the protected health information in exchange for the protected health information. Sale of protected health information does not include a disclosure of protected health information:

- For public health purposes pursuant
- For research purposes where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes
- For treatment and payment purposes
- For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence efforts
- To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor
- To an individual
- Required by law

Disclosures to Health Plans

Under the Final Rule, patients may request that physicians not disclose to health plans information about care the patient has paid for out-of-pocket, unless the disclosure is for treatment purposes or, in the rare event, is required by law. Under the previous HIPAA Privacy Rules physicians could refuse to abide by any such request; however, the new rule requires physicians and other health care providers to abide by a patient's request not to disclose PHI to a health plan for those services for which the patient has paid out-of-pocket and requests the restriction.

Use and Disclosures for Genetic Testing

The Final Rule imposes new restrictions on the disclosure of protected health information containing genetic information. The Rule now prohibits group health plans and any insurance issuer from using or disclosing genetic information for underwriting purposes. Genetic information is defined as information about:

- An individual's genetic tests;
- The genetic tests of family members of the individual;
- The manifestation of a disease or disorder in family members of such individual; or
- Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
Genetic information excludes information about the sex or age of an individual.

Immunization Records (UPDATED In Policy)

The final rule added new language that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself if the individual is an adult or emancipated minor. The final rule additionally requires that covered entities document the agreement obtained under this provision. For example, if a mother calls to request that immunization records be disclosed to the child's school, then the practice would simply make a note in the patient record regarding the call.

PHI of Deceased Individuals

Under the Final Rule, a covered entity must comply with the requirements of [the HIPAA Privacy Rule] with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual. A point of clarification, though: the 50-year period of protection is not a requirement to retain medical record information for that duration. Medical record retention requirements are still subject to State or other applicable laws. The new rule allows a covered entity to disclose to a family member, or other persons who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

Providing Electronic PHI

The Final Rule expands individuals' rights to receive electronic copies of their health information.
Practices must provide access to electronic records in the format requested by the individual, so long as the information is readily producible in that format. Covered entities are also permitted to transmit PHI through unencrypted email as long as the requesting individual has been advised of the risk and still requests that form of transmission. In addition, under the Final Rule, a covered entity will now have 30 days to respond to a patient's request for their PHI, with one 30-day extension, regardless of where the records are being kept. Under the prior rule, practices had a 60-day timeframe for records maintained offsite.

Fees for Providing e-PHI or PHI

The Final Rule changed the costs that a practice may charge for providing copies of PHI. A covered entity may include labor costs for extracting e-PHI and supply costs if the patient requested paper copies or, if electronic, the cost of the portable media used to provide the e-PHI (e.g. thumb drive, CD). Note: State laws may impose different rules; your practice should check whether State laws differ.

Updates to the Notice of Privacy Practices (NPP):

Covered entities will need to update their NPPs to reflect the changes implemented under the Final Rule. Updates should include the revised provisions for breach notification, disclosures to health plans, and marketing and sale of PHI. If a covered entity engages in fundraising, it will also need to update its NPP to inform patients of their right to opt out of those communications.
The Final Rule also eliminated the requirement to include information on communications regarding appointment reminders, treatment alternatives, or health-related benefits/services in your NPP. However, practices may still provide this information if they choose. Once the NPPs are updated, make sure to post the revised NPP in your practice and also update the NPP on your website (if applicable).

Changes to Business Associates and Business Associate Agreements:

Prior to the Final Rule, the business associate was only required to provide satisfactory assurances related to the HIPAA Privacy and Security Rules through the business associate agreement (contract), which meant enforcement of the HIPAA Security Rules against the business associate was contractual, via the covered entity. Now business associates and their subcontractors are under direct federal regulation and have direct liability for compliance with HIPAA standards. In other words, the business associate and its subcontractors must protect and safeguard protected health information in the same manner as a covered entity.

A Business Associate Agreement is still required between a covered entity and a business associate. However, the Final Rule indicates that a covered entity is not required to enter into a business associate agreement with a subcontractor of a business associate; rather, this is the obligation of the business associate that has engaged a subcontractor to perform a function or service that involves the use or disclosure of protected health information. The Final Rule defines a subcontractor as a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.

Other changes associated with Business Associates include:

- Since BAs are now directly liable for violations, a covered entity is no longer required to report failures of its BAs to the government when termination of the business associate agreement is not feasible.
- The Business Associate is now also subject to the application of civil and criminal penalties for violations of any of the security provisions in the same manner as they apply to a covered entity that violates such security provisions.
- The Final Rule slightly modified the definition of a Business Associate as an entity or person that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. As such, the new rule would include organizations like e-prescribing gateways, health information exchanges or personal health record vendors.

Covered entities should review their relationships with current vendors and determine if any of them should now be treated as a business associate under the new guidelines. Also, covered entities need to evaluate their Business Associate Agreements to determine if modifications or new agreement provisions are necessary. Covered entities have until September 23, 2014 to bring all their BA agreements into conformance with the new rules.

Enforcement and Civil Money Penalties (CMP):

The Final Rule clarifies the tiered structure related to civil monetary penalties (CMPs) that can be imposed for violations of HIPAA regulations. These penalties apply to both medical practices and their business associates. The tiered structure for imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:

- Unknowing. The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of the violation.
- Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
- Willful Neglect Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- Willful Neglect Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.

The corresponding tiers of CMP relating to each level of culpability are as follows:

Violation Category              Each Violation        Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing                       $100 to $50,000       $1,500,000
Reasonable Cause                $1,000 to $50,000     $1,500,000
Willful Neglect Corrected       $10,000 to $50,000    $1,500,000
Willful Neglect Not Corrected   At least $50,000      $1,500,000

Under the Final Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, in determining the amount of a CMP, HHS must consider the following:

- The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred;
- The nature and extent of the harms resulting from the violation, including whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual's reputation and whether the violation hindered an individual's ability to obtain healthcare;
- The history of prior compliance, including previous violations; and
- The financial condition of the covered entity or business associate, including whether financial difficulties affected the ability to comply and whether the imposition of the CMP would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.
Defenses to CMPs

The Final Rule limits the ability of the Secretary to impose CMPs for certain violations of HIPAA occurring after Feb. 18, 2009. Specifically, the Secretary may not impose CMPs for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period determined by the Secretary to be appropriate based on the nature and extent of the failure to comply. This defense, however, is not available for violations due to willful neglect. Thus, to the extent possible, a covered entity or business associate that discovers a violation of HIPAA that is not due to willful neglect should endeavor to (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violation; and (iii) document the date on which it implemented the correction, in order to establish a basis for asserting the affirmative defense to the imposition of CMPs for the violation.
The information contained herein is not intended to be legal advice provided by AAPC and should not be relied upon as a substitute for legal advice or opinion. This material may not be applicable to, or suitable for, the specific circumstances or needs of the reader, and may require additional consideration of other factors or information not described herein.

For a complete copy of 45 CFR Parts 160 and 164, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, go to http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf