By Justin Vaughn, M.Div, CPC
Director of Compliance
The federal government has published a Final Rule that provides for sweeping changes in the HIPAA compliance, security, and privacy standards. The 563-page rule is massive in scope, and complex in content, but its key elements can be summarized as follows:
Compliance Date. While the effective date of the Final Rule is March 23, 2013, you will have until September 23 of this year to comply with most of its components.
Definition of Business Associate. The definition of “Business Associate” (BA) has been broadened to include anyone who “creates, receives, maintains, or transmits PHI.” Examples of entities that may or may not fall into the BA category are listed below.
- Examples of BAs include patient safety organizations, health information organizations, e-prescribing gateways, entities who offer personal health records to patients on behalf of a covered entity, and entities that provide data transmission services of PHI. Data storage companies are also considered BAs, regardless of whether or not they actually view the PHI, because they maintain PHI for covered entities. Shredding companies are BAs. Additionally, subcontractors of BAs are considered BAs, although the covered entity does not need to get a BAA (Business Associate Agreement) from the BA’s subcontractor. However, a BA will have to obtain a BAA from its subcontractor.
- Examples of non-BAs include companies that act as mere conduits for the transmission of PHI, such as physical courier services (UPS/FedEx/Post Office) or electronic transmission couriers (internet service providers). Banks and financial institutions that merely process payments are not BAs. An insurance plan that merely offers insurance services is not a BA (unless it performs risk management or legal services, such as handling a malpractice suit for the covered entity in which it accesses PHI).
Fax and Copy Machines. Some copy and fax machines have hard drives, with copies of PHI being stored thereon. Before the machine is turned back over to the leasing company or otherwise discarded, all stored PHI must be removed. In addition, while these machines are still in use, steps must be taken to disallow inappropriate access to any internal PHI. This means you will need to add an analysis of fax and copy machines to your mandated HIPAA compliance & risk assessment.
Mandatory Investigations. The Rule mandates that the Department of Health and Human Services (DHHS) must investigate and impose a fine for any “possible” HIPAA violation occurring due to “willful neglect.”
Vicarious Liability for Acts of Business Associate. A covered entity (CE), such as a healthcare provider, will be held liable for the acts of its BAs, if those BAs are determined to be “agents” of the CE. The test of agency turns on whether or not the CE has the right to control the BA’s conduct during the course of the BA performing a service on behalf of the CE. Typically, a BA is not an agent if it enters into a BAA where the terms of the service are controlled by the BAA, and the CE cannot direct, on an interim basis, the BA’s services. Therefore, the less control the CE has over the BA’s functions, the less likely the CE is to be liable for the BA’s HIPAA compliance.
Vicarious Liability for Members of Workforce. Both the CE and BA are vicariously liable for the HIPAA breaches of their workforce members. This means if your workforce members violate HIPAA (e.g., they steal PHI, lose a laptop, or send an unencrypted email), the corporate entity is financially responsible.
Expanded Liability of Business Associates. BAs are now liable to the same extent as CEs for violations of HIPAA. BAs must follow the Security Rule’s administrative, physical, and technical safeguard requirements in 45 CFR 164.308, 310, and 312, as well as adopt policies and procedures pursuant to the documentation standards in 164.316. The costs of implementing the Security Rule should be proportional to the BA’s size and resources. BAs are now directly liable under HIPAA standards for:
- Impermissible uses and disclosures of PHI
- Failure to provide breach notification to the CE
- Failure to provide access to electronic PHI to the CE, patient, or patient’s authorized representative
- Failure to disclose PHI when requested by DHHS to investigate HIPAA compliance
- Failure to provide an accounting of disclosures
- Failure to comply with the requirements of the Security Rule
- Failure to comply with certain components of the Privacy Rule, such as the use of the minimum necessary standard when using or disclosing PHI (although the BA does not need to appoint a Privacy Officer or provide a notice of privacy practices)
- Failure to obtain a BAA from its subcontractors to whom it gives PHI
- Failure to terminate a BAA with a subcontractor it knows is in noncompliance with the BAA
- Failure to return or destroy all PHI received or created by it during the existence of the BAA, if feasible
- Failure to contractually abide by the permissible uses and disclosures set forth in the BAA
Penalties. The Final Rule sets forth the following fines and penalties for poor HIPAA compliance or violations:
- $100-$50,000 for each violation where the CE did not know, and would not have known, of a violation, even by exercising reasonable diligence
- $1,000-$50,000 where the violation was due to reasonable cause, but not willful neglect
- $10,000-$50,000 where the violation was due to willful neglect, but corrected within 30 days
- A minimum of $50,000 where the violation was due to willful neglect and not corrected within 30 days
There is a maximum penalty of $1.5 million for each type of violation within a calendar year; however, there may be multiple $1.5 million caps in a given year if there are multiple types of violations.
Patient Consent Required. The CE must obtain an authorization, signed by the patient, for the following circumstances:
- The CE receives financial remuneration from a third party vendor for sending communications to the CE’s patients, including treatment information, where the information also encourages the patient to purchase the third party vendor’s products or services. (The CE must disclose in the authorization that it is receiving financial remuneration from the third party. The authorization must include a provision that the patient may revoke the authorization at any time he wishes to stop receiving the vendor’s marketing material.)
- The CE receives anything of value in exchange for the sale, access to, lease or license of, PHI. (For example, if a CE is offered an iPad in exchange for accessing PHI, it must obtain an authorization from the patient to allow such access.)
Fundraising Communications. Although fundraising communications to patients do not need a signed authorization from the patient, any fundraising materials must include a conspicuous opportunity and an inexpensive mechanism for the patient to opt out of receiving any further fundraising communications (e.g., an unsubscribe link on an email solicitation).
Providing Electronic Copies of Records to Patients. The CE or BA must provide the patient, upon request, an electronic copy of their medical records, if the CE or BA maintains such records electronically.
Must Submit New Business Associate Agreements. CEs must amend their BAAs to incorporate all the additional liabilities of the BA set forth above. There is some disagreement as to when these BAAs must be executed, based on the various legal analyses I’ve reviewed, as well as the Final Rule language itself. One analysis indicated that the amended BAAs will need to be submitted to your BAs for their signature by either March 23, 2014 or the date each existing BAA rolls over (if applicable), whichever is earlier. Another analysis suggested that for BAAs that were compliant, unmodified and in place prior to January 25, 2013, the CE would have until September 23, 2014 to execute the amended BAAs. For BAAs that did not meet the above conditions, the compliance date for executing a compliant BAA would be September 23, 2013. We will update you once these BAA compliance dates are clarified. In the interim, our own BAA is being revised and will be available prior to any such deadline.
Record Retention. For HIPAA compliance, CEs and BAs are required to make an accounting of disclosures to patients for up to six years. These entities would therefore need to retain records containing PHI for that period of time.
Providing PHI of Deceased Patients. The former rule limited disclosure to the deceased patient’s authorized representative. That rule is now modified to permit (but not require) disclosure to family members and others involved in the deceased patient’s care or payment for that care prior to death. However, disclosures to such individuals must be limited to PHI related to that individual’s role in the deceased patient’s life. If the CE is uncomfortable with disclosing PHI because of questions concerning the individual’s relationship with the decedent, the CE is not required to disclose PHI to that individual.
Facility’s Notice of Privacy Practices. A CE’s Notice of Privacy Practices (NPP) must include separate statements about its permitted uses and disclosures of the patient’s PHI that the CE intends to make, including intended uses for “TPO” (treatment, payment, and healthcare operations). It must also disclose the patient’s rights and the CE’s obligations under HIPAA. Many anesthesia groups operate exclusively under an Organized Healthcare Arrangement (OHCA) with their facilities, whereby the anesthesia group uses the Notice of Privacy Practices of the hospital or ASC. If that is the arrangement under which you are operating, you should obtain a copy of each facility’s Notice of Privacy Practices to see what you are agreeing to do and not do with regard to the patients’ privacy rights, as well as your own privacy obligations.
Group’s Notice of Privacy Practices. If your anesthesia group does not wish to adopt the facility’s Notice of Privacy Practices, or if you are a chronic pain group, your current Notice of Privacy Practices must be amended to include the following statements:
- A patient authorization (consent form) will be required for most uses and disclosures relating to psychotherapy notes.
- Uses and disclosures for marketing purposes require an authorization.
- Disclosures that constitute the sale of PHI require an authorization.
- Other uses and disclosures of PHI not described in the Notice of Privacy Practices will be made only with a signed authorization from the patient or authorized representative.
- The patient has a right to opt out of all fundraising communications.
- Patients have a right to request non-disclosure of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.
- Patients will be notified following a breach of unsecured PHI.
If you maintain a website, the revised Notice of Privacy Practices must be posted thereon by the earlier of September 23, 2013 or the implementation date of the new Notice of Privacy Practices. Within the same time frame, you must post the new Notice of Privacy Practices at your office in a “clear and prominent location.” While you do not have to print and distribute the revised Notice of Privacy Practices to all your existing patients, you must have copies readily available to give them if they request it. In addition, you must give the revised Notice of Privacy Practices to all new patients. Finally, although you can post a summary of the revised Notice of Privacy Practices in lieu of the full NPP (since it is longer than one page), you must have the full notice in plain view for the patients to pick up and take with them.
Sending Electronic Copy to Third Party. Currently, if a patient signs an authorization to send his/her records to an attorney or other third party, the CE sends a copy of the paper records to that person. The Final Rule provides that the patient can now request that an electronic copy be sent to that person, and the CE or BA must comply. The patient’s request to send an electronic copy must:
- Be in writing
- Be signed by the patient or authorized representative
- Clearly identify the person to whom the records are to be sent
- Specify where to send the PHI
The “in writing” requirement can be satisfied by “electronic documents” (e.g., a PDF). Under federal law, electronic signatures can substitute for written signatures in such a request. If the request was sent electronically, the CE must try to verify the identity of the person requesting the PHI (e.g., call and verify), and must make sure the email address of the recipient is entered correctly.
The CE or BA may charge its labor costs in responding to a request for electronic copies, including the cost of skilled or technically trained, higher paid employees to search for, compile, extract, scan, and burn PHI to media and then distribute the media. Out-of-pocket costs for CDs or USB drives on which the PHI is stored and sent to the third party, along with postage, can also be charged. On the other hand, costs of maintaining storage and infrastructure are not reasonable, cost-based fees, and are not recoverable. However, if state law limits the amount one can charge for providing records, the CE or BA must charge the lesser of the reasonable cost-based fee under HIPAA and the state law amount.
Modifications to the Breach Notification Rule. Under the provisions of the HITECH Act, a breach of unsecured PHI requires notification to (a) the patient, (b) DHHS, and (c) the media (where more than 500 patients are involved). No notification is required where the PHI is “secured,” i.e., where it is encrypted, de-identified, or where a hard drive is destroyed. Under the Final Rule (45 CFR 164.402), an impermissible use or disclosure of PHI is presumed to be a breach (and therefore requires notification), unless the CE or BA “demonstrates that there is a low probability that the PHI has been compromised.” The burden of proof is on the CE or BA to show that its decision not to notify met the “low probability that the PHI has been compromised” standard. In light of this change, you may want to modify your Risk Assessment Form so that it includes an analysis of whether or not there exists a “low probability that the PHI has been compromised.”
Risk Assessment Form and Analysis. As stated immediately above, the CE or BA must complete a Risk Assessment Form upon a breach of unsecured PHI. Per the Final Rule, that form must now contain an analysis of at least the following four factors:
- The type of PHI involved
- The unauthorized person who used or accessed the PHI, or to whom it was disclosed
- Whether the PHI “was actually acquired or viewed”
- The “extent to which the risk to the PHI has been mitigated”
Discovery of a Breach. The CE or BA has 60 days to notify relevant parties in the event of a breach of unsecured PHI. That 60-day period runs from the date of discovery of the breach. The date of discovery of the breach runs from the date that “any person, other than the individual committing the breach, that is an employee, officer, or other agent” of the CE or BA “knows or should reasonably have known of the breach.”
Notification to the Media, et al. The following rules apply:
- For breaches involving more than 500 patients in a given state, a prominent media outlet must be notified. Such an outlet may be a major, general interest newspaper with a daily circulation throughout the entire state, but would not include a newspaper serving only one town, or distributed on a monthly basis, or a daily newspaper relating only to limited interests, such as sports or politics.
- If there are more than 500 people affected in a single city, then a general interest newspaper with a daily circulation limited to that city is sufficient.
- The notification to the media is only required if there are more than 500 affected patients in a single state.
- However, if there are more than 500 patients involved, regardless of where they live or the number of CEs involved, DHHS must be notified within 60 days.
- If there are fewer than 500 patients involved, DHHS only needs to be notified within 60 days after the end of the calendar year in which the breach was discovered. The year-end notification forms can be found at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
- If the breach occurs due to impermissible uses or disclosures by the BA, then either the BA or the CE, but not both, should notify the relevant parties.
Requests from Law Enforcement for Delayed Notification. Under the Final Rule, the 60-day notification period can be delayed if requested by law enforcement. However, for an oral request, the delay is limited to an additional 30 days, and even then you must document the request and identity of the official. In order to obtain a delay longer than 30 days, you must obtain a written statement from law enforcement stating that notification would impede a criminal investigation or cause damage to national security.
New Training Requirements. Based on the change in the breach notification standard from “significant harm to the patient” to a “presumed breach unless there is a low probability that PHI has been compromised,” the Final Rule requires that all CEs and BAs train their workforce “about what constitutes a breach and on the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured PHI.”
Revised Policies and Procedures. The Final Rule requires CEs and BAs to update their written policies and procedures to reflect changes to the Breach Notification Rule, i.e., the policies and procedures must now state that the standard for notification to patients, media, and DHHS of a breach has changed from “significant harm to the patient” to a “presumed breach unless there is a low probability that PHI has been compromised.”
State Breach Notification Laws. BAs and CEs must comply with both state and federal breach notification laws, recognizing that some states have more onerous breach notification provisions than HIPAA.
Failure to Notify. If a CE or BA fails to provide breach notification to patients, DHHS, or the media, the Office of Civil Rights (OCR) of DHHS may impose civil monetary penalties under the Enforcement Rule.
Each Day of Noncompliance is Another Violation. Per 45 CFR 160.406, a separate violation occurs each day the covered entity or business associate is in violation of a provision of the HIPAA compliance standards.
Affirmative Defenses. DHHS may not impose a civil monetary penalty on a CE or BA if the violation is:
- Not due to willful neglect
- Corrected during either (a) the 30-day period beginning on the first date the entity knew or should have known of the violation, or (b) such additional period as DHHS deems appropriate under the circumstances.
Medac recommends that you work with your healthcare attorney or HIPAA consultant to make the necessary changes to your HIPAA compliance forms that will allow you to be in full compliance with these new regulations by the compliance date. I want to thank attorney David Vaughn of Baton Rouge, La. for his invaluable research of the Final Rule. The above summary was largely adapted from his helpful articles on this subject.
The information presented herein reflects general information that is current as of the date it was first published. In light of changes that may occur in the health care regulatory and compliance environments, the author’s presentation of this information might become outdated. Please check with your individual legal and/or compliance advisor(s) prior to taking any significant actions based upon the information and advice presented.