Friday, 27 September 2013 00:00
Early this year, the HIPAA Omnibus Final Rule changed the HIPAA requirements, with a compliance deadline of September 23, 2013. Numerous authorities have provided lengthy interpretations and extensive guidance for covered entities. Now that the deadline has arrived, people are asking the question: "Did we do all that we need to do to be in compliance?"
In my extensive review of the topic, including the 138-page Federal Register publication of the rule, it appears that these requirements can be synthesized down to four (4) categories that should be addressed. For my purposes here, I will limit my comments to items that may apply to hospital-based medical practices (radiology, anesthesiology, pathology, and emergency medicine), imaging centers, and the billing companies that submit claims on their behalf.
Business Associate Agreements (BAA)
Covered Entities should review all business relationships to evaluate which business partners, vendors, and suppliers must have a BAA under the new rules. For example, lawyers are now considered Business Associates under the expanded definition. The new rules have also been expanded to cover subcontractors of Business Associates that may have access to protected health information (PHI). Such a subcontractor should have its own BAA with the Covered Entity's Business Associate (not with the Covered Entity itself).
An updated BAA should include language requiring the Business Associate to comply with the Security Rule and the new Breach Notification Rule. Covered Entities are no longer required to report a Business Associate's failures to the government when termination of the BAA is not feasible, since the government can now impose liability directly on the Business Associate.
BAAs that were not renewed or modified between March 26, 2013, and September 23, 2013, will be deemed compliant until the date the BAA is renewed or modified or until September 22, 2014, whichever is earlier. Covered Entities and Business Associates might consider using the American Medical Association (AMA) sample BAA as a template.
Notices of Privacy Practices ("NPPs")
The updated HIPAA regulations significantly change the content of the Notice of Privacy Practices (NPP) that a Covered Entity is required to maintain and distribute to patients.
These changes include: a) describing the uses and disclosures of protected health information (PHI) for which an authorization is required from the patient; b) stating that any uses or disclosures not described in the NPP require the patient's authorization; c) describing the right of a patient to restrict certain disclosures of PHI to a health plan where the individual pays for the service in full out-of-pocket; d) describing an individual's expanded right to receive electronic copies of his or her health information; and e) informing patients of their right to be notified in the event of a breach of unsecured PHI.
The new NPP should be redistributed to existing patients concurrent with the effective date of the revisions. Covered Entities with websites should post the updated notice on their websites. Where applicable, it should be posted in a prominent location at the site of service. New patients should be provided a copy at the time of service. Existing patients should receive a copy or a link with the next monthly statement.
In my most recent visit to my physician's office, I was asked to sign a summary of the NPP, which indicates that I have received and reviewed the full NPP. In fact, I was not provided with the full/actual NPP to review. It was not posted in the waiting room either. As a former compliance officer myself, I asked the receptionist for a copy of the full document. Sadly, she had no clue what I was asking for. Please see the last paragraph, on educating employees, for more information on how to be prepared for such questions. Covered Entities and Business Associates might consider using the American Medical Association (AMA) Sample Notice of Privacy Practices as a template.
Review and update your HIPAA Manual, including breach response policies
Privacy policies need to be updated to reflect the changes to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The following are important changes that a Covered Entity needs to consider when updating its privacy policies.
Breach standard. The Omnibus Rule changed the standard for determining whether a breach of unsecured PHI has occurred, and thus when a provider must follow the notification requirements under HIPAA: an impermissible use or disclosure is now presumed to be a breach unless the provider can demonstrate a low probability that the PHI has been compromised. Who must be notified, however, has remained unchanged. The new breach standard should be included in providers' internal policies on responding to a potential breach. Once the new standard has been incorporated into a provider's policies, the provider should no longer use the prior breach standard, even for potential breaches that occurred prior to the Omnibus Rule's compliance deadline of September 23, 2013. [1]
Marketing and sale of PHI. Under the Omnibus Rule, the marketing of third-party products and services and the sale of PHI are generally prohibited. These general prohibitions do not apply if the provider has received a valid authorization from the patient. Therefore, in order for a provider to market third-party services to patients based on their PHI, or to sell or provide access to PHI for payment, the provider must request permission to do so from each patient whose PHI it wishes to use. Providers should also ensure that any definitions of "marketing" and "sale of PHI" in their policies comport with the revised definitions and standards under the Omnibus Rule. [1]
Decedents' PHI. Under the Omnibus Rule, the definition of "protected health information" now expressly excludes the health information of a person who has been deceased for more than 50 years. In addition, the Omnibus Rule provides that providers may disclose the PHI of a deceased person to that person's family members, relatives, close friends, or other individuals identified by the deceased who were involved either in the deceased's care or in payment for that care. Providers may disclose only the PHI that is relevant to the family member's, relative's, or friend's involvement in the deceased's care. PHI cannot be disclosed if the provider is aware that the deceased person expressed a prior preference that it not be disclosed to the person in question. [1]
Patient rights to limit disclosures. Under the Omnibus Rule, a provider must comply with a patient's request that PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations if the patient paid out-of-pocket, in full, for that item or service. [1]
Provision of electronic copies of medical records. Providers complying with a patient's request for an electronic copy of his or her PHI are required to provide access to such records in the electronic format requested by the patient if the records are maintained by the provider in an electronic designated record set and are readily producible in the requested format. There has been no change to the rules regarding whether a provider is required to grant access to a patient's medical records. [1]
The HHS Office for Civil Rights (OCR) is developing a new audit program focused on the areas that can compromise patient confidentiality. The audit protocol covers components of the Privacy Rule, the Security Rule, and the new breach notification rules. These audits will be performed through on-site inspections starting in 2014. Management will be asked questions to confirm its knowledge of these regulations, and will be asked to produce documentation of policies and procedures. Covered Entities can prepare themselves by educating employees on company policies and procedures. Training is considered a preventive measure that helps ensure compliance, and training records should be maintained in the event of an audit or investigation. After updating policies, Covered Entities should provide ongoing training; simply providing education to a new employee as part of initial orientation may not be sufficient.
While my wife thinks that I would have made a great attorney, I am not an attorney and therefore the material presented should not be considered legal advice. Covered Entities and their Business Associates should consider consulting with their legal advisor in these matters.
[1] Copyright 2006-2013 Globe Business Publishing Ltd, McGuireWoods LLP
ABOUT THE AUTHOR
Schreiber is a Senior Management Consultant at IMAGINE Software. Schreiber has 24 years of medical practice management experience, with an emphasis on radiology. He has managed hospital-based and combined hospital/imaging center practices in highly competitive environments and has been an active member of the RBMA since 2002. He is currently serving on the Board of Directors, is a past Parliamentarian and Vendor Relations Committee chair, and is a member of various other committees. The RBMA recognized Schreiber in the 2013 class of RBMA Fellows and has also presented Schreiber with special recognition awards in both 2005 and 2011 for his contributions to the RBMA practice management forums.