Dramatic modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules that will impact your practice are finalized and begin to take effect next month.
The omnibus final rule, developed to help implement HITECH regulations in the American Recovery and Reinvestment Act and shore up electronic privacy rules in the 17-year-old act, includes changes to how providers and payers must protect personal health information (PHI) and the focus of enforcement from voluntary to punitive. The rule also makes business associates (BA) more accountable for breaches of PHI, with the risk of financial penalties.
The Centers for Medicare & Medicaid Services (CMS) maintains the changes provide the public with increased protection as penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. These changes broaden who is responsible and extends consequences to more parties, including small practice, payers, and BAs like billing services or clearing houses.
CMS says the new rule expands individual rights. For example, patients can request a copy of their electronic medical records in electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
The rule also streamlines individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and BAs up to one year after the 180-day compliance date to modify contracts to comply with the rule, the health agency says.
- The new rule increases liability for noncompliance for practices. Tiered penalties range from $100 to $50,000 per violation, depending on culpability. Under the new rule, HHS can impose monetary penalties without exhausting informal options.
- The new rule imposes direct liability for BAs and subcontractors, a change that puts billing services and their clients more at risk because a practice is now liable for what its billing service does.
- The rule introduces an objective test of whether PHI has been compromised and requires notification. The four elements are:
- Nature and extent of PHI in the incident
- Recipient of the PHI
- Acquisition or viewing status of PHI
- Mitigation of the risk after disclosure
- The new rule requires patient authorization for all communication of PHI for marketing purposes, closing a loophole that allowed health care organizations, drug companies, and others to use PHI for direct marketing to patients without permission.
- The new rule better defines what a BA is, clarifying how much interaction with PHI an entity can have before it becomes a BA, and establishing additional accountability for those entities.
- The rule loosens what can be used for fund-raising communications, allowing demographic information, dates of service, department, physician, outcome, and payer status for fund-raising and related BAs. Patient authorization is required.
- The rule makes it easier for your patients to authorize PHI to be used for more than one research effort, allowing a patient to designate PHI can be used for multiple and future research efforts at once.
Overall, the new rule clarifies the definition of a covered entity or BA, the responsibilities that each carry, and punishments associated with a lack of compliance. It doesn’t change the basics; an entity or BA must still have a plan, a designated compliance officer, education, analysis of gaps, and privacy notices for patients and their family members. Under the rule’s changes to definition of compliance, culpability, and correction, however, practices need to reassess efforts this year to avoid unexpected fines or punishment.
February 22nd, 2013
Part 1: Updating your privacy policies.
By Marcia L. Brauchler, MPH, CPC-P, CPC-H, CPC-I, CPHQ
From its inception in April 2003, the Health Insurance Portability and Accountability Act (HIPAA) was something of a “paper tiger.” But when President Obama signed the American Recovery and Reinvestment Act (ARRA) into law in February 2009, the tiger got teeth.
Major changes to the privacy law, as outlined below, were included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the larger ARRA.
What did ARRA/HITECH change? For starters, it significantly increased liability for not being in compliance with HIPAA. Previously, the maximum fine was $25,000 per violation. Now, that’s just the first level of fines: You can receive up to $1.5 million in fines for a single HIPAA violation. The HITECH Act also mandates that the federal government—specifically the Office for Civil Rights (OCR)—conduct audits on covered entities to ensure compliance. Even if no complaints have been filed against you, the government can show up and say, “Let us see your policies.”
HITECH allows state attorneys general to bring suits against various covered entities on behalf of “harmed individuals,” and will allow individuals whose rights were violated to participate in any civil monetary penalty if a covered entity is fined (the precise regulations are still being hammered out). There’s also a breach notification law provision in HITECH. What that means is, if you lose even just one patient’s unsecured information you have an obligation to tell the affected individual and the federal government. If more than 500 unsecured records are exposed (for instance, due to a missing laptop or a breach into your system), you have an obligation to tell the affected individuals and the federal government immediately (and local news media, if the breach affects more than 500 individuals in one area).
ARRA/HITECH also applies HIPAA privacy and security regulations to business associates (BAs), creates tighter marketing restrictions, and mandates that the OCR initiate a multi-faceted, national education campaign to inform the public about its privacy rights as patients.
Identify Weaknesses in Your HIPAA Compliance
Most practices probably haven’t considered the changes brought about by ARRA/HITECH, and are still operating under their original HIPAA policies and procedures. If this is the case in your practice, here are some highlights of what is likely to be out of date, based on our experience with the OCR:
- The Notice of Privacy Practices (NPP) is incorrect, and does not list instances when the provider would be obligated to disclose protected health information (PHI).
- A policy on “Consent for the Use or Disclosure of PHI” is unnecessary (Although patient consent for their PHI use is permitted under the privacy rule, it is not required.).
- Safeguards (administrative, technical, and physical) need to be included from the 2005 Security Rule to protect the privacy and security of PHI. (More on this in Part 2 of this series, Security Updates.)
- Due to out-of-date policies, the OCR may suggest intense training to get back in compliance.
- The complaint procedure must list a contact person within the practice.
- Policies may include a form allowing a patient to designate a personal representative, thereby granting the person to have the same rights as the patient under HIPAA. (The form must include all required elements for valid authorization under HIPAA.)
At Physicians’ Ally, Inc., we needed to update our policies that are made available to physician practices. As a baseline, our policies include the five general categories of “Patient Rights” under HIPAA.
- Patients have the right to obtain a copy and review their PHI.
- Patients have the right to request the practice amend PHI when the information is inaccurate or incomplete.
- Patients have the right to an accounting of the disclosures of their PHI by the practice or the BAs.
- Patients have the right to request that the practice restricts use or disclosure of PHI for treatment, payment, and health care operations (TPO) or other disclosures, such as to people involved in the payment of health care or notification to family members (The practice does not have an obligation to agree to these requests for restrictions, but if the practice does agree, it must comply.).
- Patients have the right to complain about the practice’s compliance with the policies and procedures required under the Privacy Rule.
During review, the OCR told us that our forms looked good, but we needed more policies. Our work was cut out for us, as it is for every physician practice that has not seriously updated its original HIPAA policies and procedures. We dedicated many months to learning about recent HIPAA changes and how to incorporate them into the practice’s policies, procedures, and training. We are proud to say that our revised policies and procedures were approved (for use by our client who was undergoing an OCR review).
Get Current, Get Compliant
To get current with HIPAA, we had to create new policies or tweak our existing policies for the following:
A new NPP. This is needed specifically to address that HIPAA allows the use of PHI in the day-to-day operations of the practice. The new notice describes how PHI can be used for “treatment,” meaning the coordination between providers for the care of a patient. PHI can be used for pursuing “payment” on behalf of a patient, such as calling a patient’s insurance company to verify coverage and benefits. PHI can also be used for regular “operations,” such as credentialing, quality improvement, care coordination, and even provider performance evaluation. If the NPP says the practice will use the PHI in a certain way, then it can (such as appointment reminders or “Thank You” notes). If your office’s notice doesn’t mention the specific uses of PHI, then you can’t use the PHI.
It’s not hard to find an NPP to use for your office, but you must customize the form to be an accurate reflection of your practice. The notice also must contain the date when it first went into effect, and mention how revised notices will be distributed. If you’re just now changing or adopting a new NPP, you should follow the procedure for distributing the notice to all patients: The NPP must be provided to patients at their first visit to your facility; it must be available for anyone who asks for it; and, it should be posted in your waiting room and on your website.
A policy indicating the practice would make a “good faith” effort to obtain written acknowledgement of receipt of the NPP by patients. If acknowledgement cannot be obtained (e.g., the patient refuses to sign the Acknowledgement form), the practice will document its efforts to obtain the acknowledgment, along with the reason why the acknowledgment was not obtained. This form must be retained in the medical record for at least six years.
Identify current BAs, and get updated agreements on file. Under the original HIPAA regulation, BAs were under agreement with the practice to protect PHI. Under the ARRA, BAs are directly liable to the federal government for compliance with the privacy and security rules of HIPAA (effective February 2010). Today, even BAs must have policies and procedures in place for how they will handle your practice’s PHI. Examples of BAs are legal counsel, accountants, billing companies, collections agencies, and business consultants.
These policies, forms, etc. also were required or highly recommended:
- A policy on allowable disclosures without authorization
- A policy on allowable disclosures with authorization, including a section allowing revocation of the authorization by patients if they change their mind
- A policy for requesting access to PHI and/or obtaining a copy of PHI
- A policy for requesting restrictions on uses and disclosures of PHI
- A Privacy Complaints form
- A form for requesting alternative means of communication
- A policy regarding how the practice utilizes email contact to transmit PHI over the internet
- A policy regarding marketing uses and disclosures
- Under ARRA/HITECH, the government further strengthened the prohibitions on selling patient information. In general, you should not sell or trade PHI without patient authorization. Face-to-face marketing communication to a patient is allowed, as is providing a promotional gift of nominal value to a patient. You should use the individual authorization form, however, if you intend to receive any kind of direct or indirect payment (remuneration) for marketing to a patient. Under HIPAA, you cannot sell your patient list without each patient’s authorization saying it is OK to do so.
- A policy describing the privacy officer’s position in detail, which includes investigating all suspected HIPAA violations and handling complaints
- A minimum necessary standard policy, directing the staff to only look at records essential to who is being treated
- A non-retaliation policy declaring that the practice will refrain from intimidating or retaliating against any person for exercising any right established by the Privacy Rule, including the filing of a complaint against the practice
- A non-discrimination policy
- Designated employee sanctions for violating privacy or failing to report suspected or actual violations
- Workforce member hiring and termination procedures, such as the practice reserving the right to conduct criminal and/or credit record checks
- An “open door policy” and philosophy: Every manager’s door is open to every employee to encourage open communication, feedback, and discussion about any matter of importance
- Safeguards (physical, administrative and technical security) that prevent people from accessing electronic PHI
- A breach identification process: This requires employees to report breaches or suspected breaches of privacy without fear of retaliation (Under ARRA/HITECH, federal regulations now require that if you think there is a security breach or a potential breach of privacy, you must tell your privacy officer.)
- Patient notification of breach: Required if you lose (breach) unsecured PHI and there is a risk of significant harm to a patient because of the breach (Interim regulations allow a covered entity to go through a risk assessment to determine the level of harm to the individual(s) whose information was breached—notification of the breach to the affected individuals must be done in a specific manner and within a certain timeframe.)
We dedicated many months to learning HIPAA changes and how to incorporate them into the practice’s policies, procedures, and training.
Make Training Part of Your Compliance Plan
In addition to updating your practice’s policies and procedures, offer privacy training periodically to all workforce members (defined by HIPAA as full-time, part-time, and temporary employees, as well as volunteers). Keep training documentation, and signed confidentiality statements (not required by HIPAA, but a nice touch) on file and maintained for six years.
As an employee, be aware of who your practice’s privacy officer is and where the HIPAA policies and procedures are kept. Your practice should have a central location where all HIPAA documents are stored and where staff can access them. Begin using updated forms/policies at once, and immediately undertake the administrative project of updating your practice’s BA list and filing signed BA agreements.
Perform a risk analysis to ensure compliance with HIPAA regulations. In Part 2 of this series, we’ll address how to do a security risk analysis, which should be performed on a regular basis to keep your practice up to date with changing electronic technology.
Marcia L. Brauchler, MPH, CPC-P, CPC-H, CPC-I, CPHQ, is a health care consultant and founder of Physicians’ Ally, Inc. She advises physicians and practice administrators on managed care contracts, reimbursement, coding, and compliance. Her firm is selling updated HIPAA policies and procedures at www.physicians-ally.com/hipaa_training.html.
August 1st, 2011