FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE

By Margie Satinsky, MA, MBA

This article summarizes the highlights of the Final Omnibus HIPAA Privacy and Security Rule announced by the Department of Health and Human Services (DHHS) on January 17, 2013 and published in the Federal Register on January 25, 2013. The Rule modifies HIPAA Privacy, Security, and Enforcement Rules, implements statutory amendments under the HITECH Act of 2009, strengthens privacy and security protection for individuals’ health information, modifies the Breach Notification Rule, and strengthens privacy protections for genetic information.

When the HIPAA Privacy and Security Rules went into effect, we saw a flurry of compliance activity by Covered Entities, including but not limited to medical practices.   The inclusion of HIPAA compliance in the requirements for Meaningful Use stimulated additional interest by Eligible Providers seeking financial incentives. Business Associates, including many software manufacturers who work with Covered Entities, have also developed HIPAA compliance programs. Nonetheless, many practices and Business Associates have yet to establish or modify their HIPAA compliance programs. Hopefully this new Rule, which ties together many of the disparate pieces of the program, will stimulate all to take action.  There’s a lot more to HIPAA compliance than hanging a Notice of Privacy Practices on the wall!

HIPAA – REMINDERS AND NEW INFORMATION 

1.     What is HIPAA? In 1996, the federal government passed the Health Insurance Portability and Accountability Act (HIPAA).  Its purpose was to provide assurances that the healthcare system would keep personal health information private. The Administrative Simplification portion of the law had five parts: the Privacy Rule, Transactions and Code Sets Standards, the Security Rule, the Employer Identifier Standard, and the National Provider Identifier Standards.  The HITECH Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), both modified some of the provisions of the Privacy and Security Rules and added requirements. Other relevant statues are the Interim Final Regulations on implementation of Breach Notification, Federal Trade Commission (FTC) Final Regulations on implementation of Breach Notification, the Interim Final Rule addressing Breach Notification and monetary penalties, the 2010 Notice of Proposed Rule Making, and the Genetic Information Nondiscrimination Act of 2008.  The intent of the Final Omnibus Rule is to eliminate inconsistencies among some of these statutes and bring everything together.

2.     Who are the important parties affected by HIPAA Privacy and Security? Covered Entities (e.g. health plans, healthcare clearinghouses, or healthcare providers that transmit health information in electronic form); Business Associates; and Agents. When HIPAA first went into effect, emphasis was on the responsibilities and liability of Covered Entities. By 2009, there was more emphasis on Business Associates. Now the definition of Business Associate is broader and includes a person who creates, receives, maintains, or transmits PHI on behalf of a Covered Entity on a routine (as opposed to a random) basis. Business Associates must comply with all requirements of the Security Rule and with most but not all requirements of the Privacy Rule.  The requirements for Business Associates apply to their subcontractors too, and it’s the responsibility of the Business Associate, not the Covered Entity, to make sure that subcontractors are in compliance.

3.     What are the civil monetary penalties for non-compliance?

Four categories of violations reflect increasing levels of culpability and four tiers of penalty amounts. The penalty for each violation ranges from $100 to $50,000, and there is a $1.5 million maximum penalty per calendar year. The Office of Civil Rights (OCR), the enforcing agency, does not apply the maximum penalty in all cases. It considers an entity’s financial condition, number of individuals affected, reputation, and prior indications of non-compliance and compliance.

4.     How has enforcement changed since HIPAA went into effect?

First, DHHS now does a preliminary investigation of every complaint.  If the preliminary review indicates a possible violation of HIPAA rules due to willful neglect, the investigation automatically proceeds.  If the preliminary review does not show willful neglect, DHHS has the option of trying to achieve voluntary corrective action.

Penalties apply to Covered Entities, Business Associates, and subcontractors of Business Associates.

A 30-day cure period factors into the determination of the size of the penalty. The clock starts running at the time the entity (i.e. Covered Entity, Business Associate, or Subcontractor) learns of or should reasonably know of the problem.

There’s a formal and pro-active audit program in place.  We know of several medical practices that attested to being HIPAA compliant when they applied for the financial incentive under Meaningful Use and are now targets for audit.  Questionable HIPAA compliance may jeopardize their receipt of the money that they seek.

5.     What is the compliance date for the Omnibus Final Rule?

The effective date of the Omnibus Rule is March 26, 2013. Compliance for both Covered Entities and Business Associates is 180 days from the effective date – i.e. September 23, 2013.

6.     Should my practice revise its Notice of Privacy Practices (NPP) and redistribute it to patients?

Yes – there have been many changes since the passage of the HIPAA Privacy and Security Rules. Here are some of them. The NPP must have language regarding patient authorization for most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and disclosures regarding the sale of PHI. There must also be a statement that regarding patient authorization for uses and disclosures not specifically described in the NPP. New language must mention an individual’s right to opt out of fundraising communications. Healthcare providers must clearly acknowledge their obligation to restrict use and disclosure to a health plan upon request by an individual who has paid out-of-pocket in full for a specific service. 

Healthcare providers are not required to print and distribute a revised NPP. They must post the new NPP in a clear and prominent location and make copies available to those individuals who wish to take them. Providers may also post a summary of the revised NPP, provided that the full notice is also available.  If patients have provided permission to receive practice information by email, the practice can send the revised NPP electronically.

7.     How does the Omnibus Rule enhance the rights of individuals with respect to PHI?

The limitations on the use and disclosure of PHI for marketing and fundraising are stronger. Individuals can now request electronic copies of PHI, and Covered Entities must provide it in the form requested by the individual if readily producible, or in a readable form and format agreed to by the Covered Entity. Individuals can request transmission of a copy of PHI directly to a designated person.  In such cases, the Covered Entity must verify the identity of the individual making the request and take reasonable steps to ensure that the email address of the recipient is correct. Individuals who pay out of pocket in full for a service can restrict disclosure of that information to a health plan.  To help parents and guardians, Covered Entities now have an easier process for disclosing proof of immunization to schools in those states that have school entry and other similar laws.  There’s greater clarity in the procedures for notifying individuals of a Breach.  When individuals request PHI, Covered Entities must provide the requested information within 30 days, with a one-time 30-day extension.

8.     How has the definition of a Breach changed, and what are the guidelines for determining and reporting a Breach?

Although the determination of a Breach remains more subjective than many in the health industry would like it to be, the Omnibus Rule modifies and clarifies the definition of Breach and the risk assessment approach. There’s a new definition of a Breach: an impermissible use or disclosure of PHI unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.  Rather than focusing on potential harm to the individual, the new language speaks to the responsibility of a risk assessment, performed by the Covered Entity or Business Associate, to assess the nature and extent of the PHI, the unauthorized person who used the PHO or to whom it was disclosed, whether or not the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.  A common example of a possible Breach is a lost or stolen laptop computer.  The loss or theft itself does not necessarily mean a Breach.  If the owner can retrieve the laptop and forensically show that there was no Breach, then there’s nothing to report.  But if the laptop can’t be retrieved, there is a Breach that must be reported to the individuals affected and possibly to CMS.

9.     How does the Omnibus Rule modify the HIPAA Privacy Rule to protect genetic information as required by the Genetic Information Nondiscrimination Act (GINA) of 2008?

GINA prohibits discrimination based on an individual’s genetic information in health coverage and employment contexts.  Genetic information is defined as the genetic tests of an individual or an individual’s family members and about diseases or disorders manifested in an individual’s family members. A distinction is made between medical tests such as HIV tests, complete blood work, cholesterol testing, and liver function tests.

10.    What are good resources for additional information?

The Final Omnibus Rule was published in the Federal Register on January 25, 2013. The link is http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.  The material identifies modifications and additions, citing both public comment and rationale for DHHS’ final decisions. 

The website of the Office of Civil Rights contains instructions for submitting a Breach form: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

 

Margie Satinsky, MA, MBA is a Consultant for InGauge Healthcare Solutions.   Contact her for consulting services at margie.satinsky@ingaugehsi.com.  Efficiency in Practice is the free eNewsletter for medical practice managers who want to save time, money and reduce risk.  For more information and to access your FREE report, Patient Collections: It’s Make or Break for Many Practices, visit www.efficiencyinpractice.com 

This article can be reprinted freely online, as long as the entire article and this resource box are included.



Comments are closed.