Maureen Bacon & Angela Hayden
Note: This editorial is designed to give you an overview of several changes in the Final Rule, which runs to 138 pages in its final form. Information in this article should not be construed as legal advice. For specific questions about how to interpret or implement official requirements within your organization, please consult the source document or contact a knowledgeable healthcare attorney. For a more in-depth editorial on this ruling, see our most recent edition of VistaNotes, available for purchase on our products page at: http://www.miravistallc.com/products.php.
The term "HIPAA Compliance" is very commonplace in our industry. HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. This rule included provisions that require the Department of Health and Human Services (HHS) to improve the efficiency and effectiveness of the health care system and to set national standards for the security and privacy of individually identifiable Protected Health Information (PHI). On January 25, 2013, HHS issued a new Final Rule that modifies previous rules [1]. The Final Rule wraps all of the previous rules into one and provides references to all the parts of the original rules that providers must continue to follow. The final rule, appropriately deemed the Final "Omnibus" Rule, became effective on March 26, 2013 and established a compliance period of 180 days, making September 23, 2013 the ultimate deadline for compliance.
If this is the first time you are hearing about this new "Omnibus" Rule, you are not alone. The Competitive Bidding and National Mail Order initiatives have taken center stage in our industry, and this updated ruling has flown largely under the radar. In the Final Rule, any entity that is involved in the transmission of any PHI in electronic form is considered to be either a (1) Covered Entity (CE), (2) Business Associate (BA) of a covered entity, or (3) Subcontractor of a Business Associate (SubBA). This classification system breaks down the relationships between the businesses involved in the transmission of PHI and how PHI should be handled between entities. Companies that create, receive, maintain or transmit protected health information on behalf of a covered entity are now considered business associates under the new federal regulations and are now subject to business associate agreements regardless of their status as a CE, BA or SubBA. Additionally, all business associate agreements must meet the compliance regulations described within the rule. Providers that have business associate agreements executed prior to January 25, 2013 will need to amend those agreements before September 22, 2014 in order to become compliant. Any new business associate agreements executed on or after January 25, 2013 should be replaced with new compliant agreements on or before September 23, 2013.
Two of the most significant changes to the rule that providers should take note of relate to the definition of what constitutes a "breach" and an update to the breach notification process. Previously, an "incident" was considered a breach that required written notification only if the PHI disclosed was unsecured or identifiable and the risk of "harm" was great. The new final rule mandates that providers must perform a risk assessment that now more objectively determines a breach's risk of "compromise". The four factors of the risk assessment are: (1) to whom the disclosure was impermissibly made, (2) whether the PHI was actually accessed or viewed, (3) whether or not the recipient could identify the subjects of the data, and (4) whether the recipient took appropriate mitigating action. As a result, we will likely see many more instances of breach that require written notifications.
Providers are also faced with changes regarding the marketing, fundraising and sale of PHI. Through this final rule, new limits have been set on how information can be used and disclosed for marketing and fundraising purposes. Additionally, the final rule states that the sale of an individual's PHI is now prohibited without their express permission.
One of the more labor-intensive burdens placed by the final rule requires providers to revise their internal training and procedures to reflect compliance with the modifications. This involves updating existing HIPAA authorizations and forms to adhere to these new requirements.
Providers should note that this article only scratches the surface of the complexities within this Final "Omnibus" Rule. We encourage readers to seek additional information on the Health and Human Services website, https://www.hhs.gov, for the details of this rule and how it will impact their business.
[1] Security (Security and Electronic Signature Standards) Proposed Rule – published in 1998
HIPAA Privacy Rule – proposed 1999
Final Privacy Rule – released 2000
Final HIPAA Security Rule – published 2003
Genetic Information Nondiscrimination Act (GINA) – signed into law 05/21/2008
Breach Notification Final Rule – published 2009
Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as a part of the American Recovery and Reinvestment Act of 2009 – signed into law 02/17/2009
Final HITECH Rule – became effective 11/30/2009