Kathleen L. DeBruhl, JD, and Gilbert F. Ganucheau Jr, JD
Most physician practices are familiar with their obligation to protect a patient’s protected health information (PHI) under the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA). Recently adopted new rules have changed some of the old understandings and require the identification and modification of certain policies. These new rules also will change the way practices handle events that may be considered a breach of the privacy or security rules, including the identification of what may be a reportable breach.
Most of the required changes in policies and procedures went into effect in March 2013, with some extended compliance dates. The last required change to be enforced relates to Business Associate Agreements (BAA).
Breach Notification Rule
Regulations published in January 2013, known as the HIPAA Mega Rule (the Omnibus Final Rule), have changed how an entity determines whether a breach must be reported. Under the new rule, a breach is presumed to have occurred whenever unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule. Three situations are excluded from the definition of a breach:
- an unintentional acquisition, access, or use of PHI by a workforce member or other person acting under the authority of the covered entity or business associate, made in good faith and within the scope of that person’s authority, with no further use or disclosure
- an inadvertent disclosure by a person authorized to access PHI to another person at the same covered entity or business associate who is also authorized to access PHI, with no further use or disclosure (for example, the wrong file is passed to someone within the organization)
- a disclosure in which the covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information
Previously, a breach was reportable only if the disclosure posed a “significant risk” of financial, reputational, or other harm to the individual whose PHI was disclosed. Under the Mega Rule, any impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless the entity demonstrates, through a documented risk assessment, that there is a “low probability that the PHI has been compromised.”
As a result, a practice must start from the assumption that any unauthorized use or disclosure of PHI is a breach that must be reported. The risk assessment determines whether the practice must notify the affected individuals, the federal Office for Civil Rights (OCR), and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, based on the probability that the PHI was compromised.
In performing the risk assessment, the practice must consider at least the following four factors:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- the unauthorized person who used the PHI or to whom the disclosure was made
- whether the PHI was actually acquired or viewed
- the extent to which the risk to the PHI has been mitigated
Fig. 1 depicts a decision tree that may be helpful for a practice to use in determining whether a disclosure must be reported.
Business Associates
A Business Associate (BA) is any person or entity that creates, receives, maintains, or transmits PHI for or on behalf of a Covered Entity (CE), such as a physician or practice, or on behalf of another BA. Anything a CE could do itself but instead has someone else do, if it involves the creation, receipt, maintenance, or transmission of PHI, makes that other entity a BA of the CE.
Types of entities that are considered BAs include subcontractors, health information exchanges, patient safety organizations, claims clearinghouses, billing vendors, shredding vendors, and system vendors. A contractor that has no reason to use PHI (janitorial or plumbing services, for example) and mere conduits such as Federal Express or the US Postal Service are not BAs. An Internet storage provider (cloud vendor) that stores PHI, however, is a BA even if it never views the data it holds.
A major change enacted by the Mega Rule is that BAs are now directly subject to the HIPAA regulations and to the same penalties as CEs. The Security Rule, the breach notification rule, and the applicable provisions of the Privacy Rule now apply to BAs directly, and the penalties for violating the privacy and security rules may be imposed on them. In addition, a BA must have a BAA with every subcontractor that creates, receives, maintains, or transmits PHI on its behalf; those subcontractors are themselves BAs and carry the same obligations.
All BAAs must be compliant with the Mega Rule by Sept. 23, 2014. However, a BAA that is replaced, modified, or renewed between March 26, 2013, and Sept. 23, 2014, must be brought into compliance no later than the date of that renewal or modification.
Penalties
Civil penalties for violations of the Privacy and Security Rules fall into four tiers, based on the culpability of the entity that violated the rules. The tiers carry ranges of penalties from a minimum of $100 to a maximum of $50,000 per violation. A continuing violation counts as a separate violation for each day it continues. Penalties for violations of an identical provision are capped at $1.5 million per calendar year.
If it appears that the CE or BA exhibited willful neglect in causing the violation, OCR is required to investigate and must impose penalties for the violation. “Willful neglect” is the conscious, intentional failure or reckless indifference of the CE or BA to its obligation to comply with the provision that was violated.
Genetic Information
The Genetic Information Nondiscrimination Act (GINA) was signed into law on May 21, 2008. GINA protects individuals against discrimination based on their genetic information in health coverage and in employment. The Mega Rule finalized the HIPAA regulations implementing GINA: genetic information is PHI, and all health plans subject to HIPAA are prohibited from using or disclosing it for underwriting purposes. Issuers of long-term care policies are exempt from this prohibition.
Providers are not responsible for ensuring that health plans use genetic information correctly. Requests from health plans for genetic testing information held by a provider are, however, subject to the minimum necessary standard.
Notice of Privacy Practices
The Mega Rule also changed the content of the Notice of Privacy Practices (NPP) that providers must give to patients. All practices must update their NPP and HIPAA policies to reflect the new individual rights and privacy practices, including the following:
- The NPP must list permitted or required uses or disclosures of PHI.
- The NPP must state that uses and disclosures of psychotherapy notes (where the provider maintains them), uses and disclosures of PHI for marketing, and the sale of PHI require the patient’s authorization.
- The NPP must contain a statement that any uses or disclosures not listed in the NPP require the patient’s authorization.
- The NPP must describe the patient’s right to opt out of fundraising communications, the patient’s right to restrict disclosures to a health plan when the patient pays out of pocket in full for a service, and the patient’s right to receive notice of a breach of unsecured PHI.
Practices are now required to use the revised NPP. Providers need not redistribute the revised NPP to existing patients, but it must be given to new patients, posted in the office (and on the practice website, if one exists), and provided to anyone on request.
Practices should confirm that their policies and procedures comply with the changes imposed by the Mega Rule. In particular, practices should update their breach notification policies and their Notice of Privacy Practices and should review their BAAs with all vendors and contractors to ensure that they are compliant with the new rules.
Kathleen L. DeBruhl, JD, and Gilbert F. Ganucheau Jr, JD, are with Kathleen L. DeBruhl & Associates, LLC, a law firm specializing in highly complicated healthcare regulatory matters involving physician ownership and financial relationships, reimbursement, fraud and abuse, and compliance.
Sample forms available
Sample HIPAA-compliant documents are available for download from the AAOS Practice Management Center. A Notice of Privacy Practices and a Business Associate Agreement can be found at www.aaos.org/pracman