Health Care Team Client Alert
HIPAA AND HITECH FINAL RULE RELEASED
www.lawmh.com, August 20, 2013

The U.S. Department of Health and Human Services (“HHS”) has issued its long-awaited Final Rule implementing changes and new requirements for compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) by health care providers and their business associates. The new HIPAA and HITECH rules go into effect on March 26, 2013. However, health care providers and their business associates will not need to comply with the new HIPAA and HITECH rules until September 23, 2013. Below is a summary of the major changes to HIPAA and HITECH under the Final Rule.

Business Associates and Business Associate Agreements

The definition of a “business associate” is expanded to include any entity that creates, receives, maintains or transmits protected health information on behalf of a health care provider. The Final Rule clarifies that mere conduits of protected health information that have limited, infrequent access to such protected health information, such as a courier or an Internet service provider, are not business associates. However, an entity that maintains protected health information on behalf of a health care provider is a business associate even if the entity does not actually view the protected health information. For example, a data storage company that has access to protected health information is considered a business associate of the health care provider for whom it stores protected health information, even if such data storage company does not actually access such information. Thus, health care providers will need to enter into business associate agreements with any entity that maintains protected health information on behalf of such health care provider, which would include data storage companies (whether the storage is held digitally or in hard copy form).

The Final Rule expands the definition of “business associate” to specifically include Patient Safety Organizations, Health Information Organizations, E-prescribing Gateways or other persons who provide data transmission services with respect to protected health information, and personal health records vendors. In addition, subcontractors of health care providers (contractors of a health care provider’s business associate) that are performing business associate services and have access to and use protected health information are also considered business associates. The business associate of the health care provider is required to enter into a business associate agreement with the business associate’s contractor. Thus, health care providers should ensure their business associate agreements include this requirement of business associates.

The Final Rule also makes clear that if an entity fits into the definition of a business associate, such entity is required to comply with HIPAA and HITECH requirements even if such entity has not entered into a business associate agreement with a health care provider. Thus, while health care providers are still required to enter into business associate agreements directly with their business associates, the lack of such an agreement does not relieve the business associate of its obligations and liability for failing to comply with HIPAA and HITECH requirements. Business associates will now be held liable for the same penalties for HIPAA and HITECH violations as are applicable to health care providers.

HIPAA Breaches and Notification Requirements

Under the Final Rule, an impermissible use or disclosure of an individual’s protected health information is presumed to be a HIPAA breach that requires notice to the individual unless the health care provider demonstrates there is a low probability that the protected health information has been compromised. “Compromised” means that the protected health information was accessed, disclosed, used or subject to potential disclosure and use in an impermissible manner under the HIPAA and HITECH rules. This is a significant departure from the former requirement, under which a health care provider was required to perform a risk assessment to determine whether the breach would result in a significant risk of harm to the individual in order to determine whether a reportable HIPAA breach had occurred. As a result, the risk assessment under the Final Rule is more likely to result in reportable HIPAA breaches.

The Final Rule requires health care providers to perform a risk assessment that addresses the following four factors to determine if protected health information has been compromised: (1) the nature and extent of the protected health information involved, (2) the unauthorized person who used the protected health information or to whom the disclosure was made, (3) whether the protected health information was actually acquired or viewed, and (4) the extent to which the risk to the protected health information has been mitigated. As all impermissible uses or disclosures of an individual’s protected health information are presumed to be a reportable HIPAA breach, HHS also clarifies that a health care provider may decide to notify individuals of the breach without conducting a risk assessment.

The Final Rule did not change the requirement that individuals be notified of a HIPAA breach involving the individual’s protected health information within 60 days of the discovery of the breach. Additionally, health care providers must submit a log of all HIPAA breaches discovered during the past calendar year to the Secretary of HHS no later than 60 days after the end of the calendar year. However, HIPAA breaches involving more than 500 individuals must be reported to media outlets and the Secretary of HHS no later than 60 days after their discovery.

The Final Rule also did not change the contents required to be included in HIPAA breach notifications to individuals. Such notices must address the following factors: (1) a brief description of the breach, including the date of the breach and the date of discovery of the breach, if known, (2) a description of the types of information involved in the breach, (3) any steps an individual should take to protect themselves from harm that may result from the breach, (4) a brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and protect against any further breaches, and (5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website or postal address.

Finally, the Final Rule continues to require that a health care provider have policies and procedures in place for HIPAA privacy requirements, train its workforce on HIPAA privacy requirements and breach notification requirements, have sanctions in place for failure to comply with such policies, and permit individuals to file complaints regarding privacy policies without retaliation. Each health care provider should review and update its HIPAA policies and procedures to ensure they reflect the new requirements under the Final Rule.

Marketing and Sales of Protected Health Information

The Final Rule requires a health care provider to obtain written authorization from an individual before using the individual’s protected health information to market a product or service to such patient when the health care provider receives financial payment for making the communication from a third party whose product or service is being marketed. The authorization must disclose the fact that the health care provider is receiving financial payment from such third party. No authorization is required for face-to-face communications or promotional gifts of nominal value provided by a health care provider to an individual. However, marketing communications made over the phone, through the mail, email or other format would require authorization.

The Final Rule requires a health care provider to obtain an individual’s written authorization before the health care provider sells such individual’s protected health information and receives a financial or non-financial benefit for such protected health information. This is broader than the requirement for marketing, as the benefit for sales of protected health information includes non-financial benefits as well as financial benefits. The written authorization must disclose that the health care provider is receiving remuneration in exchange for the protected health information. The Final Rule clarifies that a “sale of protected health information” does not include payment a health care provider receives in the form of grants or other payments to perform programs or for research purposes, or fees to cover the costs of submitting protected health information for public health activities. Protected health information exchanged through a health information exchange that is paid for by fees assessed on participants is not considered a sale of protected health information. In addition, fees paid by a health care provider to business associates, or by business associates to their contractors, would not be considered a sale of protected health information.

Fundraising

The Final Rule modifies requirements of health care providers that use protected health information for fundraising purposes. Under the Final Rule, in each fundraising communication a health care provider must include notice of how the individual receiving the communication can opt out of future fundraising communications. The method for the individual to opt out of receiving future fundraising communications cannot be unduly burdensome or cause the individual to incur more than a nominal cost to opt out of receiving future fundraising communications.

Protected Health Information of Deceased Individuals

The Final Rule clarifies that HIPAA and HITECH requirements apply to protected health information of an individual for 50 years after the individual’s death. The Final Rule also expands the list of people to whom a health care provider is permitted to disclose protected health information about a deceased individual to include family members and others involved in the care or payment for care of the individual prior to the individual’s death, unless the individual expressed a prior preference that such information not be disclosed to such persons.

Notice of Privacy Practices

The Final Rule requires that a health care provider’s Notice of Privacy Practices include statements regarding uses and disclosures of an individual’s psychotherapy notes and uses of protected health information for marketing purposes and sales of protected health information that require an individual’s authorization. The Notice of Privacy Practices must also include a statement to inform an individual of their right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for a health care item or service. Finally, the Notice of Privacy Practices must include a statement of the individual’s right to be notified after a breach of protected health information. Health care providers must make their revised Notice of Privacy Practices available upon request by September 23, 2013, and post the revised Notice of Privacy Practices in a clear and prominent location.

Individuals’ Right to Access Electronic Health Information

The Final Rule requires health care providers to provide individuals with a copy of their protected health information in electronic form upon request from the individual. Additionally, health care providers are required to comply with an individual’s request that the health care provider send the individual’s protected health information directly to another person. Health care providers are required to comply with an individual’s request for protected health information within 30 days. Where the protected health information must be obtained from off-site storage, or other exigent circumstances exist that would cause a delay in providing the requested protected health information, the health care provider has to supply the requested protected health information within 60 days.

Health care providers are permitted to charge reasonable fees for copying and other costs associated with complying with an individual’s request for protected health information. The fee is limited to the actual labor costs for copying the protected health information and creating an electronic copy of the protected health information, and costs for postage and supplies. The Final Rule does not require business associates to comply with requests for an individual’s protected health information in electronic format. However, a health care provider may require the business associate to comply with such requests in the business associate agreement between the health care provider and business associate.

Expanded Liability and Fines and Penalties

The Final Rule expanded liability for HIPAA and HITECH violations and strengthened civil monetary penalty provisions for health care providers, business associates and subcontractors that fail to comply with HIPAA and HITECH requirements. Under the Final Rule, health care providers and business associates will be held liable for acts of their agents. An agency relationship is determined on a fact-specific basis, but is generally a relationship in which the health care provider or business associate has the right or authority to control a party’s conduct in the course of performing a service on behalf of the health care provider or business associate. Thus, a business associate is likely to be considered an agent of a health care provider, and a contractor of a business associate is likely to be considered an agent of a business associate. Health care providers should review their business associate agreements to ensure they contain an indemnification provision so that the business associate is required to indemnify the health care provider in the event the health care provider is held liable for HIPAA and HITECH violations committed by the business associate.

HHS may impose a civil monetary penalty for violations of HIPAA and HITECH requirements, with penalties increasing based on the degree of culpability of a health care provider, business associate or downstream contractor. There are four categories of violations and associated ranges of penalties, ranging from $100 per violation (where the HIPAA or HITECH violation was unknown), up to $50,000 per violation (where the party committing the HIPAA or HITECH violation acted with willful neglect and did not correct the violation). The Final Rule also confirms an annual cap of $1.5 million for identical violations. The amount of civil monetary penalty that HHS may impose will vary based on HHS’s assessment of the nature and extent of the violation (including the number of individuals affected and the length of time over which the violations occurred), the nature and extent of the resulting harm to individuals affected, prior compliance with the HIPAA or HITECH provision at issue, the financial condition of the health care provider, business associate or contractor, and other matters HHS may consider in its discretion.

The Final Rule also clarifies how HHS will “count” HIPAA and HITECH violations. For violations of HIPAA and HITECH privacy requirements, HHS can impose a civil monetary penalty based on the number of individuals affected. Thus, if a health care provider mailed 20 statements to incorrect patients, each separate mailing would count as a violation of the privacy requirements under HIPAA and HITECH. For violations of the security requirements under HIPAA and HITECH, HHS can impose a civil monetary penalty based on the number of continuous days in which the security requirements were not met. Thus, each day on which a health care provider failed to implement appropriate administrative, physical and technical safeguards for electronic protected health information would count as a separate violation of the security requirements under HIPAA and HITECH.

Conclusion

The Final Rule will necessitate changes to health care providers’ business associate agreements, templates for risk assessments of HIPAA breaches, Notices of Privacy Practices, and privacy and security policies. Additionally, health care providers should ensure their workforce members are appropriately trained on the new Final Rule requirements as well as updates to the health care provider’s privacy and security policies. HHS will continue to conduct random audits of health care providers and business associates and investigate complaints to ensure HIPAA and HITECH requirements are being met.

The Health Care Team at McCandlish Holton would be happy to assist you in ensuring your HIPAA policies are current and to provide HIPAA training to your workforce members. Our experienced Health Care Team can also assist with enforcement actions taken by the state or federal government in the event you are accused of committing a HIPAA violation. Please let us know if we may assist you or if you would like additional information about the Final Rule and HIPAA and HITECH requirements.

As you can appreciate, this summary description cannot capture the full expanse of changes under the Final Rule. We would be happy to discuss these items with you and assist as necessary to ensure you are in compliance with the new requirements. If you would like more information about HIPAA and HITECH requirements, or need assistance updating business associate agreements, privacy and security policies, Notices of Privacy Practices, or HIPAA and HITECH compliance training for workforce members, please contact any member of McCandlish Holton’s Health Care Team at 804-775-3100.