"The most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented."
That’s how HHS Office for Civil Rights (OCR) Director Leon Rodriguez described the recent HIPAA "Omnibus" Rule. But at 163 three-column pages, reading the rule and associated commentary that was published on January 25 is a daunting task. So I asked San Diego health lawyer Martha Ann (Marty) Knutson to share the knowledge she has accumulated over two decades as a trial lawyer, general counsel and healthcare compliance officer.
MM: What are the most salient points you take out of the new HIPAA rules?
MK: First is the definition of "business associates."
Figuring out who is a HIPAA "business associate" (BA) is particularly challenging because the "rules" exist partly in the regulation text and partly in the voluminous commentaries and other materials that the OCR has produced to explain the concept — which it created in the first place. For example, this time OCR added a word — "maintains" — to the definition of who is a BA. This addition was apparently in response to an argument from record storage companies that they were not BAs but "mere conduits" of information similar to FedEx or the Postal Service; not actually "creating, receiving, or transmitting" protected health information (PHI). But the "conduit" concept is nowhere in the regulation — only in OCR interpretations of it.
The basic characteristics of BA status have survived the rule-making: (a) a non-employee; (b) performing work "on behalf" of a covered entity; and (c) where the "function or activity" involves "creating, receiving, maintaining, or transmitting." Potential BAs that perform a substantial part of their work within a physician office, for example a contracted physical therapist, may be treated as "workforce" and simply trained rather than signing a formal "business associate" agreement.
Typical BAs in a physician office practice include: the answering service, any vendors involved in creating or maintaining the practice’s medical records, the billing service, practice management consultants, and attorneys (if they need access to PHI). The rule imposes additional responsibilities on physicians for the missteps of their BA contractors; it’s not enough to simply have a BA contract. Physicians are expected to use "reasonable diligence" in selecting and monitoring the actions of their "agents." Physicians can also expect some pushback from potential BAs because the rule now makes BAs and their subcontractors directly responsible for compliance.
But many other vendors and businesses still are not BAs, including the cleaning service, the copy repairperson, couriers, and banks. Physicians need to use "reasonable diligence" in limiting the PHI that any of these individuals may encounter, but do not need to enter into written BA agreements with them.
MM: What about changes to Notices of Privacy Practices (NPP)?
MK: The rule requires that certain statements be added into the practice NPP related to, as applicable, marketing, fundraising, psychotherapy notes, a new right to limit disclosures related to services that the patient pays for in full, and notifications of privacy breaches. Physicians must post the revised NPP in their office and make copies available there, but need not mail a copy of the revised notice to each patient.
MM: I understand there are new marketing limitations?
MK: Third-party funded marketing for products and services can no longer be directed to patients without their prior written authorization. This prohibition does not include face-to-face communications / recommendations or distribution of promotional gifts (even if subsidized) of "nominal" value. Physicians can market their own facilities and services — without prior authorization — to their patients, even when the communication is funded by a third party, but acknowledging that assistance would be prohibited without a prior authorization from the patient.
MM: What about copies of the EHR?
MK: One challenging part of the rule is its creation of a patient right to receive a "machine readable" copy of portions of the EHR related to him / her. Although physicians can charge the actual costs of responding to such a request, standard "retrieval" costs are prohibited. Now would be a good time to figure out practically how to do this, because the response time has been narrowed to 30 days (and some state laws require even faster responses).
MM: When do the new rules take effect?
MK: The "effective date" of the rule is March 26, 2013, but OCR has also granted a six-month period for physicians to get into compliance with the new requirements, so the "compliance date" is September 22, 2013. Some existing BA agreements may also qualify for a "grandfathering" period for up to 12 months past that.