On Jan. 17, 2013, HHS issued the long-awaited omnibus final rule implementing changes in current regulations under HIPAA. The final rule is effective March 26, 2013, and covered entities and business associates must comply with most of its provisions by Sept. 23, 2013.
The following are some specific changes included in the final rule that will impact your medical practice:
1. The Business Associate Agreement (BAA) currently used by your practice must be updated to include the following changes by Sept. 23, 2014:
• A requirement that business associates must comply with the HIPAA Security Rule;
• A requirement that business associates report breaches of unsecured protected health information (PHI) to covered entities;
• A requirement that any subcontractors of the business associate agree to the same restrictions and conditions that apply to the business associate.
Keep in mind that business associates are now also required to enter into BAAs with their subcontractors. For example, if your management company subcontracts the billing duties to a separate company, those parties will need to enter into a BAA. It is recommended that both parties maintain evidence that a BAA was executed.
The final rule also makes covered entities liable for violations of business associates when acting as an agent of the covered entity. This means that your practice can be liable for violations of your management company in handling your practice’s protected health information. Although a written BAA is a must, training business associates regarding compliance efforts and privacy issues is advisable.
2. Your practice’s current Notice of Privacy Practices must be updated to include:
• Certain statements in the notice regarding uses and disclosures that require authorization;
• A statement about fundraising communications and an individual's right to opt out of receiving such communications;
• Information about an individual's right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service (only healthcare providers are subject to this requirement); and
• A statement of an affected individual's right to be notified following a breach of unsecured PHI.
2. The final rule also expanded the definition of "breach" under HIPAA.
Under the final rule, any impermissible use or disclosure of PHI is presumed to be a breach requiring notification, except in limited circumstances. The final rule eliminated the harm standard, which allowed entities to avoid notification if they could demonstrate that the breach posed no significant risk of harm to the individual. Instead, under the final rule, breach notification may be avoided if the entity can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised.
The final rule further provides the factors that must be used in the risk assessment, which include:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
These changes require that your practice’s compliance plan be revised and updated. Training and education of key compliance individuals is recommended to adjust to these new mandates. Keep in mind that HHS has retained the high penalty structure currently in effect for HIPAA violations, meaning that penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million on a per-provision basis. HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.
HIPAA compliance should be a priority for all practices and meeting the next deadline is essential. Talk with experienced healthcare counsel if you need guidance to assure you are prepared to handle enforcement of HIPAA and any subsequent violations that might occur.