New HIPAA rule means big changes for doctors, hospitals and providers

By Correy Stephenson
The Daily Record Newswire
 
BOSTON — Doctors, hospitals, other medical providers and companies who do business with them are facing big changes as a result of new HIPAA regulations.

The new rule will keep lawyers busy counseling entities covered by the Health Insurance Portability and Accountability Act in the coming months, said Adam H. Greene, a partner in the Washington office of Davis Wright Tremaine who formerly worked at the Department of Health and Human Services’ Office for Civil Rights and focuses his practice on HIPAA compliance.

“Covered entities are going to have to revisit their policies, their training and their business associate agreements,” he said.

The omnibus regulations are the “most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The 563-page final rule includes modifications to HIPAA’s Privacy, Security, Enforcement and Breach Notification Rules.

Here’s a look at the most important changes:

• Privacy notices need to be updated.

Covered entities will likely need to update their privacy notices as a result of the final rule, HHS said.

Notices must now include a statement about a patient’s right to restrict the disclosure of their health information when they pay out of pocket for the service. Notices must also inform patients about their notification rights in the event of a data breach.

• Business associates of business associates are covered.

HIPAA applies to “covered entities” (health care providers and health plans, for example) as well as “business associates,” which are businesses that perform functions on behalf of covered entities that involve the disclosure of protected health information, such as billing and phone services and document or data storage companies.

The final rule extends coverage to “downstream” business associates, which means that certain subcontractors of business associates are also covered.

The idea was that covered entities and business associates should not be able to contract away their HIPAA obligations by farming out tasks to a subcontractor, said David Harlow, a health care attorney at The Harlow Group in Newton, Mass. and author of the HealthBlawg.

Now, entities that perform such functions as transmitting personal health information (a personal health record vendor, for example) are considered to be “business associates” under the rule and subject to direct liability and the potential for agency enforcement action and penalties.

An entity may still be covered even if it doesn’t have a business associate agreement; the rule provides that any subcontractor that “creates, receives, maintains or transmits personal health information” on behalf of a business associate is a business associate.

The change “is a huge extension of how many entities HIPAA applies to directly,” he added.

It may also cause covered entities and existing business associates alike “to re-think their business associates approach,” Greene said. For example, a subcontractor not previously covered may not be equipped to follow the HIPAA regulations, and a covered entity may need to find a new IT vendor or face vicarious liability.

• Breach notification standard changes.

Covered entities will face a significant challenge with the new data breach notification requirements, said Amy K. Fehn, a partner at Wachler & Associates in Royal Oak, Mich.

Currently, a breach must be reported to a patient if it poses a “significant risk of financial, reputational, or other harm to the individual.”

Under the new rule, if information is compromised, a data breach is presumed unless there is “a low probability” that protected health information was compromised.

That means that businesses must treat nearly all data compromises as data breaches, requiring them to notify individuals and/or state authorities depending on the size of the data breach.

• Patients have a right to a copy of their records.

Under the rule, patients have the right to a copy of their health records and may specify the form in which they want to receive the copy, including electronic copies. While this right existed previously, the rule changed the default form of production from a hard copy to an electronic copy.

Patients may also designate in writing to have their records sent to a third party.

Covered entities may charge a “reasonable” fee for their efforts, Harlow said, but the charge cannot exceed labor and supply costs. A time limit on providing patients with their records was also imposed; all paper and electronic personal health information must be given within 30 days of the patient’s request.

• Patients who pay out of pocket can request non-disclosure to their health plan.

The rule allows patients who pay in full out of pocket to request that the health care provider not disclose information about the service to their health plan.

“Now covered entities must segregate patient information, which can be pretty challenging, especially if there are subsequent related services,” Greene said.

For example, a patient who seeks to keep a diabetes test confidential may later require health care services related to diabetes care; the patient must then either pay for those subsequent services out of pocket, or the provider is entitled to disclose the services to obtain appropriate payment from the health plan.

• Providers may use more patient information to focus fundraising.

Providers received good news on the fundraising front because they may now use more types of patient information to target their requests.

“A hospital raising money for a new cancer center may now look at which patients were oncology patients and target there,” Greene said. “It can also look at outcomes and not send fundraising requests to people who had poor outcomes and it can look at health insurance and skip the Medicaid population as fairly unlikely to be donating.”

Previously, covered entities could only use information such as the dates care was provided and demographic information.

• Marketing by covered entities is limited.

Covered entities are now limited in their marketing if they receive remuneration for their efforts, Greene said.

Liability and enforcement

The final rule takes effect on March 26 with compliance required by Sept. 23.

Both civil and criminal penalties apply to covered entities and business associates.

For civil penalties, fines are based upon increasing levels of culpability ranging from $100 if a covered entity establishes that it did not know it violated the rule up to $50,000 for willful neglect resulting in a violation, with a cap set at $1.5 million per calendar year for multiple violations of an identical provision.

Penalties could significantly exceed $1.5 million per year for a covered entity where there are violations of multiple provisions.