
Covered entities can’t put it off any longer: HIPAA compliance now required


September was a busy month for attorneys guiding doctors, hospitals, medical providers and those that do business with them.

The enforcement deadline for entities covered by the Health Insurance Portability and Accountability Act was Sept. 23, under the 563-page omnibus regulations issued by the Health and Human Services’ Office for Civil Rights.

The changes to the Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act, or HITECH, took effect March 26, but entities were given a six-month grace period to achieve compliance with the myriad of new requirements.

In addition to expanding the definition of “business associate” under HIPAA, the new rule broadens patient rights, tweaks the standard for data breach notification requirements, and affects the use of patient information for fundraising and marketing.

Not to mention the necessary updates to privacy notices and employee training, noted Adam Greene, a partner in the Washington, D.C., office of Davis Wright Tremaine who formerly worked at OCR and now focuses his practice on HIPAA compliance.

Those covered by the regulations have incentive to comply, with both civil and criminal penalties available for covered entities and business associates. Civil penalties can range from $100 for an unknowing violation up to $50,000 for willful neglect resulting in a transgression.

“Particularly the changes to patient rights, covered entities need to understand and be able to comply right away in case a patient walks in and requests them,” said Amy Fehn of Fehn, Robichaud & Colagiovanni PLLC in Troy, Mich.

Compliance presents numerous challenges because of the many areas covered by the law. Health law practitioners highlighted some of the biggest changes as well as some of the most challenging new requirements.

Business associates of business associates

HIPAA historically applied to “covered entities” (health care providers and health plans, for example) as well as “business associates,” which are businesses that perform functions on behalf of covered entities that involve the disclosure of protected health information such as billing and phone services, and document or data storage companies.

The regulations now extend coverage to “downstream” business associates, which means that certain subcontractors of business associates are also covered.

Entities like a personal health record vendor that performs functions like transmitting personal health information are considered to be “business associates” and subject to direct liability — and the potential for agency enforcement action and penalties.

An entity may still be covered even if it doesn’t have a business associate agreement; the rule provides that any subcontractor that “creates, receives, maintains or transmits personal health information” on behalf of a business associate is a business associate.

Fehn experienced a last-minute flurry of activity as entities entered into updated business associate agreements that reflect this change.

Breach notification

Previously, a data breach was required to be reported to a patient if it posed a “significant risk of financial, reputational, or other harm to the individual.”

Under the new rule, if information is compromised, a data breach is presumed unless there is “a low probability” that protected health information was compromised.

Effectively, the updated standard requires businesses to treat nearly all data compromises as data breaches, mandating notification of individuals and/or state authorities, depending on the size of the data breach.

Factors to consider when evaluating whether a breach must be reported include the nature and extent of information involved, the person to whom the data was disclosed, whether he or she actually viewed it and whether the risk has been mitigated.

“Everyone is somewhat confused about the new standard,” Greene said. “To what extent is it a change or is really the same old standard with specific factors to consider?”

Covered entities should err on the side of caution, he said, “with the presumption on breach reporting unless there is solid evidence that the incident did not rise to the level of a breach.”

The change in breach notification standard also implicates business associates, Fehn noted. The regulations give a business associate suffering a breach 60 days to report the incident to a covered entity.

“But that doesn’t allow much time for the covered entity to fulfill its reporting requirements,” she explained. To buy an entity more time to meet its own requirements, business associate agreements should therefore shorten the time period for an initial report, she suggested.

Patient rights

Patient rights were expanded under the new regulations. Patients now have the right to specify the form in which they want to receive a copy of their health records, including electronic copies.

The rule changed the default form of production from a hard copy to an electronic copy when the information is maintained electronically.

Patients may designate in writing to have their records sent to a third party and the rule established time limits on providing patients with their records. All paper and electronic personal health information must be given within 30 days of the patient’s request.

Patients also may now request that a health care provider not disclose information about services received to their health plan when they pay in full out of pocket for the service.

This change still has some covered entities nervous, Greene said, as they struggle to deal with the practicalities. “Systems are not really set up to accommodate these requests,” he said.

Will providers need to create a second, separate file for the same individual to ensure that personal health information isn’t shared with a plan? If the patient requires subsequent related services, are those also segregated from the health plan? And what about situations where the provider has contracted with the plan and promised not to bill the patient for any costs?

When faced with a patient seeking to exercise their restriction-on-disclosure rights, Fehn advises clients to have the patient sign a form indicating that they are exercising their rights under HIPAA and have refused to file a claim with their provider. “That way, a patient can’t turn around and say they did want to have a claim submitted,” she explained.

Contract provisions restricting providers from billing patients are found in almost every managed care contract, Fehn noted. Providers who are therefore unable to treat the patient without reporting the service must explain the situation, she said; simply refusing treatment or service is not acceptable.

While it is unclear how many patients may actually cover their own costs, certain areas of medical treatment are more likely to experience such requests, such as mental health providers or substance abuse centers.

Older children remaining on their parent’s health plan may also elect to keep their treatment confidential if possible, Fehn said.

Marketing and fundraising

“One area a lot of entities are running into issues is the sale of PHI,” or protected health information, Greene noted. “It can creep into things where you least expect it.”

PHI includes information about an individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or payment information relating to medical services in combination with common identifiers like name, address, birth date and Social Security number.

The regulations prohibit remuneration in exchange for protected health information, Greene explained, and remuneration is not limited to just financial payments.

If a software company offers a provider a free app, the provider “needs to be sensitive as to why they are getting this service,” Greene said. “It could be for any number of reasons, but if it is to get access to PHI for things like data mining, that creates an issue.” Even the cost of postage paid by a third party would trigger concerns.

An exception exists for refill reminders, Fehn said, “but any reimbursement received for making a refill reminder communication must be reasonably related to the covered entity’s cost of sending the reminder. So the provider cannot profit from subsidized refill reminders.”

Providers received good news on the fundraising front, as they may now use more types of patient information to focus their requests.

“Fundraising efforts can now be better targeted using department of service, outcome information or health insurance status,” Greene said. The Medicaid population is not likely to be the best source of raising money, for example.

One other fundraising change: all communications must now include an opt-out notice.
