HITECH-related HIPAA Changes Final
Dramatic modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules that will impact your practice are finalized and begin to take effect next month.
The omnibus final rule, developed to implement the HITECH Act (enacted as part of the American Recovery and Reinvestment Act of 2009) and to shore up the electronic privacy rules of the 17-year-old statute, changes how providers and payers must protect protected health information (PHI) and shifts the focus of enforcement from voluntary correction to punitive action. The rule also makes business associates (BAs) directly accountable for breaches of PHI, with the risk of financial penalties.
The Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) issued the rule, maintains the changes give the public increased protection: penalties for noncompliance are tiered by the level of negligence, with a maximum of $1.5 million per calendar year for violations of an identical provision. The changes also strengthen the HITECH breach notification requirements by clarifying when breaches of unsecured PHI must be reported to HHS. They broaden who is responsible and extend consequences to more parties, including small practices, payers, and BAs such as billing services and clearinghouses.
HHS says the new rule expands individual rights. For example, patients can request a copy of their electronic medical records in electronic form. When individuals pay for a service out of pocket in full, they can instruct their provider not to share information about that treatment with their health plan. The omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without the individual's authorization.
The rule also streamlines individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and BAs up to one year after the 180-day compliance date to modify contracts to comply with the rule, the health agency says.
- The new rule increases liability for noncompliance for practices. Tiered penalties range from $100 to $50,000 per violation, depending on culpability, up to the $1.5 million annual cap for violations of the same provision. Under the new rule, HHS may impose civil monetary penalties without first exhausting informal resolution.
- The new rule imposes direct liability on BAs and their subcontractors, a change that puts billing services and their clients more at risk: a practice is now liable for what its billing service does when the billing service acts as its agent, and the billing service is itself directly liable for its own violations.
- The rule replaces the subjective "risk of harm" standard with an objective test. An impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless a documented risk assessment shows a low probability that the PHI has been compromised. The four factors that must be assessed are:
  - Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  - The unauthorized person who used the PHI or to whom it was disclosed
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk to the PHI has been mitigated
- The new rule requires patient authorization before PHI is used for marketing communications paid for by a third party, closing a loophole that allowed health care organizations, drug companies, and others to use PHI for direct marketing to patients without permission.
- The new rule better defines what a BA is, clarifying how much interaction with PHI an entity can have before it becomes a BA, and establishing additional accountability for those entities.
- The rule loosens what PHI can be used for fundraising communications, allowing demographic information, dates of service, department of service, treating physician, outcome information, and health insurance status to be used, or shared with a BA or institutionally related foundation, for fundraising. No patient authorization is required, but every fundraising communication must give the patient a clear and conspicuous opportunity to opt out, and that choice must be honored.
- The rule makes it easier for your patients to authorize PHI to be used for more than one research effort, allowing a patient to authorize multiple and future research uses at once.
Overall, the new rule clarifies the definition of a covered entity and of a BA, the responsibilities each carries, and the penalties for noncompliance. It doesn't change the basics: a covered entity or BA must still have a compliance plan, a designated privacy or security officer, workforce training, a gap analysis against the rules, and a notice of privacy practices for patients. Because the rule changes how compliance, culpability, and correction are defined, however, practices need to reassess their efforts this year to avoid unexpected fines or other enforcement action.