New Final Rule Changes HIPAA Provisions and HITECH Applicability
Review how clarifications can impact your protected health information (PHI) use and disclosure.
By Michael D. Miscoe JD, CPC, CASCC, CUC, CPCO, CCPC, CHCC
In 2010, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which mandated changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Then, on Jan. 17, 2013, the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR) published the final rule, “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” significantly revising the act. Let’s take a look at how these revisions will affect your practice.
Business Associate PHI Liability Is Expanded
The HITECH Act made the Breach Notification Rule, significant portions of the HIPAA Security Rule, and specific HIPAA Privacy Rule provisions directly apply to business associates. The final rule clarifies who a business associate is and how the HITECH Act’s provisions pertaining to business associates are applied.
Business Associate Agreements Extend to Subcontractors
OCR clarifies that only data transmission services requiring routine access to PHI are considered business associates. OCR also clarifies who is considered a subcontractor. It still requires a business associate agreement with all subcontractors who access or use PHI as part of their contracted function with the covered entity. It extends this requirement to entities the subcontractor retains to accomplish any function that requires the use and disclosure of PHI.
For example: Assume a provider (Doctor A) subcontracted its billing function to a third-party billing service (ABC Billing). ABC Billing would be a business associate, and as such, it has direct liability for any violation of HIPAA. Doctor A is required to execute a business associate agreement with ABC Billing. If ABC Billing subcontracted work to another person (Outside Coder)—such as an independent contract coder (including those in another country)—then Outside Coder is liable under HIPAA. Not only is Outside Coder subject to HIPAA liability, but Doctor A must execute a business associate agreement with Outside Coder. For this to occur, Doctor A must require, as part of the agreement with ABC Billing, that it disclose the identity of Outside Coder so Doctor A is able to execute the appropriate business associate agreement with that subcontractor.
Who Needs a Business Associate Agreement?
The definition of “business associate” includes any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. The word “maintains” was inserted to address entities that store or maintain PHI on behalf of a covered entity, even though they never access or view the PHI. These entities include companies providing physical storage of paper records or facilities serving providers with online backup and storage of electronic PHI. All of these are now considered business associates under HIPAA and a business associate agreement is required.
The final rule also clarifies that when a covered entity discloses PHI to a healthcare provider for purposes of treatment, the healthcare provider is not considered a business associate of the disclosing covered entity.
Business Associate Liability Under the Revised HIPAA Rules
Consistent with the preliminary rule, business associates and their subcontractors are now directly liable for violations of the HIPAA Security Rule and for uses and disclosures in violation of the HIPAA Privacy Rule. As a result of these changes, business associates (which includes their subcontractors who are also considered business associates under the final rule) must address the following in the business associate agreement:
- Business associates must keep records and submit compliance reports to HHS when HHS requires such disclosure to investigate the business associate’s compliance with HIPAA and to cooperate with complaint investigations and compliance reviews (45 CFR § 160.310(a), (b)).
- Business associates must disclose PHI, as needed by a covered entity, to respond to an individual’s request for an electronic copy of his or her PHI (45 CFR § 164.502(a)(4)).
- Business associates are required to notify the covered entity of a breach of unsecured PHI (45 CFR § 164.410(a)).
- Business associates must make reasonable efforts to limit use and disclosure of PHI consistent with the minimum necessary disclosure rule in response to requests for PHI (45 CFR § 164.501(b)(1)).
- Business associates—just like providers—must provide an accounting of disclosures of PHI (76 Federal Register 31426, May 31, 2011) and must execute agreements with subcontractors that comply with the Privacy and Security Rules (45 CFR §§ 314(a)(2)(iii); 164.504(e)(5)).
PHI for Marketing Use Has Further Restrictions
Consistent with the prior rule, use or disclosure of PHI for “marketing” purposes remains permissible, with the patient’s written authorization. A revision in the final rule, however, provides additional restrictions on PHI use and disclosure in cases where the covered entity received remuneration connected to its use or disclosure.
Under the new rule, marketing occurs when a covered entity uses PHI to identify individuals for the purpose of receiving a communication about an item or service and receives a form of monetary compensation from a third party to communicate with the targeted individuals.
The original rule defined marketing simply as communicating about a product or service to encourage individuals to purchase it. The prior rule, however, loosely defined exceptions to marketing that permitted a practice to describe to its patients the products, services, or alternative treatments on behalf of others without being characterized as “marketing.” The final rule amends the definition of marketing and it now encompasses treatment or healthcare operations communications about health-related products or services where a practice (or business associate) receives remuneration from the entity whose product or service is being described (45 CFR § 164.501).
For example: If a physician office shares PHI with drug companies for payment so the drug company can pitch its products to the physician office’s patients, that’s engaging in marketing.
The final rule also states that financial remuneration can be either direct or indirect payment from, or on behalf of, the third party whose product or service is described in the marketing material. The official comments to the regulation, however, clarify that financial remuneration does not include in-kind (non-cash) benefits provided to a covered entity in exchange for making the communication (78 Federal Register 5566 at 5593, Jan. 25, 2013).
Existing exceptions for face-to-face communication (78 Federal Register 5566 at 5596, Jan. 25, 2013) remain intact in the final rule, as does communication about currently prescribed medications (e.g., communication about prescription refills, generic substitutes, or instructions for taking the drug). These activities are not considered marketing as long as any remuneration received for making the communication is limited to the covered entity’s cost in making or sending the communication (45 CFR § 164.501).
Sale of PHI Needs Patient Authorization
The sale of PHI to third parties remains impermissible without the patient’s written authorization (45 CFR §§ 164.502(a)(5)(ii)(A), 164.508(a)(4)). Any written authorization must detail what will be disclosed and to whom, and must expressly indicate that the permitted disclosure of PHI will result in remuneration to the covered entity. Written authorization is required for both financial and non-financial remuneration. As a result—and unlike the marketing rule—remuneration associated with the “sale” of PHI involves anything of value. Beyond this clarification, the final rule does provide a number of exceptions, which are found at 45 CFR 164.502(a)(5)(ii).
Provision of Electronic Copies of PHI
The final rule adopts the following rules pertaining to electronic protected health information (ePHI) and patient use:
Providers Must Supply Copies in Compatible, Risk-free Formats
Covered entities that maintain records in designated electronic record sets must provide an electronic copy of the patient’s medical record for the patient. The electronic form and format requested by the patient must be readily producible by the covered entity. If the form or format requested by the patient is not readily producible, the covered entity is obligated to produce an electronic copy of any ePHI in at least one readable electronic format.
To be compliant with this rule, you can provide the electronic data on a flash drive or compact disk, send a secure email with the attached file, or provide secure web portal access to the patient’s medical record.
Note: If using the latter two methods, perform relevant risk analysis and update your HIPAA Security Policies to address potential PHI disclosure risk and methods of minimizing such risk.
Rules for Providing Entire Patient Records
Unless the patient requests a subset of his or her record, the practice must provide all PHI held by the practice (covered entity). Practices are not required to purchase specific software to accommodate requests for certain document formats, although the practice must be able to produce some form of readable electronic copy. If the electronic file contains links to images or other documents, those images or documents must also be provided.
If the entire record is part paper and part electronic, the practice is not required to convert paper records to electronic form (for example, scanning to portable document format (PDF) or other image format). The practice is, however, obligated to disclose the paper records, as well as ePHI. As a result, if it’s more cost effective to scan the paper records and provide a single electronic record containing all PHI, the practice may do so when the entire record is requested by the patient.
Patients Should Not Supply Storage Media
A covered entity is not required to use media provided by the individual for storage of the ePHI, because media provided by the patient may contain virus files or other files, creating security concerns for the practice. Because this is a real concern, the HIPAA Security Policy should address this circumstance and expressly prohibit use of patient-supplied media.
Know the Rules for Sending Unsecure Email
If the practice does not have secure email and the patient requests that his or her PHI be sent via email, the practice may send ePHI via unsecure email only after advising the individual of the risk of third-party viewing. The notice of risk must be sent separately before sending the unsecure PHI email. Obtain the patient’s express acknowledgment of the risk.
To avoid this circumstance altogether, look into secure email services that “plug in” to most email programs. Besides providing a secure method of submitting ePHI to patients, such a service also provides secure and encrypted communication between employees. It’s not uncommon for physicians to email PHI obtained at another site back to their office and vice versa. Because secure email is encrypted, no breach occurs even if the email is accidentally sent to the wrong person or is intercepted through the Internet.
Safeguard Third-party PHI Transactions
When requested by the patient, a practice must transmit the electronic copy of the patient’s PHI directly to the third person designated by that individual. From a security policy perspective, although the practice may rely on the individual’s request as authorization to send PHI to a third party, the practice must implement appropriate policies and procedures to verify the identity of the requesting individual and implement appropriate and reasonable safeguards to protect the information disclosed.
You Can Charge Reasonably for Copy Costs
If a patient requests paper or electronic copies of PHI, you can charge for the reasonable costs associated with producing the requested copies. The final rule clarifies that providers may now include reasonable labor costs for the technical time spent in creating or copying electronic or paper records.
Reasonable cost-based fees may also include the cost of supplies used such as electronic media or paper and postage for mailing. According to the final rule, however, fees may not include new technology costs, costs for maintaining PHI in electronic form, or a retrieval fee. Keep in mind when establishing fees that there is a state law preemption provision in HIPAA that disallows covered entities from charging fees in excess of the state statutory limits.
Respond More Quickly to PHI Requests
The final rule decreases the maximum time a covered entity has to respond to a request. A covered entity has 30 days to provide requested PHI and is permitted a one-time, 30-day extension. The practice must notify the requesting individual of the need for a 30-day extension, the reason for delay, and the expected date the records will be produced. There is no longer an exception allowing an additional 30 days to respond when records are stored offsite. These time guidelines apply regardless of whether records are stored in electronic or paper form.
Clarify Concerns by Reviewing the Final Rule
Study how these new clarifications impact the way in which PHI is used and disclosed. Be certain to revise present HIPAA privacy and security policies to meet the requirements of the final rule. Failure to do so could result in higher-tier sanctions following a breach on the basis that the covered entity’s policies and procedures were non-compliant.