Health Information Compliance Alert

Enforcement News:

Word On The Street: Get Ready For The 2014 Random HIPAA Audit Program

Plus: HHS issues new final rule that broadens patients’ access to lab test reports.

Get ready: The U.S. Department of Health and Human Services (HHS) is busy making preparations for 2014 compliance activities — and all signs point to an imminent return of random HIPAA audits.

In the Feb. 24 Federal Register, HHS announced that it will conduct a HIPAA Covered Entity and Business Associate Pre-Audit Survey. The survey will include up to 1,200 covered entities (CEs) and business associates (BAs), with an aim to determine their suitability for the HHS Office for Civil Rights (OCR) HIPAA Audit Program.

The survey will gather information about CEs and BAs so that OCR can assess the respondents’ size, complexity, and fitness for an audit, HHS states. The survey will collect the recent number of patient visits or insured lives, use of electronic health information, revenue, business locations, and much more.

You can view the Federal Register posting at https://www.federalregister.gov/articles/2014/02/24/2014-03830/agency-information-collection-activities-proposed-collection-public-comment-request. The proposed information collection request is currently open for comments, with the comment period ending on April 25. 

Significance: “This means that the 2014 HIPAA random audit program is now ramping up, with the first wave of contracts going out once the comment period is over,” warns Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, VT. “The time to get ready is NOW.”

Check Out New Model NPP In Spanish

If you have Spanish-speaking patients, you’ll be delighted to know that you now have a model Notice of Privacy Practices (NPP) available for them.

On Feb. 19, the HHS Office for Civil Rights (OCR) issued a Spanish version of the model NPP, available in separate versions for both health plans and healthcare providers. Like the English-language version, the Spanish model NPP comes in several forms: a booklet; a layered notice that presents a summary on the first page, followed by the full content; a full-page version; and a text-only version.

Link: To access the model NPPs in both English and Spanish, go to www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.

In a related announcement, OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) are launching the Digital Privacy Notice Challenge, which calls for designers, developers, and patient privacy experts to create and submit the best model online NPP. The contest’s first-place winner will receive $15,000.

In May 2014, a review panel will evaluate entries for the following:

  • Accurate use of content from paper NPPs;
  • Use of best practices in presenting Web content for public consumption;
  • Visual appeal; and
  • Capacity for entity to customize content and link to other relevant content.

Entries are due by April 7. For more information on the Digital Privacy Notice Challenge, visit http://onchealthitchallenges.ideascale.com. 

Security Breach? Now You Must Worry About FTC Actions, Too

If you have a HIPAA security breach, you know you could face the wrath of the HHS Office for Civil Rights (OCR). But did you know that you could also face enforcement actions by the Federal Trade Commission (FTC)?

So says a recent court case decision involving the Atlanta-based medical laboratory LabMD, Inc. On Aug. 29, 2013, the FTC filed an administrative complaint against LabMD for two separate breaches affecting more than 10,000 consumers’ information. The FTC charged that the company failed to “reasonably protect the security of consumers’ personal data” and medical information. Specifically, the FTC’s enforcement action against LabMD was for allegedly “unfair and deceptive acts” under Section 5 of the FTC Act.

In a motion to dismiss the complaint, “LabMD argued that because it was regulated by HIPAA, the FTC lacked authority to enforce privacy and security violations” that were within HHS’s jurisdiction, wrote attorneys Linn Foster Freedman and Kathryn M. Sylvia in a recent Nixon Peabody LLP analysis. But on Jan. 16, 2014, the FTC voted unanimously to reject LabMD’s arguments.

The FTC’s refusal to dismiss the enforcement action “confirms that HIPAA regulated businesses will now also have to worry about compliance with FTC regulations and enforcement actions for security breaches,” warned Freedman and Sylvia.

This also means that, “whether or not a privacy or security problem is noted by HHS, the FTC could become involved if there have been deceptive trade practices (e.g., promising security and then not providing it),” explains Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, VT.

Comply With Broadened Lab-Test Access Rules

Now patients have more rights than ever before under HIPAA to get copies of their protected health information (PHI) — and laboratories are no longer exempt from the rules.

A new final rule has eliminated the HIPAA exemption for laboratories in providing patients access to their lab reports, so that patients or their designated personal representative can gain direct access to the patient’s completed laboratory test reports. The U.S. Department of Health and Human Services (HHS) published the final rule in the Feb. 3 Federal Register. 

The final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and eliminates the exception under the HIPAA Privacy Rule to an individual’s right to access his PHI when it’s held by a CLIA-certified or CLIA-exempt laboratory, according to HHS. 

“While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy,” HHS states. Now patients, patients’ designees, and patients’ personal representatives can obtain a copy of the patient’s PHI, including an electronic copy, with limited exceptions.

The rule is effective on April 7, with a compliance deadline of Oct. 6. To read the entire final rule, visit www.federalregister.gov/articles/2014/02/06/2014-02280/clia-program-and-hipaa-privacy-rule-patients-access-to-test-reports.