Just when you and your staff are finally getting comfortable with compliance with HIPAA and the Security Standards in your offices, the government has adopted new rules which will require you to make changes to your plans with the first changes to go into effect in September, 2009.
The Stimulus Bill enacted by Congress contains a section known as the Health Information Technology for Economic and Clinical Health Act (“HITECH”) which includes some funds (actually credits) for use for electronic medical records and conversion of some technologies. However, as a part of the change, the government imposed additional restrictions and regulations under HIPAA which apply to all healthcare providers and other HIPAA covered entities whether or not they received any funds for the electronic medical records. The changes do apply to all healthcare providers, including private medical practices, clinics, hospitals or any other healthcare provider that would otherwise be covered under the former version of the HIPAA regulations. These changes will require all healthcare providers to update and change their HIPAA compliance plan, probably require a change to your Notice of Privacy Practices (“NPP”) and will require updated training for professionals and their staff.
Unauthorized Disclosure Reports
Under HIPAA as originally enacted, if an unauthorized disclosure of Protected Health Information (“PHI”) occurred, it was up to the healthcare provider to determine what, if any, steps needed to be taken to address the unauthorized disclosure or to protect the patient’s information. Other than government-imposed sanctions, the matter was left up to the individual providers. A number of states, including California, had adopted state regulations which imposed upon the healthcare provider certain affirmative actions in the event of an unauthorized disclosure. The so-called “California Rule” has been substantially adopted in HITECH and now applies to all US healthcare providers and healthcare plans, effective September 19, 2009. The new rules provide that if an unauthorized disclosure of PHI, or an unauthorized access to protected health information, has occurred, then the healthcare provider is required to notify the patient in writing that information has been improperly accessed or disclosed. In addition, a notice of the unauthorized access or disclosure must be sent to the Department of Health and Human Services (“HHS”). If the disclosure involves more than 500 patients, the provider is required to publish the disclosure event in “prominent media outlets.” In general, this would be a situation such as the theft of a laptop computer containing information, or something more extreme, and it would be a general notice, not a notice listing the names of the individual patients.
There is an exemption from these notice requirements if the provider adopts encryption technology. In subsequent guidance, HHS has stated that technology which is accredited by the American National Standards Institute (“ANSI”) is deemed to be indecipherable except by authorized individuals, and any unsanctioned access to the information would not trigger these mandatory disclosures. This exemption, however, does not excuse a violation where an employee of a healthcare provider, without authority, looks at the medical records of a patient. For example, there have been numerous reports of persons employed by hospitals who, without authorization, reviewed the medical records of celebrities in the hospital; such improper access to information would still trigger the duty to disclose it and provide the notice to HHS.
HIPAA now applies equally to all business associates of healthcare providers and healthcare plans. Currently, healthcare providers are required to have a business associate agreement in place before the practice releases any information to outside firms such as billing companies, auditors or the like. While the contract requires the business associate to maintain the confidentiality of the information, the former rules did not require the business associate to actually have a HIPAA plan in place. Under the new rules, all business associates are required to fully comply with HIPAA, including the Security Standards, and it is the obligation of the healthcare provider to verify the business associate’s compliance before the release of information. By virtue of these changes, healthcare providers need to have discussions with outside billing, transcription or other third-party services and require them to verify that they have HIPAA plans in place and that they follow reasonable procedures to comply with those plans. Healthcare providers should also review all of their current business associate agreements and update those agreements to include these changes.
The new rules further impose expanded restrictions against using PHI for marketing purposes and, in essence, prohibit providers from “opting out” of the marketing restriction by including waivers in their NPPs. In addition, HIPAA is now expanded to apply to vendors of personal health records. These would be companies that develop healthcare smart cards or other types of technology which aggregate health information, and the rules now apply to those vendors under both the privacy and the security standard regulations.
A number of other changes are included within HITECH that have various effective dates in the next year or two. Starting in February, 2010, if the provider maintains medical records in an electronic form, then the practice must make records available to patients upon request in an electronic form rather than converting the data to paper and delivering the paper copies. Another change is that a patient can insist that the provider not disclose to third parties services performed for the patient when the patient pays cash for those services. In some circumstances, a patient would rather pay directly for the service rather than submit it to their healthcare plan for compensation for a variety of reasons. Under the changed rules, the provider is required to honor that request and appropriately segregate records to prevent an inadvertent disclosure.
Currently, providers are only required to track disclosures of healthcare information which are released under an authorization from the patient; they are not required to track or keep an accounting of disclosures to insurance companies or other providers made as part of the ongoing treatment or payment for that treatment. Starting in January, 2011, all providers are required to track all disclosures of health information for any purpose and to provide an accounting of all electronic disclosures to patients upon request.
Changes to the Notice of Privacy Practices
Because of the changes in the requirements, it is likely that most NPPs currently used by providers will have to be changed to reflect the changes in the rules. Regrettably, if the practice changes the NPP, the practice is required to re-notify all patients of the changes in the NPP and will go through the same process of giving notice to all patients, not just new patients to the practice, that it went through when HIPAA first came into effect. Those NPP changes need to be in effect and redistributed starting in February, 2010.
In addition to the changes to the rules, the government has substantially increased the penalties for violations of HIPAA. The rules now have different levels of sanction based upon a determination by the government of whether it was an innocent mistake or whether the practice simply failed to take steps to comply with HIPAA, increasing the penalties from $100.00 up to $50,000 per incident. In the past, all enforcement action was handled by the federal Office of Civil Rights. Effective immediately, the statute authorizes the individual state attorney general offices to also have jurisdiction to pursue enforcement actions for violations of HIPAA. Under the state authority, however, the individual provider is given thirty days to take steps to correct the violation before enforcement actions can be initiated. If enforcement does proceed, the state is entitled to recover the same level of penalties as could be collected by the federal government, but in addition, the state has the authority to recover attorneys’ fees. We anticipate that many states will appoint “special attorney generals” to pursue enforcement actions and expect a dramatic increase in state enforcement of these rules.
In addition, starting in February, 2012, individual patients who file complaints involving HIPAA violations will be able to share in any recovery received by a state or federal government if those agencies pursue and collect because of a HIPAA violation.
Based upon these changes, healthcare providers should begin to review their current HIPAA plan documents and revise those documents to meet the current rules and to provide flexibility to incorporate additional changes that are being released in the next year. In addition to changing plans, healthcare providers should review and revise their NPP so that the new forms will be in effect by February of next year, and will also need to review and modify their business associate agreements to include the changes, which likewise have an effective date of February, 2010. Because of the complexity of these changes and the increased penalties for non-compliance, we strongly recommend that healthcare providers work with experienced healthcare attorneys to make sure their plans meet the stringent new rules.
Article by Scott P. Sandrock taken from the Stark County Medical Society Newsletter – Summer 2009