HIPAA time: Covered entities can no longer put off compliance

Listen to this article

September has been a busy month for attorneys guiding doctors, hospitals, medical providers and those that do business with them.

September 23 marks the enforcement deadline for entities covered by the Health Insurance Portability and Accountability Act under the 563-page omnibus regulations issued by the Health and Human Services’ Office for Civil Rights.

The changes to the Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act, or HITECH, took effect March 26, but entities were given a six-month grace period to comply with the myriad new requirements.

In addition to expanding the definition of “business associate” under HIPAA, the new rules broaden patient rights, tweaks the standard for data breach notification requirements and affects the use of patient information for fundraising and marketing.

The numerous changes have had a “cascade effect” on providers and other covered entities, explained Roanoke attorney Heman A. Marshall III. “Any substantive modification to policies and procedures requires the retraining of staff on the changes, which requires some time.” In addition, changes to policy will likely necessitate updates to other documents or agreements.

“Covered entities have to be aware that they need to have these policies and procedures in place and in force,” Marshall said.

McLean attorney Alan S. Goldberg, chair of the Virginia Bar Association Health Law Section, expressed some concern for doctors and providers seeking to comply.

“Even though people seem to be taking compliance seriously and the government is doing an exemplary job of providing information and materials, the law is complicated,” he said. “I’m just concerned it’s a little too complicated and overwhelming,” particularly in the context of practicing medicine.

“While all the privacy and security sensitivities need to be maintained, people still have to deliver health care, save lives and prevent injuries,” he said.

Biggest changes, biggest challenges

Compliance presents numerous challenges because of the many areas covered by the law. Health law practitioners highlighted some of the biggest changes as well as some of the most challenging new requirements.

• Business associates of business associates

HIPAA historically applied to “covered entities” (health care providers and health plans, for example) as well as “business associates,” which are businesses that perform functions on behalf of covered entities that involve the disclosure of protected health information such as billing and phone services, and document or data storage companies.

The regulations now extend coverage to “downstream” business associates, which means that certain subcontractors of business associates are also covered.

Entities like a personal health record vendor that performs functions like transmitting personal health information are considered to be “business associates” and subject to direct liability – and the potential for agency enforcement action and penalties.

An entity may still be covered even if it doesn’t have a business associate agreement; the rule provides that any subcontractor that “creates, receives, maintains or transmits personal health information” on behalf of a business associate is a business associate.

While many companies rushed amended business associate agreements to meet today’s deadline, some companies may benefit from a grandfather provision for business associate agreements giving them more time for revisions, Marshall said.

If a business associate agreement was entered into and compliant with HIPAA as of Jan. 25, 2013 and the agreement was not renewed in the interim, the parties may rely upon that agreement for another year, until Sept. 23, 2014. However, if an agreement is renewed between this September and next September, then it must be brought into compliance with the new rule.

“That takes some of the pressure off of providers, particularly those that have multiple business associate agreements,” Marshall said.

• Breach notification  

Previously, a data breach was required to be reported to a patient if it posed a “significant risk of financial, reputational, or other harm to the individual.”

Under the new rule, if information is compromised, a data breach is presumed unless there is “a low probability” that protected health information was compromised.

Effectively, the updated standard requires businesses to treat nearly all data compromises as data breaches, mandating notification of individuals and/or state authorities depending on the size of the data breach.

Factors to consider when evaluating whether a breach must be reported include the nature and extent of information involved, the person to whom the data was disclosed, whether he or she actually viewed it and whether the risk has been mitigated.

“Everyone is somewhat confused about the new standard,” said Washington, D.C.-based Adam H. Greene, who formerly worked at OCR and now focuses his practice on HIPAA compliance. “To what extent is it a change or is it really the same old standard with specific factors to consider?”

Covered entities should err on the side of caution, he said, “with the presumption on breach reporting unless there is solid evidence that the incident did not rise to the level of a breach.”

• Patient rights

Patient rights were expanded under the new regulations. Patients now have the right to specify the form in which they want to receive a copy of their health records, including electronic copies.

The rule changed the default form of production from a hard copy to an electronic copy when the information is maintained electronically.

Patients may designate in writing to have their records sent to a third party and the rule established time limits on providing patients with their records. All paper and electronic personal health information must be given within 30 days of the patient’s request.

Patients also may now request that a health care provider not disclose information about services received to their health plan when they pay in full out of pocket for the service.

This change still has some covered entities nervous, Greene said, as they struggle to deal with the practicalities. “Systems are not really set up to accommodate these requests,” he said.

Will providers need to create a second, separate file for the same individual to ensure that personal health information isn’t shared with a plan? If the patient requires subsequent related services, are those also segregated from the health plan? And what about situations where the provider has contracted with the plan and promised not to bill the patient for any costs?

While it is unclear how many patients may actually cover their own costs, certain areas of medical treatment are more likely to experience such requests, like mental health providers or substance abuse centers.

• Marketing and fundraising

“One area a lot of entities are running into issues is the sale of PHI,” or personal health information, Greene noted. “It can creep into things where you least expect it.”

PHI includes information about an individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or payment information relating to medical services in combination with common identifiers like name, address, birth date and Social Security number.

The regulations prohibit remuneration in exchange for protected health information, Greene explained – and remuneration is not limited to financial payments.

If a software company offers a provider a free app, the provider “needs to be sensitive as to why they are getting this service,” Greene said. “It could be for any number of reasons but if it is to get access to PHI for things like data mining, that creates an issue.” Even the cost of postage paid by a third party would trigger concerns.

Providers received good news on the fundraising front as they may now use more types of patient information to focus their requests.

“Fundraising efforts can now be better targeted using department of service, outcome information or health insurance status,” Greene said. The Medicaid population is not likely to be the best source of raising money, for example.

One other fundraising change: all communications must now include an opt-out notice.

Penalties and fines

Both enforcement efforts by HHS and the amount of fines and settlement have increased, providing incentive for compliance.
Civil and criminal penalties may be levied on covered entities and business associates. Civil penalties can range from $100 for an unknowing violation up to $50,000 for willful neglect resulting in a transgression.

While HHS launched an audit program last year, just over 100 audits were completed, leaving the odds of being investigated low.

“The main way we are seeing HIPAA issues come up is still through the HIPAA hotline where a patient or another party complains,” Marshall said. A large number of the settlements and fines announced by the agency also involve the required self-reporting for a data breach.

What that means for clients and covered entities: “Focus on any and all steps to avoid the technical breach of unsecured health information,” Marshall advised, like using safe harbor encryption methods, to stay off the agency’s radar.

Most importantly, do something, Goldberg said. Have policies and procedures in place and follow them.

“My perception of what the government wants besides compliance is for covered entities to do something, continue to do something and enhance what you are doing as you find more areas that need to be addressed.”