HIPAA Compliance Reminder
Covered entities must comply by September 23, 2013
September 20, 2013 08:51 AM
September 23, 2013 is the deadline to comply with new Health Insurance Portability and Accountability Act (HIPAA) provisions published in a final rule earlier this year. The new rule extensively modifies the privacy, security, and enforcement provisions of the law. The rule strengthens and expands the privacy and security protection for individuals’ health information; modifies breach notification; and expands requirements to business associates of covered entities that receive protected health information, such as contractors and subcontractors. The final rule went into effect March 26 but gave covered entities and business associates 180 days to comply with its new regulations.
The final rule stipulates that an individual must receive a notice of privacy practices that now includes a statement of allowed uses and of those disclosures that require an authorization. It must also include notification that other uses and disclosures not described in the notice will be made only with the individual’s written consent. Finally, it must allow for the individual to revoke any prior authorizations. Separate statements are required if the entity plans to engage in fundraising and certain health plan activities. Separate statements to notify of a breach will also be required. If patients are paying out of pocket for items and services, they can instruct their provider not to share their health information with their health plan. The Office for Civil Rights (OCR) has published a model Privacy Notice that covered entities can customize for their organizations. Click here
The Final Rule did not change the regulation at §164.520(c)(2)(i) for when health care providers must deliver notices with material changes. Therefore, agencies will need to deliver the notice to all patients on service during the first visit that occurs after the effective date for the changes. Providers should also post the revised Privacy Notice on their web site.
Business associates are now directly liable for compliance with the HIPAA Privacy and Security Rules and are subject to enforcement. Business associate contract requirements are expanded to require covered entities to take reasonable steps to cure any breach by a business associate. In addition, business associates must do the same with any subcontractor breach. Business associate contracts must also include permitted and required uses and disclosures.
Additional business associate contract requirements include: reporting of information to the Secretary, making available accounting of disclosures, destruction of all protected health information upon contract termination, and termination of business associate contracts in the case of violation of terms of the contract. The OCR has published a sample business associate agreement on their web site. Click here
Business associates and business associate subcontractors are permitted to operate under existing contracts for up to one year beyond the compliance date of the final rule unless the entity renews or modifies its contract in the interim. Covered entities and business associates will have until September 23, 2014 to renew or modify their existing contracts to meet the new requirements.
The final rule also made some changes to the breach notification requirements that took effect in 2009. Up until 2013, an impermissible use or disclosure was not considered a breach unless it posed a significant risk of financial, reputational, or other harm to the individual. The significant risk standard has been removed. Now an impermissible acquisition, access, use, or disclosure of unsecured protected health information is presumed to be a breach unless the entity can demonstrate that there is a low probability that the PHI has been compromised or an exception applies. The exceptions are:
- Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
- Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
- A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Agencies are encouraged to continually educate staff about the threat of theft, especially of laptops and papers in vehicles, and to verify that staff are taking all necessary precautions to keep these items safe.
Three NAHC Report articles published earlier this year examine the final rule in greater detail; they can be found here, here, and here.