September is compliance deadline
By Michelle Browning Coughlin, Alan J. Dansker and Daniel E. Fisher
Bingham Greenebaum Doll
Benjamin Franklin is credited with saying, “An ounce of prevention is worth a pound of cure.” If you do business with healthcare providers, what can you do to prevent compliance issues with the expanded Health Insurance Portability and Accountability Act (HIPAA) requirements?
The Office for Civil Rights (OCR) of the Department of Health and Human Services issued the final rule on Jan. 25 amending the HIPAA privacy, security, enforcement and breach notification requirements. The final rule signals the largest expansion of the HIPAA privacy, security, enforcement and breach notification efforts in at least a decade. Any entity that works with a healthcare provider or a business associate of a healthcare provider must determine whether these changes will also affect their business relationships.
The final rule notes that compliance with these requirements should be in place by September 2013, and that noncompliance may results in civil or even criminal penalties. The time for “prevention” is now.
HIPAA’s expanded reach to business associates
Any business working with healthcare providers, ranging from law firms, to accountants, to data processing businesses, to electronic health record providers, is now directly responsible under HIPAA for the implementation of privacy and security measures to protect personal health information. Businesses working with healthcare providers are known as business associates. In a snowball effect, each of these business associates must then require any of its subcontractors to also comply with the applicable required privacy and security rules.
[pullquote_left]Covered entities include: traditional healthcare providers and health plans; healthcare clearinghouses, such as billing services companies, repricing companies, community health management information systems companies and any value-added networks performing clearinghouse functions.[/pullquote_left]
This large expansion of the application of the HIPAA regulations beyond the healthcare industry is likely to be viewed as the most challenging for compliance.
Breach notification risk assessment requirements have changed
The final rule also changes the risk analysis requirements for determining when a breach has occurred. Previously, a risk of harm threshold was considered in determining whether a breach had occurred. The OCR’s changes in the final rule create almost a presumption of a “breach,” which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.
In addition to the changes already noted, the final rule made various changes to the research authorization, marketing, fundraising and sale of personal health information requirements.
Are you a covered entity? Update your notice of privacy practices
In addition to traditional healthcare providers and health plans, covered entities may also include healthcare clearinghouses, such as billing services companies, repricing companies, community health management information systems companies and any value-added networks performing clearinghouse functions. Covered entities are required under the HIPAA regulations to review, revise, and redistribute their Notice of Privacy Practices (NPP). The NPP must reflect certain situations where authorizations to use or disclose personal health information are needed, particularly in the case of psychotherapy notes, as well as marketing and sales of personal health information.
The NPP must also include a notice regarding a patient’s right to opt-out of certain fundraising and a right to prevent certain information from being shared with the patient’s health plan when the patient pays out of pocket. Finally, the NPP must inform patients of the covered entity’s breach notification requirements. Once the NPP has been updated to include this information, a covered entity must then redistribute its NPP and post the revised NPP on its website.
Increased enforcement and penalties
The final rule notes that compliance with these requirements, including revised business associate agreements, should be in place by September 2013. Business associates and covered entities in violation of the regulations could be subject to the statutorily-mandated increases in the civil monetary penalties authorized under the rules. Covered entities and their business associates must take action to make sure they are in compliance with the HIPAA regulations. The past two years have shown evidence of the OCR’s intent to increase auditing and enforcement efforts, not just for large health care entities, but soon, for small covered entities, business associates and their subcontractors.
Thus, we return to the wise words of Benjamin Franklin: “You may delay, but time will not, and lost time is never found again.” Compliance with OCR’s new mandates will take concerted effort across organizations, and with the compliance period so brief, time is of the essence.
Michelle Browning Coughlin, Alan J. Dansker, and Daniel E. Fisher are attorneys with Bingham Greenebaum Doll LLP. Get more business tips on BGD’s blog, www.bgdlegal.com/blog/.