HIPAA – It's Time to Get Serious
In January 2013, the federal Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), issued the final omnibus amendments to HIPAA (the “2013 Amendments”) required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The 2013 Amendments became effective on March 26, 2013, with full compliance required as of September 23, 2013. You cannot start to assess too soon – significant penalties await the non-compliant.
Let’s start with the definition of a “business associate,” which has been expanded to include essentially all business associates, their subcontractors, those subcontractors’ subcontractors, and so on, as long as protected health information or electronic protected health information (“PHI”) is being maintained on behalf of a covered entity or one of its business associates. A covered entity must obtain written contracts or other satisfactory assurances from each business associate, and each business associate must in turn do the same with each of its own PHI-handling business associates and subcontractors, and so on as far as the PHI reaches. Additionally, the Security Rule update now requires business associates to comply as if they were covered entities: business associates must comply with all of the Security Rule’s applicable safeguards (administrative, physical and technical), must enter into agreements requiring their own business associates to comply with the Security Rule (again, as far as the PHI reaches), and must notify the entity of any security incident or breach under the breach notification rules, no matter how far down the chain of business associates or subcontractors the incident occurs.
Also affecting employers is the new requirement for a covered entity to provide a copy of PHI to a requesting individual in electronic format within 30 days, with a one-time extension of 30 days, replacing the 90 days currently permitted. The same change also allows an individual to direct a covered entity to provide an electronic copy of their PHI to a specific third party. Fees for such services must now not only be reasonable but also cost-based.
The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits discrimination based on an individual’s genetic information and forced the OCR to include “genetic information” in the definition of health information within HIPAA (with an exception for long-term care underwriting). It is important to note that GINA or the inclusion of genetic information within HIPAA would not preclude a health plan from using this type of information to adjust premiums or establish eligibility.
A breach is everyone’s biggest concern – and now it is even bigger. The earlier 2009 rules used the “harm” standard: an impermissible use or disclosure of PHI was only a breach if it posed a “significant risk of financial, reputational, or other harm to the individual.” The 2013 Amendments modify the breach definition in two major ways. First, there is now a presumption that an impermissible use or disclosure of PHI is, in fact, a breach, and therefore notification must take place. Second, rather than applying the harm standard, a covered entity, health plan or business associate must demonstrate that there is a “low probability that the protected health information has been compromised.” To sufficiently demonstrate “low probability,” a risk assessment using at least the following factors should be performed:
- The nature and extent of the PHI, including the types of identifiers and the likelihood the information can be used to re-identify;
- Whether the PHI was actually acquired or viewed;
- To whom the disclosure was made, whether that recipient was in fact unauthorized, and how they may have used the PHI; and
- The extent to which mitigating steps have been taken to minimize the risk to the PHI.
If it is determined that there is a probability that PHI has been compromised, the breach and notification procedures of the 2013 Amendments must be followed.
The penalties for a breach, or for failure to properly assess, report or notify a breach, follow a tiered structure ranging from $100 to $50,000 per violation, depending on culpability, with a $1.5 million cap per calendar year for multiple infractions of the same violation. The 2013 Amendments also provide for criminal penalties of up to 10 years imprisonment. Willful neglect is at the top of the list, and even where there is merely a possibility of a violation due to willful neglect, HHS can impose civil monetary penalties.
The big take-away is that covered entities, health plans, business associates and subcontractors must review the 2013 Amendments in depth, assess how those changes affect their organization, and make the necessary adjustments. It is highly unlikely that no adjustments will be needed in light of the 2013 Amendments. This process should not be taken lightly. Investigate any applicable state laws or enhancements, and make sure the process is overseen by a committee consisting of internal and external participants. This helps ensure that all facets are thoroughly reviewed and addressed, and that collusion cannot be suspected.
There were also changes to the HIPAA Rules relating to marketing, sales and fundraising using PHI that are not discussed in this article. This article is meant to provide a basic introduction to the 2013 Amendments to HIPAA for MEA Members and should not be relied upon as complete, comprehensive or as legal advice. If you have follow-up questions you are, as always, encouraged to call the Hotline at 800.662.6238.