HIPAA Final Rule
Help Your Clients Learn Some of the NuancesAn article by Connie Ditto, Esq., taken from the May/June issue of HBMA Billing.
On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its Final Rule of modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the Health Information Technology for Economic and Clinical Health Act (HITECH) and Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA).
The stated purpose of the Final Rule is to both "strengthen the privacy and security protections" established under HIPAA and to "increase flexibility for and decrease burden on the regulated entities." The Final Rule amendments can be found in 45 Code Federal Regulations Parts 160 and 164. The amendments became effective on March 26, 2013 and will be enforced by the OCR beginning September 23, 2013.
The Final Rule implements most of the revisions to the Privacy and Security Rule of HIPAA that were proposed in the interim final rules published in 2009. It is expansive and this article will address just a few of the amendments affecting health care providers.
Business Associates Direct Liability
Prior to the Final Rule, providers were required to enter into business associate agreements with contractors to whom they divulged protected health information (PHI). Although a business associate agreement is still required, the Final Rule makes business associates directly liable for violations of certain HIPAA provisions. The proposed rule's discussion of "downstream contractors" and "vicarious liability" had many providers fearful that they would be liable for a business associate's (or that business associate's business associate) failure to comply with HIPAA. The Final Rule clarified that providers do not need to enter into business associate agreements with the contractors of its business associates. Each business associate itself is responsible for ensuring its contractors protect patient privacy when entering into the applicable business associate agreement. For example, a physician's office that contracts with a medical billing company should have a business associate agreement with the billing company, but does not need to have a business associate agreement with the collection agency the billing company has hired. Instead, the billing company is responsible for entering into a business associate agreement with that collection agency.
Keep in mind, however, the Final Rule maintained the agency's ability to assess liability against an agent under the legal theory of vicarious liability as it is interpreted under the federal common law of agency. This essentially means that if a provider controls the business associate, it may be held responsible for the business associate's failure to comply.
Increased Penalties for Non-Compliance
The penalties for non-compliance remain as they were proposed in 2009. There are four levels of civil monetary penalties, ranging from $100 to $1,500,000. The amount of the civil monetary penalty assessed will depend upon the culpability of the entity or individual that violated HIPAA. In general, violations that occur under circumstances in which the individual or entity did not know (or would not have known exercising reasonable diligence) result in lower penalties than those in which the entity or individual "willfully neglected" to comply. The entity or individual's response to the identified violation is also a factor, and increased penalties may result if corrective action is not taken within 30 days. The Final Rule reaffirmed HHS's commitment to investigating alleged violations and clarified that the OCR is required to investigate violations of HIPAA that are suspected to have been caused by willful neglect (it no longer retains the discretion to determine if it wishes to conduct an investigation). The Final Rule also indicated that the OCR will generally conduct a "compliance review" in response to a complaint, whether it stems from a media report, the State, or other means.
Importantly, the Final Rule made clear that the Secretary of HHS has discretion to directly assess civil monetary penalties without first exhausting informal resolution procedures. On the other hand, the Secretary also has discretion to settle issues and cases, and to compromise on the amount of penalties imposed. In exercising this discretion, the Secretary may consider all relevant factors, including, but not limited to, the culpability of the violator, the entity or individual's history of compliance, and the financial condition of the provider (which may increase or decrease the amount of penalties). The extent to which the Secretary is willing to compromise remains to be seen. However, it is important for providers to be ready for a review of its HIPAA policies, procedures, and practices at all times.
Relaxed Rule for Decedents
The Final Rule eased the burden on providers regarding the provision of a decedent's PHI to others. Specifically, it clarified that providers may disclose PHI to "family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known..."1 So long as the provider has "reasonable assurances" that the individual was involved in the decedent's care or payment for same, the provider is not required to investigate whether the person who seeks PHI is the "personal representative." HHS declined to place the burden of proof upon the individual seeking the information, but also noted that providers who are not comfortable disclosing PHI to an individual due to questions about the individual's relationship to the decedent are not required to do so.
Immunization Records Release Relaxed
Requirements to release immunization results to schools were also relaxed. While it remains necessary for providers to document the permission of a parent or guardian to release immunization records to a school, written permission is not required. Instead, the parent or guardian's verbal permission will suffice. Providers are encouraged to document verbal permission in the child's medical record.
Notice of Privacy Practices
Providers should be cognizant of both the requirements for revising their Notice of Privacy Practice (NPP) and the manner in which the revised document should be provided to patients. Among other revisions, the NPP now needs to include a statement advising the patient that he or she has a right to be notified of a breach of unsecured PHI. HHS opined that such a statement is meant to "provide helpful context for individuals should they later receive and breach notification," and will not "cause individuals unnecessary concern" or create unfounded fear that providers are not appropriately safeguarding PHI.
Further, although providers are not required to re-issue hard copies of their revised NPP to all patients, providers "must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site or individuals to request to take with them." Alternatively, providers are permitted to post a summary of the NPP "so long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. It would not be appropriate, however, to require the individual to have to ask the receptionist for a copy of the full NPP."
Restrictions on Uses and Disclosures
The Final Rule clarifies a provider's duty when a patient requests a restriction on the use and disclosure of his or her PHI as required by HITECH. The regulations implementing HIPAA previously provided that providers were not required to agree to a patient's request for a restriction. The Final Rule implements Section 13405(a) of the HITECH Act by providing an exception in which providers are required to agree to such a restriction under certain circumstances. Namely, the provider must agree to the restriction if:
- the disclosure is for payment or health care operations;
- such disclosure is not otherwise required by law; and
- the PHI pertains only to a health care item or service for which the patient (or someone or an entity other than a health plan on behalf of the patient) has paid the provider for in full.
Interestingly, the Final Rule acknowledged that providers have a duty, under the mandatory claim submission provisions of Section 1848(g)(4) of the Social Security Act, to submit certain claims to Medicare. The drafters, however, noted that a Medicare beneficiary has the right to refuse to allow the provider to submit the bill to Medicare, and "[i]n such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out of pocket payment for the service from the beneficiary. However, [t]he limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare."
Additionally, the quandary of a provider required to unbundle certain services was also addressed. Providers who are not able to unbundle services without divulging the restricted information are encouraged to advise their patients of the inability to comply with the restriction and allow the patient to pay for the particular service out of pocket.
Further, the Final Rule clarified that providers are not required to create entire separate medical records regarding the information restricted, but do "need to employ some method to flag or make a notation in the record" in order to avoid inadvertent disclosures of the information.
Notification of Breach
Most of the focus on the interim final rule surrounded the requirement to notify an individual if his or her PHI had been breached following the provider's assessment that the breach would likely cause harm to the individual. The Final Rule changed the definition of breach and essentially eliminated the "harm threshold" provision. It now sets forth a presumption that harm has occurred that can be overcome by the provider demonstrating that there is a "low probability" the PHI was disclosed. Therefore, providers will need to revamp their HIPAA Compliance Plans to reflect the new risk assessment that now must be undertaken prior to determining whether a "breach" requires notification to the patient, the media, or the Secretary of HHS.
Ms. Ditto is an attorney specializing in healthcare and medical malpractice defense, practicing at the firm of Fee Smith Sharp & Vitullo. She is licensed in Georgia, Tennessee, and Texas. Prior to her career as an attorney, she was a registered nurse. She may be reached at firstname.lastname@example.org.
- The Final Rule was published in pages 5566-5702 of Volume 78 No. 17 of the Federal Register on January 25, 2013, and may be accessed at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/FR-2013-01-25.pdf.
- For simplicity's sake, the new requirements will be referred to as amendments to HIPAA, and information provided in the HHS's guidance.
- This article is not an exhaustive summary of the Final Rule nor is it intended to substitute for legal advice. Providers are encouraged to seek legal counsel regarding compliance with any applicable law, including HIPAA.