Health Care: A Glimpse at Some Changes Required By HITECH and Omnibus HIPAA Final Rule (1/13)
Key Dates:
- Published in Federal Register on January 25, 2013
- Becomes effective on March 26, 2013
- Compliance will be required by September 23, 2013
After more than 3 years of deliberations, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services finalized four major pending rules regarding HIPAA privacy, security, breach notifications and penalties for violations. This will be the first of a multi-part series to guide health care providers and business associates on implementation by OCR of the “Omnibus HIPAA Rulemaking”. Significantly, with just a few minor exceptions, full compliance will be necessary by September 23, 2013. As will be discussed in future guidance from Bond’s Health and LTC Practice Groups, these new rules will require a significant level of due diligence and changes to your organization’s policies and procedures.
Health care providers and BAs have already developed compliance protocols after OCR issued its initial “Interim Final Rule” (IFR) on August 24, 2009 (implementing the Health Information Technology for Economic and Clinical Health Act – or HITECH). The HITECH Act significantly increased privacy protections for patients by making Business Associates directly liable for certain violations of the HIPAA privacy and security rules. Finally, the Omnibus HIPAA Rulemaking implements the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule.
Our second guidance on implementing these rules will focus on review of Business Associate addenda and subcontractors of BAs. As noted below, the new rules now mandate that certain subcontractors of your BAs be held to much higher standards of privacy and security. This will be one of the most significant aspects of compliance under the new Omnibus rules. The new rule gives covered entities and business associates up to one year after the 180-day compliance date (up to September 23, 2014) to modify contracts to comply with the rule.
Other aspects of the rule, such as the ability of patients to authorize the use of their health information for research purposes, new restrictions on marketing and sale of health data along with easing the ability of parents and others to give permission to share proof of a child’s immunization with a school will be the subject of focused guidance during the next several months.
In developing a to-do list, it is helpful to start with internal changes that must be made based on the new Omnibus rule. These break down as follows:
- Modification of HIPAA Privacy Notice.
- Changes to the organization’s Business Associate Addendum with existing vendors and agents.
- Modifications of policies and procedures regarding work force training and implementation of the changes required by the rule.
- Modifications of breach notification policies, security protocols and continued risk assessments.
Within each broad item noted above, there will need to be a work plan with specific tasks to be undertaken and lines of authority. This Bond-Health & LTC Guidance will focus on item 1, modifications to your Notice of Privacy Practices (NPP). The following table provides an example of the assessment required for review of the NPP as well as some internal procedures which will need to be revised. The information in quotes comes directly from the Omnibus rule and may be used as a guide for further internal compliance work plans:
| Focus Area | Change Required to NPP | Internal |
|---|---|---|
| Marketing | “The final rule requires authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed.” “Other communications for such purposes that do not involve financial remuneration are adequately captured in a covered entity’s description in its notice of privacy practices of treatment and health care operations.” | Existing prohibitions on marketing must be reviewed and a risk assessment conducted to determine if any treatment and health care communications are being subsidized by third parties. See explanations below. |
| Fundraising | “We adopt in the final rule the provision prohibiting the conditioning of treatment or payment on an individual’s choice with respect to the receipt of fundraising communications. We also adopt at §164.520(b)(1)(iii)(A) the requirement that the notice of privacy practices inform individuals that a covered entity may contact them to raise funds for the covered entity and an individual has a right to opt out of receiving such communications. The final rule does not require covered entities to send pre-solicitation opt outs to individuals prior to the first fundraising communication.” | Existing policies and practices must be modified to include an opt-out provision for fundraising. Special procedures must be developed where an individual or family member wishes to opt out after receipt of the original NPP. Conduct compliance assessment and training. |
| Notice of what requires an Authorization | “First, the final rule adopts the modification to §164.520(b)(1)(ii)(E), which requires certain statements in the NPP regarding uses and disclosures that require authorization…. the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization, as well as a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual.” | Revisions to be made to NPP. |
| Notice of right to restrict private pay health data and rights regarding HITECH Breach notifications | “The final rule also adopts the proposal that the NPP inform individuals of their new right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the health care item or service. *** The final rule also requires covered entities to include in their NPP a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. We believe that individuals should be informed of their right to receive and the obligations of covered entities to provide notification following a breach.” | Revisions to be made to NPP. Coordinate with internal policies on breach notification and restriction for privately paid health care services. |
Many of the new standards will require both modifications of your NPP as well as changes in the way your organization conducts business. There are many nuances in the Omnibus rule which impact prior practices. This Guidance is not meant to be all inclusive with regard to assuring comprehensive compliance and it is important that organizations compare their existing NPPs, policies and practices to the new standards as outlined by OCR.
Future Bond-Health & LTC Guidance on the Omnibus rule will include a glimpse at the significantly enhanced mandates for Business Associates and their subcontractors, along with changes in the way in which “breaches” of privacy and security will be assessed. These will include:
Part II: Who are your Business Associates and who are their subcontractors? – Why it is imperative that providers conduct due diligence:
New definitions in the HIPAA rule have been added at section 160.103(3) which state that a Business associate includes:
“(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”
This aspect of the Omnibus rules may be the most controversial since it expands liability to subcontractors of business associates but does not require that Covered Entities have a BA Addendum with such subcontractors. Our future guidance will address the type of due diligence which would be appropriate under this admittedly strange rule making given the penalties involving breaches of health information.
Part III: Breach Notification – Turning the Prior Rule on its Head:
The new standard in this area significantly changes prior assessments of whether incidents involving impermissible uses of health information amount to reportable “breaches”.
Author’s Note: Raul A. Tabora, Jr., prepared the above analysis after being one of the first speakers to discuss the Omnibus Rule at the annual meeting of the New York State Bar Association’s Health Section held in Manhattan on January 23, 2013. Raul co-presented with Steven Smith, Director of Operations of NYSDOH Office of Health Information Technology Transformation.
Contact: The following Bond attorneys are available to discuss and further assess compliance with the Omnibus rule as part of our Health & LTC Practice Team:
- Albany: (518) 533-3000 – David A. Ruffo; Raul A. Tabora, Jr.
- Buffalo: (716) 566-2800 – Robert A. Doren; James J. Rooney
- Long Island: (516) 267-6300 – John F. McKay, III
- New York City: (646) 253-2300 – Louis P. DiLorenzo; Raul A. Tabora, Jr.
- Rochester: (585) 362-4700 – John F. Darling; Peter C. Lutz
- Syracuse: (315) 218-8000 – Richard D. Hole; Larry P. Malfitano; Roderick C. McDonald