February 2013—The Office for Civil Rights of the US Department of Health & Human Services (OCR) recently issued its long-awaited final regulations modifying the HIPAA privacy, security, enforcement, and breach notification rules (the HIPAA Megarule).
The HIPAA Megarule will become effective on March 26, 2013, and compliance will be required by September 23, 2013. Briefly summarized below are a few highlights from the HIPAA Megarule that will be of particular interest to radiology practices.
The HIPAA Megarule, its impact on radiology providers, and steps that they will need to take to comply with the law will be given more detailed treatment in the upcoming March/April 2013 edition of Radiology Management.
The HIPAA Megarule addresses, among other things, five major topics:
- Numerous revisions to the HIPAA privacy and security rules;
- Substantial strengthening of the HIPAA enforcement rule and incorporating an increased monetary penalty tiered structure;
- Incorporating and clarifying the HITECH Act’s direct regulation of “business associates” and their “subcontractors”;
- Significant revisions to the breach notification rule; and
- Modifications to the HIPAA privacy rule required by the Genetic Information Nondiscrimination Act.
For radiology providers who are covered entities, the new HIPAA rules will, at a minimum, require revisions to their Notice of Privacy Practices, changes to their business associate agreements, revisions to their HIPAA privacy and security policies and procedures, and an overall assessment of their HIPAA compliance.
Required Changes to Notices of Privacy Practices
The HIPAA Megarule requires modifications to a covered entity’s notice of privacy practices. Radiology providers’ notices of privacy practices must be updated to include explanations regarding certain changes to patients’ rights under the HIPAA Megarule, as well as changes to HIPAA’s privacy rights.
Impact Related to Business Associates
The HIPAA Megarule broadened the definition of who is considered to be a “business associate.” Radiology providers should assess their relationships to determine who might now be considered a “business associate”. These revisions to the HIPAA Megarule are significant, and will likely require covered entities to enter into business associate agreements with vendors who were not previously considered to be “business associates.”
The HIPAA Megarule will also require changes to radiology providers’ business associate agreements (BAAs). If radiology providers have BAAs now in force, the existing agreements are grandfathered until September 22, 2014, to permit amendments to comply with the final regulations.
Changes to Breach Notification Rule
For nearly three years radiology providers have had to implement the breach notification regulations mandated by the HITECH Act (the Breach Rule) in the manner set forth in the August 24, 2009 interim final HITECH Act rules regarding breach notifications (the IFR).
The Breach Rule requires covered entities to disclose to both patients and the government when there are specific kinds of security breaches involving an unauthorized use or disclosure of unsecured patient information. The HIPAA Megarule made two primary changes to the Breach Rule regulations.
The HIPAA Megarule first clarifies that any situation involving an impermissible access, acquisition, use, or disclosure of protected health information (PHI) is presumed to be a breach. Further, the HIPAA Megarule replaces the IFR’s “significant risk of harm to the individual” standard, and states that a breach is presumed unless the covered entity is able to demonstrate that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the PHI involved…;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
Requests for Restrictions
Covered entities are not normally required to agree if a patient requests restrictions related to a use or disclosure of their PHI that would otherwise be allowed under HIPAA. The HIPAA Megarule, however, requires covered entities to agree to restrict disclosures of a patient’s PHI to an insurer if the service is paid for in full by the patient and certain other criteria are met.
Limits on Marketing and Sale of PHI
The HIPAA Megarule contains additional specificity regarding HIPAA’s restrictions on using PHI for marketing and on selling PHI. Under the HIPAA Megarule, any provision of financial remuneration in exchange for the sale of PHI or the marketing of services/products is prohibited, except for certain enumerated and technical exceptions. Notably, providers are still allowed to receive financial remuneration to provide refill reminders or to send out other communications about a drug or biologic currently prescribed for the patient, so long as the financial remuneration is reasonably related to the costs associated with making the communication.
Access to PHI Maintained Electronically
The HIPAA Megarule provides that, if a patient requests PHI that is maintained electronically in a designated record set, the covered entity must provide them with electronic access in the form and format they have requested, if the information is readily producible in such format. If the information is not readily producible in that format, it must be given in a readable electronic form and format as mutually agreed by the covered entity and individual.
Increased HIPAA Enforcement
The HITECH Act drastically changed the enforcement landscape related to HIPAA. Since the passage of the HITECH Act, OCR has begun auditing providers, and has levied numerous hundred-thousand-dollar-plus, and even million-dollar-plus, penalties on providers (including smaller physician groups).
The HIPAA Megarule formalizes the HITECH Act requirements, and makes it clear that OCR’s recent ramp-up of HIPAA enforcement is not merely a passing trend. The new rules underscore that both covered entities and business associates must reassess and strengthen their HIPAA compliance, or face potentially severe monetary consequences for their failure to do so.
Look for more detailed discussion in the upcoming March/April 2013 edition of Radiology Management.
Adrienne Dresevic, Esq. graduated Magna Cum Laude from Wayne State University Law School. Practicing healthcare law, she concentrates in Stark and fraud/abuse, representing various diagnostic imaging providers, e.g., IDTFs, mobile leasing entities, and radiology and multi-specialty group practices.
Clinton Mikel, Esq. graduated from the University of Michigan Law School. Practicing healthcare law, he concentrates in Stark, fraud/abuse, telehealth/telemedicine, compliance, and the corporate and financial aspects of healthcare practice.
The authors are members of The Health Law Partners, P.C. and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.