The September 23, 2013 deadline for compliance with the final Omnibus Rule which amends HIPAA and the HITECH Act, called the “Mega Rule,” is just 15 days away. The Mega Rule, which became effective on March 26, 2013, calls for medical providers to update and revise privacy policies, procedures and notices, business associate relationships and agreements, and employee training. The Mega Rule affects both Covered Entities and Business Associates.
What is Protected Health Information (“PHI”)?
PHI refers to individually identifiable health information. Individually identifiable health information is information that can be linked to a particular person. This can relate to an individual’s past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Common identifiers are names, social security numbers, addresses, and birth dates.
What is a Covered Entity?
A Covered Entity is a health care provider, a health plan, or a health care clearinghouse. A health care provider is a Covered Entity only if the provider transmits information in an electronic form in connection with transactions that involve the transmission of information between two parties to carry out financial or administrative activities related to health care. Simply put, a Covered Entity is any entity that handles and transmits health information.
What is a Business Associate?
A Business Associate is a person/entity who, with respect to a Covered Entity, performs or assists in the performance of a function or activity involving the use or disclosure of PHI, or provides management, administrative, accreditation, or financial services to or for a Covered Entity, where such services involve the disclosure of PHI by a Covered Entity to a Business Associate.
The definitions of Covered Entity and Business Associate can be found at 45 CFR 160.103.
What are the main Mega Rule requirements of which Covered Entities and Business Associates should be aware?
The following are the main components of the Mega Rule of which Covered Entities and Business Associates should be aware and should incorporate into their practices. This is not a complete list.
1. Extension of HIPAA privacy and security requirements to Business Associates and Subcontractors of Business AssociatesBefore the Mega Rule, Subcontractors who used or disclosed PHI were not subject to HIPAA. Now, both Business Associates and third-party Subcontractors can be held accountable for unauthorized disclosures under the Mega Rule. Business Associates and Subcontractors of Business Associates can be subject to compliance requirements and civil penalties for unauthorized disclosures. Business Associates and Subcontractors must update Business Associate Agreements to reflect these changes.
2. Breach redefinedWhen an impermissible access, acquisition, use or disclosure of PHI occurs, the Mega Rule presumes such transaction is a breach. Prior to the Mega Rule, such transaction was not a breach unless it posed a significant risk of financial, reputational or other harm to the individual. In order for a Covered Entity not to be required to notify the patient of the breach, it must demonstrate that there is a low probability that the information was compromised. This is determined by examining the type and extent of the PHI involved, to whom the disclosure was made, if the PHI was actually acquired or accessed, and if the risk of unauthorized disclosure was mitigated. This review must be documented according to the Covered Entity’s established policies and procedures. If Covered Entities do not follow these guidelines, or have established policies and procedures, they could face monetary penalties for willful neglect.
3. Updates to Notice of Privacy Practices (“NPPs”) and redistribution of NPPsCovered Entities must update their NPPs, and redistribute the updated NPP. The updated NPP must include a description of the disclosures that do and do not require authorization, the fact that: patients can opt out of fundraising and marketing communications, patients can request disclosure restrictions, patients can access their PHI, and Covered Entities are legally required to notify patients whose PHI is breached. It must also state that any disclosures not described in the NPP may only be made with authorization, and that relevant PHI may be disclosed to a deceased’s family member, friend, or representative if that person was involved in the patient’s care or payment for services (unless the patient expressed otherwise).
4. Expansion of patient privacy and patient empowermentThe Mega Rule empowers patients to request further restrictions on disclosure of their PHI. Covered Entities must comply with such requests if the disclosure is for payment or health care operations purposes, the disclosure is not required by law, or if the requested restriction applies to disclosure of a service which has already been paid for in full by someone other than the health plan.
5. More rigorous HIPAA enforcementUnder the Mega Rule, the Department of Health and Human Services is responsible for investigating private complaints of non-compliance alleging unauthorized disclosures due to willful neglect. As required by the HITECH Act, these investigations and reviews may result in increased and tiered civil money penalties. The penalties take into account whether Covered Entities or Business Associates should have known of the violation, if the violation was due to willful neglect or reasonable cause, whether the violation was corrected within 30 days, and whether the Covered Entity or Business Associate mitigated the harm.
6. Option for patients to opt out of receiving fundraising and marketing communicationsWhen Covered Entities communicate with patients regarding fundraising, they must notify the patient clearly of the patient’s option to opt out of receiving such communications. In addition, Covered Entities cannot sell patient information for fundraising and marketing purposes without authorization. When seeking such authorization, the patient must be made aware that the provider will receive remuneration for disclosing PHI. However, Covered Entities may continue to receive financial remuneration to provide refill reminders, or to send out other communications about a drug currently used by the patient as long as the remuneration is related to the costs of making the communication.