The Office for Civil Rights (OCR) has published the final rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as directed by the Health Information Technology for Economic and Clinical Health Act (HITECH). The rule is very extensive, and in this blog we will touch on only a few of the amendments that affect health care providers.
Business Associates –
Providers are required to establish business associate agreements with any contractors that transmit, receive, or maintain protected health information (PHI) on behalf of the provider (the "covered entity" under HIPAA). One of the changes in the final rule is that business associates are now directly liable for violations of the HIPAA provisions. The final rule also clarifies that providers do not need to establish agreements with the subcontractors of a business associate. The business associate with whom the provider has an agreement is responsible for ensuring that its own subcontractors have the appropriate agreements and privacy and security protections in place.
Non-Compliance Penalties Increased –
Under the HITECH Act there are tiered penalty amounts for HIPAA violations. The minimum fine per violation ranges from $100 to $50,000 depending on the tier, and total penalties for identical violations are capped at $1.5 million per calendar year. The four tiers, listed from the least to the most serious, are:
1. Did not know – the provider or business associate, even by exercising reasonable diligence, would not have known of the violation.
2. Reasonable cause – the violation was due to reasonable cause and not to willful neglect.
3. Willful neglect (timely corrected) – the violation was due to willful neglect but was corrected within 30 days of when the provider or business associate knew, or should have known, of it.
4. Willful neglect (not timely corrected) – the violation was due to willful neglect and was not corrected within 30 days of when the provider or business associate knew, or should have known, of it.
The tiers and their penalty ranges are summarized below.

Violation Category                Penalty Per Violation       Cap for Identical Violations in a Calendar Year
Did not know                      $100 to $50,000             $1.5 million
Reasonable cause                  $1,000 to $50,000           $1.5 million
Willful neglect (corrected)       $10,000 to $50,000          $1.5 million
Willful neglect (not corrected)   $50,000                     $1.5 million
Notice of Privacy Practices –
Providers need to be aware that their Notice of Privacy Practices (NPP) will need revision, and of how the revised notice must be provided to patients. One of the key revisions is a statement informing patients that they have the right to be notified of a breach of their unsecured PHI. Providers are not required to re-issue hard copies of the NPP to existing patients, but they must post the revised NPP in a clear and prominent location and have copies available on request. Providers may post a summary of the revised NPP as long as the full version is available (at the reception desk, on a table, etc.) for patients to pick up without additional burden; a patient should not have to ask for a copy of the full NPP.
Use and Disclosure Restrictions –
The final rule also adds restrictions on providers regarding the use and disclosure of PHI. Previous HIPAA regulations did not require providers to comply with a patient's request to restrict disclosure of information. There is now an exception under which providers are required to agree to a requested restriction. The provider must agree if:
- the disclosure is for payment or health care operations
- the disclosure is not otherwise required by law, and
- the PHI relates only to a health care item or service for which the patient (or someone on the patient's behalf) has paid the provider in full out of pocket (cash pay).
Medicare beneficiaries likewise have the right to refuse to let a provider submit a claim to Medicare. In these cases the provider is not required to submit a claim to Medicare for the covered service, but the amount that can be collected from the Medicare patient remains limited, as it always has been.
Where a patient restricts the provider from submitting claims for payment, it is recommended that the provider request payment in full from the patient before providing the service.
Breach notification –
Much of the focus on the final rule has been on the requirement to notify patients when their PHI has been breached. Previously, notification was required only after an assessment found that the breach posed a significant risk of harm to the patient. The final rule changes the definition of "breach" to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the provider or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. This replaces the "harm standard" with the "low probability of compromise" standard. The risk assessment considers the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Providers are encouraged to review their compliance plans and make sure this risk assessment is carried out by providers, covered entities, and business associates before determining whether a breach requires notification to the patient or to other parties (HHS, the media, etc.).
Other information and sources regarding the final rule can be accessed at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/
Providers are encouraged to seek legal counsel regarding compliance with applicable laws and HIPAA.