Trends
Be sure to know these 5 important HIPAA/HITECH REGULATIONS
Is your practice compliant with the latest in patient privacy? Check these points to be sure.
C. Jolynn Dobson Cook, RN, Brookville, PA
Patients expect healthcare organizations to keep their personal health information (PHI) confidential and safe from data breaches and other exploits. Healthcare organizations, such as ophthalmic practices, also have a self-interest in doing so, because penalties for non-compliance can be substantial.
The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, which took effect September 23, 2013, provides patients with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers (such as your practice), health plans and other entities that process health insurance claims. Subsequently, the final rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act was published January 25, 2013. The final rule under the HITECH Act made a number of significant changes that strengthen the privacy and security provisions of HIPAA.
It is prudent to invest time to carefully review the HIPAA and HITECH changes implemented in 2013 and update your documents accordingly. If your practice has not updated its HIPAA documents for several years, it is now out of compliance and at risk. Healthcare attorneys and organizations can assist with making these updates. Be sure to do a thorough reassessment of your practice’s policies and documents relating to HIPAA.
Here are five significant areas where change has occurred in the past 15 months:
1. NOTICE OF PRIVACY PRACTICES
The HIPAA Omnibus Final Rule adopts the modification to 164.520(b)(1)(ii)(E), which requires certain statements in the notice of privacy practices (NPP) regarding uses and disclosures that require authorization. The privacy rule requires covered entities to maintain and distribute an NPP, which must provide that any uses or disclosures other than those expressly permitted by the privacy rule will be made only with the written authorization of an individual (45 C.F.R. § 164.520).
The NPP must contain a statement indicating that an authorization is required for:
1) Most uses and disclosures of psychotherapy notes (where appropriate).
2) Uses and disclosures of PHI for marketing purposes.
3) Disclosures that constitute a sale of PHI.
Disclosures not described in the NPP require authorization from the individual. Because most ophthalmology practices do not record or maintain psychotherapy notes, they do not need to include the requisite statement in their NPPs. It is not necessary, however, to list every instance in which an authorization is required.
The Final Rule requires a statement in the NPP that an individual has a right to opt out of fundraising communications (i.e. if the practice intends to contact the individual regarding fundraising).
Also, a statement is now required indicating the patient’s new right to restrict certain disclosures of PHI to a health plan when the patient pays out-of-pocket in full.
Lastly, the final rule requires that the NPP contain a statement of the right of an affected individual to be notified following a breach of unsecured Protected Health Information.
HHS recognizes that these new changes are “material changes.” The notice must be updated, posted and re-distributed to all new patients. Any time the practice revises an NPP, it must make the NPP readily available at the front desk or check-in area to existing patients who request a copy on or after the effective date of the revisions. Additionally, the practice is required to post the revised notice on its website, if applicable, and must post the notice in a prominent location on its premises. The practice may opt to post a summary of the notice, provided the full notice is immediately available. Provide a copy of the revised NPP to new patients who receive services for the first time after modification of an NPP. The practice should retain copies of previous versions of its NPPs and of any written acknowledgements by patients of receipt of NPPs.
2. BREACH NOTIFICATION AND RISK ANALYSIS
The HIPAA Breach Notification Rule (BNR) did not exist prior to the HITECH Act. Section 13402 of the HITECH Act requires the ophthalmic practice to provide notification to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured PHI. In some cases, the Act requires the practice to provide notification of a breach to the media. In the case of a breach of unsecured PHI at a business associate of a covered entity, the Act requires the business associate to notify the practice of a breach.
As noted, the HITECH BNR clarifies the circumstances when breaches of unsecured health information must be reported to HHS. The term “breach” is defined in the HITECH Act as “the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed, would not reasonably have been able to retain such information.” To simplify, HIPAA covered entities must notify affected individuals of a breach, as well as the HHS Secretary (within 60 days of the breach) and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis 60 days prior to the end of the calendar year when the breach occurred. These reports must be submitted online via the Office for Civil Rights portal.
To address the risk of a breach of PHI or ePHI, an annual risk analysis is required. This change requires the practice to conduct a thorough, written analysis. Private companies are available to perform an independent risk analysis; however, the risk analysis may also be done by the IT professional within the organization. In either case, documentation is critical to prove the risk analysis was completed. Penalties for noncompliance have been increased and are tiered by the level of negligence, with a maximum penalty of $1.5 million per violation.
3. BUSINESS ASSOCIATES/SUBCONTRACTORS
A business associate includes any organization that uses or discloses PHI to provide administrative services to your practice. Most of us are used to obtaining a written Business Associate Agreement (BAA) whenever we enter into a new relationship with a vendor with whom our practice will share PHI.
The final rule requires the practice to be diligent with regard to subcontractors whenever the business associate subcontracts work to another vendor. The final rule does not require covered entities to enter into business associate agreements with their business associate’s subcontractors; however, it is important to understand that the business associate will need such an agreement with each subcontractor. Communication with new vendors accessing PHI will help to determine whether the business associate will engage the services of a subcontractor. It is important to ensure BAAs describe all the contemplated uses and disclosures of PHI by the business associate.
4. PATIENT’S RIGHTS
The Final Rule expands the requirements to provide individuals with a better understanding of:
(i) A patient’s right to restrict disclosures;
(ii) The types of uses and disclosures that require individual authorization;
(iii) A patient’s right to opt out of disclosures;
(iv) Rights to receive notice of a breach; and
(v) Rights with respect to the use of their genetic information for health plan underwriting purposes.
The Final Rule modifies 164.522 in accordance with HITECH Act Section 13405(a), providing that a patient has the right to restrict certain disclosures of PHI to a health plan where the individual pays out-of-pocket in full for the healthcare item or service. The practice should adopt some method to flag, or make a notation in the medical record, with respect to PHI that has been restricted so that the information is not sent to a health plan.
An additional modification allows patients to request a copy of their EHR in an electronic form, if the practice uses an EHR. If the patient elects to pay with cash for a visit, then the patient can instruct the practice not to share information about their treatment with their health plan.
The aforementioned changes must also be included in the revised NPP.
5. MARKETING AND FUNDRAISING
The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of a patient’s health information without permission. The term “marketing” has been expanded with regard to the uses and disclosures of PHI that are considered marketing. Marketing includes communications about health-related products or services if the practice receives “financial remuneration” in exchange for making the communication from, or on behalf of, a third party whose product or service is being described.
C. Jolynn Dobson Cook, RN is the Administrator of the Laurel Eye Clinic and the Laurel Laser & Surgery Centers. A Certified Ophthalmic Executive and Certified Administrator Surgery Center, she is a registered nurse and also has a degree in Health Care Administration.