In Hungry Hungry Hippos, the classic tabletop game by Milton Bradley, each player frantically competes to snag as many plastic marbles with their colorful mechanical plastic hippo, as fast as possible. In the healthcare sector, a new frantic exercise is being performed, but it is certainly not a game. It is more of a race, and the race is to compliance, with the deadline quickly approaching.
Earlier this year, the U.S. Department of Health and Human Services (HHS) made significant changes by way of the final omnibus rule. The aim of the changes are to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). According to the HHS Office for Civil Rights (OCR) Director Leon Rodriguez, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The final omnibus rule became effective on March 26, 2013 and compliance is required by September 23, 2013. The modifications to the HIPAA Privacy, Security, and Enforcement Rules are voluminous, and covered entities should give careful consideration to all the details in order to become compliant and avoid hefty fines and penalties. Below, we have highlighted some of the changes prescribed by the final omnibus rule that we believe will have a significant compliance impact on a majority of covered entities.
With the final omnibus rule, the definition of a “business associate” has changed as follows; “a business associate includes a person who ‘creates, receives, maintains, or transmits’ protected health information on behalf of a covered entity.”
Business associates are now liable for compliance with certain HIPAA Privacy Rule and all Security Rule requirements. The final omnibus rule also specifies that subcontractors of business associates must also abide by these requirements as well and the liability of compliance rests with the business associates.
From a security standpoint, business associates are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of a covered entity.
From a privacy standpoint, business associates are subject to the HIPAA Privacy Rules related to the appropriate uses and disclosures of protected health information. Business associates may only use or disclose protected health information as permitted or required by their business associate contracts or as required by law. Any other use or disclosure would violate the Privacy Rule.
Business Associate Agreements
Covered entities must pay particular attention to their business associate agreements and ensure that they obtain satisfactory assurances, in the form of a written contract, with the business associates that will appropriately safeguard the covered entities’ information. Covered entities also need to ensure that business associates use or disclose protected health information only as permitted or required by the business associate contract or as required by law. The business associate agreements serve as a valuable tool to provide a basis of the relationship and clarify and limit the allowed uses and disclosures of protected health information by the business associate.
The newly prescribed requirements for business associate agreements may take significant time and effort to implement. The final omnibus rule does provide some relief in that all currently active business associate agreements will be grandfathered in and then modified by September 2014. All new agreements written between now and the September 2013 enforcement deadline should be written in accordance with the new guidelines.
Some of the required elements for a written contract between a covered entity and a business associate include:
• Establishing the permitted and required uses and disclosures of protected health information by the business associate.
• Providing assurance that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
• Requiring the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule regarding electronic protected health information
To see a full listing of all required contractual elements and a sample business associate agreement, please visit the HHS OCR website.
The final omnibus rule has clarified the definition of a breach as follows, “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised”. This change of definition essentially removes the former “harm threshold” and focuses more on a risk assessment of the breach prior to notification. If a covered entity or business associate can prove through a risk assessment that there is a low probability that protected health information has been compromised, then a breach notification may not be necessary.
The risk assessment process for breach notification analyses must include a number of standard analysis factors for covered entities and business associates:
• Evaluate and consider the nature and the extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification of the information.
• Evaluate and consider to whom the impermissible disclosure was made and whether or not the unauthorized person who received the information has obligations to protect the privacy and security of the information.
• Evaluate and consider whether the protected health information was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.
• Evaluate and consider the extent to which the risk to the protected health information has been mitigated.
Don’t let the hungry hungry HIPAA regulations eat your organization alive. Prepare yourself accordingly and arm yourself with the knowledge needed to comply. If you have additional questions surrounding HIPAA compliance or the effect of these rulings, please contact Eric Wright (412-697-5328 | firstname.lastname@example.org) or Dan Desko at (412-697-5285 | email@example.com).
© 2013 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.