By Heidi Jannenga, PT, MPT, ATC/L
As a rehab therapist, HIPAA is something you think about and comply with on a daily basis. But if you haven’t reviewed the Department of Health and Human Services’ (HHS) recent HIPAA Omnibus Ruling, then there’s a chance you’re not really as compliant as you think you are—at least not beginning September 23, 2013, when the ruling actually goes into effect.
The new rules established in the Omnibus affect both “Covered Entities” (e.g., providers, health plans, and healthcare clearinghouses) and “Business Associates” (e.g., health data transmission services, medical record services, or health information organizations). This HHS executive summary lays out the main items that comprise the overall ruling. These changes will:
- Extend some direct liability for HIPAA compliance to Business Associates of Covered Entities.
- Prohibit the unauthorized sale of protected health information (PHI) and further limit the use and disclosure of PHI for marketing and fundraising activities.
- Give individuals greater authority in obtaining electronic copies of their health information and in limiting disclosures to a health plan of information related to treatment for which the individual paid out-of-pocket.
- Require Covered Entities to modify and redistribute their notices of privacy practices (NPPs).
- Amend certain requirements concerning disclosure of health information in an effort to facilitate research and the disclosure of child immunization proof as well as grant family members access to their decedents’ health information.
- Enact HITECH Act enhancements that were not adopted in the October 2009 interim final rule, including the enforcement of penalties for non-compliance due to willful neglect.
- Incorporate a tiered civil money penalty structure with augmented penalties.
- Establish a more objective standard for the breach notification rule’s “harm” threshold.
- Prohibit most health plans from using or disclosing genetic information for underwriting per the Genetic Information Nondiscrimination Act (GINA).
Now for the really important part: how all of this impacts you and your practice. According to this summary from the American Medical Association (AMA), providers should focus most of their attention on the following three areas:
1. Privacy, Security, and Breach Notification Policies and Procedures
- Once the Omnibus goes into effect, you must notify your patients of any PHI breach unless you determine—following a careful risk analysis—that there is a “low probability of PHI compromise.”
- If a patient who pays out-of-pocket requests that you do not disclose any information about his or her care to a health plan, you must comply unless the disclosure furthers treatment or is legally required (which is rare).
- If you would like to tell a patient about a third-party product or service, you must get his or her written authorization to do so unless—generally speaking—the communication does not result in you receiving compensation; takes place in person; involves medication currently prescribed to the patient (from which you are not profiting); involves general health promotion (not promotion of a particular product or service); or involves government-sponsored programs.
- You cannot sell a patient’s PHI unless you have his or her express written permission. This rule applies to licenses, lease agreements, the receipt of financial/compensatory benefits as well as research if there is an implication of any sort of profit. (It does not apply to reasonable cost-based fees associated with authorized disclosures.)
- You are allowed to disclose relevant PHI to the family and/or friends of a deceased patient in the same way that you would if the patient were still alive—that is, if the family member or friend was involved in, or financially responsible for, caring for the patient and the patient never gave any indication of another preference. (Note: HIPAA protection expires 50 years after a patient’s death.)
- You are responsible for supplying a patient with his or her PHI within 30 days of receiving a written request, regardless of whether the PHI exists in paper or electronic form. You are allowed one 30-day extension if you cannot reasonably fulfill a patient’s request for PHI. However, you must provide the patient with a written explanation of why it will take more than 30 days and when he or she should expect to receive the requested information. If you have electronic records, you must give the patient the information in the format he or she requests, provided that the records are “readily producible” in said format. If they are not, you must come to a mutual agreement on an acceptable electronic format. If you cannot come to an agreement, then—and only then—can you give the patient paper copies of the information.
- You can charge the patient for copies of his or her information in the amount equal to labor and supply costs.
- You cannot send PHI in unencrypted emails unless you inform the patient of the associated risk and he or she still wants to receive the information via email.
2. Notice of Privacy Practices (NPP)
Make sure you incorporate all Omnibus directives into your NPP and distribute it to all new patients as well as any existing patients who request it. If your practice has a website, be sure to post it there, too.
3. Business Associate (BA) Agreements
Because this ruling amended the definition of a Business Associate to include Patient Safety Organizations and others involved in patient safety; health information organizations (e.g., health information exchanges); and personal health record vendors, you should take a second look at your relationship with any vendors that create, receive, store, maintain, or transmit PHI for your practice. You might need to enter into new BA Agreements before the Sept. 23 Omnibus enforcement date. Changes to BA Agreements include:
- Providers no longer have to report failures of BAs to the government because the BA is now liable for the violation.
- BAs are responsible for their own subcontractors.
- BAs must abide by the Security and Breach Notification Rules.
- Providers are liable for the actions of BAs who are agents, but not those who are independent contractors.
The ruling also established increased monetary penalties for civil (unintentional) violations, meaning you could incur a fine of up to $50,000 per offense. The table below (modified from the Federal Register) shows the range of penalty amounts for civil breaches. As for criminal violations—well, let’s just say you never, ever want to risk one of those.
TABLE 2—CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

| Violation category—Section 1176(a)(1) | Each violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100–$50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000–$50,000 | $1,500,000 |
| (C)(i) Willful Neglect—Corrected | $10,000–$50,000 | $1,500,000 |
| (C)(ii) Willful Neglect—Not Corrected | $50,000 | $1,500,000 |
There’s a lot of dense legal jargon included in the HIPAA Omnibus Ruling, but the bottom line is pretty simple: protect your PHI, and protect it well. This is crucial not only to your patients’ well-being, but also to the continued success of your business.
Heidi Jannenga was a scholarship athlete at the University of California, Davis. Following a knee injury and subsequent successful rehabilitation, Heidi developed a passion for physical therapy. She started her 16-year physical therapy career after graduating with her Master’s from the Institute of Physical Therapy in St. Augustine, Florida. In 2008, Heidi and her husband Brad launched WebPT, the leading web-based Electronic Medical Record (EMR) and comprehensive practice management service for physical therapists. As the company’s COO, Heidi is responsible for product development/management, billing services, and customer support. She resides in Phoenix with Brad and their daughter.