HIPAA Update – July 2010

The Department of Health and Human Services' Office for Civil Rights (OCR) has released a proposed rule to modify and strengthen provisions of the HIPAA Privacy, Security and Enforcement Rules. The changes proposed by OCR are authorized under the HITECH Act. Links to the rule and announcement:

Press Release: www.hhs.gov/news/press/2010pres/07/20100708c.html
Proposed Regulations: http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480b195a0
HHS Launches Privacy Website: http://www.hhs.gov/healthprivacy/index.html

HHS has launched this privacy website to give individuals easy access to information about existing HHS privacy efforts and the policies supporting them. The site links to resources on how personal health information is protected, and to sites describing individuals' rights related to the privacy and security of that information.

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, the existing health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information. For example, patient safety organizations would now be considered Business Associates. As you will remember, Business Associates under HITECH bear responsibilities for protecting protected health information similar to those of Covered Entities.

A new term you will see is ONC, the Office of the National Coordinator for Health Information Technology. The HITECH Act established the position of Chief Privacy Officer within ONC, and Joy Pritts recently assumed this new position, which will aid HHS' efforts to develop and implement privacy and security programs and policies for electronic health information.
A quick overview of the provisions of the proposed rule:

- Broadens the definition of Business Associate and makes the requirements of the Privacy and Security Rules applicable to Business Associates in the same manner they presently apply to Covered Entities. Business Associates are now civilly and criminally liable in the same ways as Covered Entities.
- Requires Business Associates to obtain "satisfactory assurances" from subcontractors that they will comply with the applicable requirements of the Privacy and Security Rules. Existing contracts between Business Associates and subcontractors can be grandfathered for up to one year beyond the rule's compliance date. The rule also clarifies the reporting chain when a subcontractor has a breach: the subcontractor reports to the Business Associate, the Business Associate reports to its Covered Entity partner, and the Covered Entity is accountable for the notifications related to the breach.
- Redefines "marketing," which will limit the health-related communications that may be treated as "health care operations." The proposed rule would require Covered Entities that receive payment for making certain communications to obtain an individual's authorization before making them.
- Asks for additional public comment on uses and disclosures of PHI for research purposes, and more clearly defines the uses and disclosures of protected health information for which individual authorization is required, such as the sale of PHI. It also asks for public comment on "minimum necessary" and requests that Covered Entities and Business Associates continue to use limited data sets until further guidance is issued.
- Gives recipients of fundraising communications a clearly stated opportunity to opt out of receiving future communications, and makes clear that opting out will not affect the individual's future treatment. Fundraising communications may not be sent to individuals who have opted out.
- Provides that notices of privacy practices must be updated to include a statement if an organization intends to send such communications and that the individual can opt out of them.
- Requires the notice of privacy practices to include a description of the uses and disclosures of protected health information that require an authorization. This further explains members' rights regarding how their information can be used and disclosed.
- Requires Covered Entities to honor an individual's request to restrict disclosure of PHI to a health plan when the restriction applies solely to a service the individual paid for in full out-of-pocket, unless the disclosure is otherwise required by law.
- Strengthens the right of individuals to obtain copies of their electronic health records.
- Increases civil money penalties for violations of the requirements to protect the privacy and security of protected health information, with fines of up to $1.5 million in a single calendar year for violations of the same requirement.
- Clarifies the Covered Entity's role.
- Defines "reasonable cause," "reasonable diligence," and "willful neglect." These definitions are the basis for setting monetary penalty amounts. The regulations also clarify that HHS will fully investigate whenever a preliminary review of the facts indicates a possible violation due to willful neglect.

It is important for our health plans to recognize that they ARE Covered Entities and must meet the HIPAA requirements for a Covered Entity. Integra Employer Health is still offering our covered health plans the opportunity to purchase an online tool to help with HIPAA compliance and required staff training. Please contact Leigh Ann Furr, Compliance Analyst, at ext 3158 or Jennifer Proko, QI Coordinator, at ext 3150 if you would like additional information on this cost-effective resource.