10 things you need to know about HIPAA Omnibus final rule

The Department of Health and Human Services flicks the “on” switch today for the updates to the HIPAA Omnibus Final Rule to take effect. Enforced by the Office of Civil Rights, the rule changes are designed to improve patients’ access to their medical records and boost security of their medical history and other patient data, known as protected health information.

On the surface it’s a win for patients designed to make providers and the health IT companies think about how they disseminate patient information and protect that data. But the consensus is the biggest winners will be the risk managers, lawyers and health IT companies that can respond to payers, providers and other healthcare companies’ compliance needs.

If you had to pick the group seeing the most dramatic changes from the rule's implementation, it would be the smaller health IT companies, which now face liability and compliance costs they never had before. Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, made that observation in a press conference last week. She hopes that regulators will cut them some slack and give them time to comply.

Here’s a summary of the new rules and their potential impacts, mainly for providers.

Who is a business associate?

The new rule changes the standard for determining which groups are considered business associates. The answer is any company that sends or routinely accesses patient health information. These groups could be health IT companies, e-prescribing gateways, or vendors of personal health records. It also includes subcontractors who create, receive, maintain or transmit protected health information on behalf of business associates.

Anne M. Lavelle, an attorney with Pittsburgh law firm Cohen & Grigsby, said one problem she has noticed is overenthusiastic health IT vendors that work directly with hospitals. In some cases, these “first tier” business associates have been sending business associate agreements to all of their subcontractors (downstream business associates), whether or not those subcontractors actually need to sign them, just in case they would otherwise neglect to send one to a company that does.

Providers’ new obligations

Electronic access to medical records

The new rule underscores providers’ obligation to give patients access to their medical records in the electronic format they prefer. That means that, despite the sensitivity over data security, a patient can request that the data be delivered in an unencrypted format. McGraw added that in that case the hospital need only notify the patient of the security risk of unencrypted data.

Marketing

Before a provider markets a third-party service to patients based on their PHI, or sells or provides access to PHI for payment, the provider must request permission from each patient whose PHI it wishes to use, according to McGuire Woods. Business agreements that were in place before January this year have a one-year extension; they need to be updated by September 23, 2014.

Immunization disclosure to schools

Providers can also release patients’ immunization records to schools if state or other law requires it, but they have to inform parents or guardians before they do.

New rule for deceased patients

PHI no longer covers people who have been dead for more than 50 years. Providers can release the PHI of a patient who has died to the patient’s family members, relatives, close friends, and other individuals the patient indicated were involved either in the deceased’s care or in paying for that care. Providers may disclose only the PHI that is relevant to that person’s involvement in the deceased’s care.

Change in definition of PHI breach

The Omnibus Rule changes the way PHI breaches are defined, according to an overview of the changes from the law firm Cooley. The interpretation is broader: instead of a breach being one that poses significant financial or reputational harm, there is now a presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted under the privacy rule is a breach, unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised. To date the majority of breaches have been “walkable” breaches, in which mobile devices holding unencrypted patient data have been lost or stolen. The “easiest” way to prevent this kind of breach is to encrypt PHI.

Who gets punished if a PHI breach is identified?

The source of the breach. “The authorities will go after the source of the violation,” McGraw said. “Hospitals are not responsible for hovering over their business associates.” Still, breach reporting remains the responsibility of the hospital.

Do a risk analysis assessment

In the event of a data breach, the first thing the Office of Civil Rights will ask for is proof that the company has done a risk assessment identifying potential PHI security risks and how they can be fixed. Lavelle said that if groups can’t produce this document, the audit will go much worse than if regulators can see they have at least taken the trouble to complete this initial risk assessment. “If I were advising a group on where to put their resources, risk analysis would be a great start,” she said. For a physician practice, for example, that could include an inventory of mobile devices that hold patient information.

What’s being delayed or left out for now?

  • Refill reminders: The wording of the marketing rule change was enough to persuade CVS to suspend its refill reminder program earlier this year over concerns that it could be perceived as a violation of the new rules. But McGraw pointed out that HHS was persuaded to delay implementation to allow time to work out a compromise. There are concerns that the wording would have a chilling effect on the pharmaceutical industry’s push to improve medication adherence.
  • Patient direct access to test results: As Akerman’s Health Rx Law blog noted, HHS is delaying enforcement of the requirement that certain labs provide patients with direct access to lab results. It said the enforcement delay will relieve CLIA and CLIA-exempt labs from potentially having to revise their policies twice within a relatively short time, and from the associated burdens that would impose. As McGraw pointed out, it has been a thorny issue with providers, who believe it is important for patients to receive these results when they can be interpreted and put in context. The concern is that patients will react badly to results delivered without medical interpretation.