Q&A: The Latest Updates on HIPAA Final Rule
David Roe, Director of Risk Services at Bridgepoint Consulting LLC, weighs in on the new HIPAA regulations and what companies should do to address these requirements.
Q: What is HIPAA, and why are we hearing about it now?
A: HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This legislation, which requires the security and confidentiality of patients’ personal health records, has been around a long time; some of the Act has been in effect since 2001. Then, in 2008 and 2009, Congress passed additional legislation that broadened the scope of the original HIPAA legislation to address technology and genetic testing issues:
- The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology; and
- The Genetic Information Nondiscrimination Act (GINA) of 2008 prohibits group health plans and health insurers from denying coverage to a healthy individual or charging that person higher premiums based solely on a genetic predisposition to developing a disease in the future.
Q: What are the new HIPAA rules everyone is talking about?
A: These updates are considered the “final rules” of the HIPAA legislation as well as aspects of the HITECH and GINA legislation. The U.S. Department of Health & Human Services (HHS) issues the rules and monitors compliance. Health care providers in the U.S. must meet these requirements to receive federal funding and have the authority to operate.
Q: So, what’s the gist? What are health care providers going to have to do to meet these new requirements?
A: In broad terms, the HIPAA rules requiring health care providers to safeguard personal health records and information are still the focus. The new rules broaden the issue in a couple of ways:
1. Business Associates – Health care providers now have an obligation to ensure that others in their network also maintain the safety and security of health care records.
2. Information Technology (IT) Security – Health care providers must have robust programs around their IT systems and organizations.
3. Privacy – The rules broaden and define requirements about privacy issues.
4. Breach Notifications, Enforcement and Penalties – the rules define reportable events and actions that the health care provider must take.
Q: What is the deadline?
A: The deadline for health care providers to implement these programs was September 23, 2013.
Q: Tell me more about the “Business Associates” rule, what is required for health care providers?
A: Business Associates, including their subcontractors, who create, receive, maintain or transmit Protected Health Information (PHI) on behalf of covered entities, are subject to and must comply with the Final Rule provisions. Business Associate agreements should set forth terms to comply with the Final Rule. Relevant updates to existing Business Associate agreements should be completed by no later than September 22, 2014. Covered entities can be held liable for non-compliance violations in addition to the business associate and/or its subcontractor. Therefore, business associate agreements and procedures should be reviewed and routinely monitored, including but not limited to:
- Security and Privacy written policies in place
- Documented training of workforce
- Security requirement procedures in place for PHI (see Security highlights below)
- Privacy use and disclosure limitations (e.g., the minimum necessary principle; see Privacy highlights below)
- Requirement to provide a copy of electronic PHI to the covered entity, the individual or the individual’s designee, as set forth in the agreement
- Maintenance of an accounting of disclosures
Q: What are some specific requirements of the security aspect of the rules?
A: Comprehensive security procedures should be in place to protect individuals’ health information, with consideration of size, capability, cost and the nature of risks. These include, but are not limited to, the following:
- Performance of a periodic security risk analysis outlining the risk management procedures and controls in place
- Authorization, supervision, modification and termination of workforce access to PHI
- System login and workstation security through unique user IDs, passwords and activity monitoring
- Documented training of workforce
- Backup data plans, contingency plans, disaster recovery plans, emergency access plans
- Mobile media, encryption and integrity controls (intranets, extranets and the internet are all considered electronic media forms)
Q: How do the Final Rules refine the privacy requirements?
A: The Final Rule encompasses multiple privacy issues for uses and disclosures of PHI. Disclosure expressly includes “read or view only” access under the Final Rule modifications. Implementation or updates to written policies, notices of privacy practices, training programs and research authorizations should be in place. The use and disclosure Privacy rules set forth the following:
- Marketing and treatment, and fundraising communications
- Individual rights to restrict certain PHI disclosures to health plans
- Individual rights to request access to electronic PHI
- Disclosures of PHI to persons involved in a patient’s care or payment for care, and of student immunizations to schools
- Exchanging PHI for remuneration
- Individually identifiable genetic information is included in the definition of PHI
- Deceased individuals covered under the definition of PHI up to 50 years
Q: What are health care organizations required to do to address Breach Notifications? What are the enforcement requirements and penalties?
A: Any use or disclosure of PHI not permitted by the Privacy Rules is presumed to be a reportable breach. The prior criterion of “significant financial, reputational or other harm to the individual affected” no longer applies. The presumption of a reportable breach may be cleared only if a risk analysis, addressing specific requisites, demonstrates a low probability of compromise. However, the expectation is that such uses and disclosures will likely be reportable.
Compliance reviews will be conducted by HHS to investigate complaints when preliminary facts suggest violations due to willful neglect by the covered entity, business associate or subcontractor of a business associate. Monetary fines may be assessed by HHS on a per-person-affected and per-day basis, taking into account the nature of the harm. Potential fines can range from $100 to $50,000 per violation. Multiple violations may be assessed for a single breach event. Fines may be decreased for violations discovered and corrected within 30 days. The maximum annual cap for monetary penalties is $1.5 million, applied on a per-provision basis (e.g., violations of two provisions equal a $3 million cap).
Q: How can Bridgepoint help?
A: Bridgepoint’s Risk Services professionals are skilled at assessing risks and implementing solutions to address compliance issues. Our team can provide assistance to address the impact of the HIPAA Final Rule from implementation to monitoring compliance within organizations.
By Jeanne Metz
Jeanne has managed the successful implementation of many internal audits and Sarbanes-Oxley 404 compliance projects. Her organized and efficient execution of compliance work has given her experience in analyzing, remediating deficiencies, and testing financial processes.