The Anesthesia Insider Blog


Update Your Anesthesia Compliance Program: The Final HIPAA Privacy, Security and Breach Notification Rules Are Here

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius in the Department of Health and Human Services’ January 17th press release announcing the publication of the long-awaited final omnibus rule with Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The final omnibus rule will go into effect on March 26, 2013. Covered entities such as anesthesia and pain medicine practices and billing companies including ABC—and their business associates—must be in compliance by September 23, 2013.

The final rule changes HIPAA in several important ways:

  1. It toughens the definition and consequences of failure to notify affected parties of security and privacy breaches;
  2. It strengthens the government’s ability to enforce the breach notification rules and establishes an increased monetary penalty tiered structure, with penalties ranging from $100-$50,000 per violation;
  3. It contains numerous revisions to the HIPAA privacy and security rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act; and
  4. It amends the HIPAA privacy rule as required by the Genetic Information Nondiscrimination Act.

Breach Notification

The omnibus final rule redefines a breach of the security of protected health information (PHI) by creating a presumption that an impermissible use or disclosure of PHI is a breach unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised. Under the interim rule, which has been in place since September 2009 and will continue in effect until March 26th, a breach is defined as an inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm. The breach provisions only apply to PHI that is unsecured, i.e., not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of the HHS-specified technology or methodology.

Under the final rule, the following four factors, at a minimum, must be considered when determining if there has been any compromise of PHI:

  1. The nature and extent of the PHI involved;
  2. The unauthorized person who used the PHI or to whom the disclosure of PHI was made;
  3. Whether the PHI was actually viewed or acquired; and
  4. The extent to which the risk to the PHI has been mitigated (for example, by obtaining reliable assurances from a recipient of the PHI that the information will be destroyed or will not be used or disclosed).

The threat of breaches is very real. More than 21 million victims of "large" healthcare breaches (affecting 500 people or more) have been notified since 2009. Most of us can imagine how easy it might be to lose a laptop containing PHI, whether by theft or accidentally.

Earlier this month, HHS announced the first settlement agreement involving a breach of unsecured electronic PHI affecting fewer than 500 individuals. The Hospice of North Idaho (HONI) and the government reached the $50,000 settlement following an investigation into the theft of an unencrypted laptop computer and the potential exposure of 441 patients’ PHI. HONI had not conducted a risk analysis to safeguard PHI. In addition, the hospice didn’t have the required policies or procedures in place to address mobile device security.

Action item: Anesthesia and pain practices should update their policies and procedures to protect against potential loss of confidential patient data. They should also revise their compliance plans to include the four factors listed above for consideration in evaluating impermissible uses or disclosures of PHI.

According to HIPAA Security Rule and Breach Notification: Navigating the Compliance Mine Field, an interesting paper submitted to the American College of Medical Practice Executives (ACMPE) in July 2012, only 87.3% of practices responding to a survey posted on the ACMPE page on the Medical Group Management Association (MGMA) website were aware of the breach notification requirements of the interim final rule and 74.6% had written policies and procedures. The final rule is receiving so much attention in the media that no one needs to be caught by surprise going forward. Indeed, last week ABC had already received inquiries about whether PHI breach insurance was advisable. We are still working on that question.

Note also that the final rule reduces covered entities’ exposure in one respect. In breaches involving fewer than 500 affected individuals, the interim final rule required notification to HHS no later than 60 days after the end of the calendar year in which the breach occurred. Because some breaches may go undetected for long periods of time, the final rule instead measures the deadline from discovery: notifications will be timely if made within 60 calendar days after the end of the calendar year in which the breach was discovered.

Business Associates and their Associates under the Revised Privacy and Security Rules

The 2009 HITECH Act extended the definition of “business associate” (BA) to include subcontractors. Recall that the HIPAA Privacy and Security Rules allow covered entities to disclose PHI to BAs, and allow BAs to create and receive PHI on behalf of the covered entity, subject to the terms of a BA agreement between the parties.

The final rule implements the HITECH Act’s expansion of BAs’ HIPAA responsibilities by applying the Privacy and Security Rules directly to them, as well as by subjecting BAs to civil and criminal penalties for HIPAA violations. Additionally, the final rule extends HIPAA obligations and potential penalties to subcontractors of BAs by expanding the definition of “business associate” to include direct or indirect subcontractors if a BA delegates a function, activity or service to the subcontractor and the subcontractor creates, receives, maintains, or transmits PHI on behalf of the BA. A BA that delegates any function involving the use or disclosure of PHI to a subcontractor will need to enter into a formal BA agreement with the subcontractor.

Existing BA agreements may be “grandfathered” under transition provisions in the final rule. These transition provisions will allow covered entities and BAs to continue to operate under existing BA agreements for up to one year beyond the compliance date (until September 22, 2014) if the BA agreement:

  1. Is in writing;
  2. Was in place prior to January 25, 2013 (the publication date of the Final Rule);
  3. Complies with the Privacy and Security Rules as in effect immediately prior to January 25, 2013, and
  4. Is not modified or renewed.

Other Privacy and Security provisions of note include:

  • Notice of Privacy Practices. The final rule requires the Notice of Privacy Practices to include statements regarding uses and disclosures that require a patient’s authorization. The Notice must contain a statement indicating that most uses and disclosures of (i) psychotherapy notes (where appropriate), (ii) PHI for marketing purposes, and (iii) disclosures that constitute a sale of PHI require authorization. The Notice must also include a statement that other uses and disclosures not described in the Notice will be made only pursuant to the patient’s authorization. Moreover, the Notice must contain a statement informing patients that, following a breach of unsecured PHI, affected individuals will be notified.
  • Access to an individual’s PHI. If an individual requests an electronic copy of PHI that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or in a format as agreed to by the covered entity and the individual.

Action item: This summary of the final rule should alert readers to the need to review their data privacy policies, practices, agreements, and incident response plans, as well as their BA agreements and notices of privacy practices. We emphasize that anesthesia and pain medicine groups should plan to conduct this review using the 138-page publication in the Federal Register hyperlinked above, and not just a summary. ABC will hold a webinar for ABC clients prior to the March 26th deadline to discuss the final HIPAA privacy and security rule.
