September 23 is the compliance date for the HITECH Omnibus Rule issued by the Department of Health and Human Services (HHS) on January 25 of this year. Our summary, with a link to the rule, is available here. This bulletin lists the actions that HIPAA-covered entities and their business associates should be taking to comply with the regulation.
Notice of Privacy Practices. The rule requires covered entities to make the following changes to their notices of privacy practices by the compliance date:
- If the covered entity uses protected health information (PHI) for fundraising, its notice of privacy practices must inform individuals that they have the right to opt out of fundraising solicitations.
- The notice must inform individuals of the covered entity’s obligation to notify them following a breach of unsecured protected health information.
- Currently, the notice must advise the individuals of their right to request restrictions on use or disclosure. It must also include a statement that the covered entity is not required to comply with the request. This second statement must now state that the covered entity is required to comply with a request not to disclose health information to a health plan for payment or health care operations where the individual pays out-of-pocket for a service.
- If the covered entity intends to use or disclose psychotherapy notes in circumstances requiring authorization, or to use or disclose PHI for marketing, or to sell PHI, the notice of privacy practices must inform the individual that an authorization is required for these purposes.
- If the covered entity is a health plan that intends to use or disclose PHI for underwriting purposes, the notice must contain a statement that the plan is prohibited from using or disclosing genetic information for such purposes.
The notice of privacy practices no longer has to inform patients that the covered entity may contact them to provide appointment reminders or information about treatment alternatives or health-related benefits or services. However, there is no requirement that this be removed.
HHS says that these changes are material, and they therefore trigger the requirements for notification in the event of a material change. Health care providers must provide the revised notice to all new patients and to anyone else on request, and post it and make it available at their service delivery sites and on their web site if they maintain one. Previously, health plans were required to notify covered individuals within 60 days of a material revision to the notice. For health plans that have a web site this is replaced with a requirement to post the revised notice on the web site, and to include it in the next annual mailing to covered individuals. A health plan that does not have a web site must still provide the revised notice, or information on how to obtain it, within 60 days.
Business Associate Agreements. The new rule requires covered entities to amend their business associate agreements. Our form of business associate agreement containing just the required provisions, with the required amendments underlined, is available here. HHS has also published a form here. The implementation rules are as follows:
- Business associate agreements that were entered into before January 23, 2013, and were not renewed or modified after March 26, 2013 must be amended by the earlier of either: (i) the date the contract or arrangement is renewed or modified after September 23, 2013; or (ii) September 22, 2014.
- Other business associate agreements must be amended to conform to the new requirements by September 23, 2013, and all business associate agreements entered into, renewed or modified after September 23, 2013 must comply with the regulation.
Policies, Procedures and Training. HIPAA requires covered entities to implement policies and procedures to comply with the rules, and to change their policies and procedures as necessary and appropriate to comply with changes in the rules. HIPAA also requires covered entities to train affected workforce whose functions are affected by a material change in policies and procedures. Here is a summary of significant changes that will likely affect policies and procedures:
- Data breach reporting. The rule changed the standard for determining whether a report is required: it replaced the “significant risk of harm” standard with a presumption that a breach is reportable unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment. Covered entities and their business associates should revise their data breach notification policies to reflect the new standard.
- Sale of Protected Health Information. Formerly, the privacy rule did not prohibit a covered entity from receiving payment for PHI where the rule otherwise permitted the disclosure. Now it does, with some exceptions. Covered entities need a policy implementing this change.
- Marketing. The HITECH rule eliminated the ability of a covered entity to receive remuneration for the following treatment or health care operations communications: (1) communications to describe a health-related product or service that is provided by the covered entity; (2) communications for the treatment of an individual, and (3) communications for case management or care coordination for the individual. Under the revised rule, a covered entity can still make these communications, but it cannot receive remuneration for doing so without an authorization from the individual. The rule has an exception for communications that describe a drug or biologic currently prescribed, such as a refill reminder, as long as any payment received by the covered entity for making the communication is reasonably related to the cost of making the communication (so no profit margin is permitted). However, California law, which also prohibits remunerated marketing, does not have this exception.
- Fundraising. Covered entities that use PHI for fundraising will need to change their policies, as well as their notices of privacy practices:
- The rule formerly required fundraising solicitations to notify the patient of his or her right to opt out of future solicitations; now this must be in the notice of privacy practices, and the rule has new provisions on the implementation and effect of an opt-out that should be reflected in policies and procedures.
- Disclosure of immunization proof to schools. HIPAA now allows this with the informal consent of the parent or guardian if the school is required by law to obtain it. Previously, a formal authorization would have been required.
- Decedents. The amendments allow a covered entity to discuss health information about decedents with friends and family, unless the covered entity knows that this would be inconsistent with the decedent’s previously expressed preferences. The amendment also removes all protections on PHI of persons who have been deceased for 50 years.
- Genetic Information. Health plans are now prohibited from using genetic information for underwriting purposes. Health care providers may, however, use and disclose genetic information for treatment and other permitted purposes.
- Research Authorizations.
- A covered entity may now combine conditioned and unconditioned research-related authorizations, as long as the authorization distinguishes between the two categories and allows the individual to opt in to the unconditioned research activities. For example, a single authorization could now cover a clinical study that includes both treatment (a conditioned authorization) and tissue banking of specimens (an unconditioned authorization).
- A research authorization need no longer be study-specific, and may also encompass future research.
- Individual Rights. In addition to revising their notices of privacy practices, covered entities will need to revise some policies and procedures relating to individuals’ rights:
- As a general rule, covered entities are not required to agree to requests for additional restrictions on otherwise permitted uses and disclosures of PHI. Now, however, health care providers must comply with the request of an individual not to disclose PHI to a health plan if the disclosure is for payment or health care operations (but not treatment), and the individual pays out of pocket in full for the service to which the information relates.
- If a covered entity maintains PHI in an electronic designated record set, an individual now has the right to obtain a copy of the PHI in an electronic form and format requested by the individual, if such form is readily producible. If the form requested is not readily producible, the covered entity must provide access in another readable electronic form as agreed to by the covered entity and the individual (e.g., MS Word, Excel, text, HTML, text-based PDF). The individual may also direct the covered entity to transmit the electronic copy directly to the individual’s designee. The request must be in writing, signed by the individual, and must clearly identify both the designee and where to send the copy of PHI.
- The final rule also describes in more detail the types of PHI that a covered entity may use for fundraising purposes. Previously the rule allowed use of demographic information and dates of service only. It now also permits covered entities to use department of service information, including the treating physician, outcome information, and health insurance status. It now also says what it means by demographic information: this includes an individual’s name, address, other contact information, age, gender and date of birth.
Business Associates. Business associates must—
- Comply with the HIPAA Security Rule.
- Implement formal business associate contracts with their subcontractors.
- Comply with the data breach reporting rule.
Business associates are also now legally required to comply with the core privacy provisions of their business associate contracts including, for example, provisions restricting the business associate’s use and disclosure of PHI. Although the regulation does not require policies and procedures implementing these requirements, they are an important instrument of compliance, and business associates should consider developing them.
Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including compliance counseling, policies and procedures, workforce training and managing data breaches.
For more information, please contact: In San Francisco, Paul Smith, Steve Phillips or Clark Stanton at 415.875.8500; in Los Angeles, Hope Levy-Biehl, Karl Schmitz or Amy Joseph at 310.551.8111; and in Washington, D.C., Bob Roth at 202.580.7700.