Even stronger controls have just been set out for HIPAA. They come in the final regulations for the Omnibus Health Insurance Portability and Accountability Act, or the HIPAA rule. The new rules became effective March 26. However, medical offices and business associates have until September 23 to comply.
Mostly, the changes affect patient requests and approvals, breach reporting, and business associates. Along with that, the penalties for noncompliance have gone up. And accompanying the penalty increases is a promise from the government to search out violators with a vengeance.
Three somewhat small changes
First are three relatively small changes that just about all offices will encounter.
- Patients can now ask for copies of their electronic medical information in electronic format. Also, with both paper and electronic record requests, the office has only 30 days to produce the information. There’s no more 30-day extension for records that are inaccessible or kept off site.
- When patients pay for services personally and in full, they can require that the office not share information about the treatment with their health plans.
- The office can give immunization information to a school if the school is required by law to have it and if the parent or guardian gives written permission.
Guilty till proved otherwise
There’s also a change in how to determine when a breach has to be reported to the government. Until now, offices have followed the harm standard, which said a breach was reportable only if it posed a significant risk of harm to the patient’s finances or reputation.
The new regulations turn that around. They say that any loss or inappropriate disclosure of data is presumed to be a breach unless the office (or hospital or business associate) can show there is a low probability the information will be used improperly.
To determine that, the office has to do a documented risk assessment that covers four elements.
- The type of information. Information about sexually transmitted diseases, for example, could harm a patient’s reputation. Credit card numbers and Social Security numbers could be used for identity theft. Risk is high. Yes, there’s been a reportable breach.
- The recipient of the information. If the office doesn’t know who has accessed the information, assume there has been a breach. However, if the other person is a HIPAA-covered entity, misuse probability is low and so is the risk.
- Whether the data was actually seen or used. Suppose a stolen computer is recovered and forensic analysis shows the data was never accessed. Risk is low. No breach. Another example: suppose a patient’s record is mailed to the wrong person. If the envelope is returned unopened, risk is low. But if it’s returned opened or not returned at all, risk is high, and the office has to assume there has been a breach.
- How well the risk has been mitigated. The mitigating factor might be that the office gets assurance the information won’t be used or disclosed or will be destroyed. That makes the risk low and probably not reportable. However, who that other party is makes a difference. Assurance from a business associate is probably worth relying on; assurance from an unrelated person or company with no obligation to comply with HIPAA is another story.
HIPAA for business associates too
Business associates are now required to comply with HIPAA just as offices are. They have to have safeguards and policies and procedures for keeping data secure. They have to have business associate agreements with their own subcontractors. And they can get hit with penalties if they don’
That’s a logical move, because some of the greatest breaches to date have involved business associates.
The penalties get higher
The penalties for noncompliance have gone up – way up.
The amount depends on the level of negligence. Previously, the limit was $25,000 per violation; now it’s $50,000, with an annual limit of $1.5 million.
And the Office of Civil Rights, which enforces HIPAA, cautions that it’s looking hard for violations and plans to enforce HIPAA “vigorously.”
And three final changes
There are also changes that are of less significance to offices but worth noting all the same.
- There are more restrictions on getting patient authorizations to use personal information for marketing and fundraising. The same also applies to permissions to sell personal information.
- The process for getting patient authorization to use health data for research is now simpler.
- Insurance companies cannot use genetic information for coverage and cost determinations. This does not apply, however, to long-term care plans.
The new HIPAA regulations are found in the January 25 issue of the Federal Register.
Susan Crawford is editor, Medical Office Manager.