It has been nearly a year since the federal government published its long-awaited final regulations (Final Rule) for the Health Information Technology for Economic and Clinical Health (HITECH) Act, described by the head of the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” In general, the new rules expand the obligations of health care providers to protect patients’ protected health information (PHI), extend these obligations to a host of other companies who, as “business associates,” have access to PHI, and increase the penalties for violations of any of these obligations. Now, three months after the final compliance deadline of September 23, 2013, many medical records storage vendors are just beginning to understand how the Final Rule affects them. The following outlines the changes HIM Directors should consider as they evaluate their medical records storage vendor.
Business Associates (BAs) and Business Associate Agreements (BAAs)
The Final Rule significantly modifies the definition of a business associate. Previously, BAs were limited to entities that “use or disclose” PHI in order to provide a service on behalf of a covered entity. Now, the definition includes any organization that “creates, receives, maintains, or transmits PHI for a function regulated by HIPAA.” Entities that, under the expanded definition, are considered business associates include all medical records storage companies. A medical records storage company that has access to PHI (electronic or hardcopy) is a business associate even if the entity does not view the information or does so on a random or infrequent basis.
Trigger for Breach Notification
The provision of the omnibus regulation that has generated the most discussion is the elimination of the “risk of harm” standard for breach notification. The breach notification regulations themselves have not changed; however, the trigger for breach notification has changed substantially. The Final Rule removed the harm standard and modified the risk assessment to focus more objectively on the risk that the PHI has been compromised. Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate “demonstrates that there is a low probability that the PHI has been compromised.” Breach notification is necessary in all situations except those in which the covered entity demonstrates that there is a low probability that the PHI has been compromised. If PHI is encrypted, then no breach notification is required. Failure to comply with the minimum necessary provision may trigger the obligation to perform a risk assessment and possibly a data breach notification.
A hybrid entity is an organization that performs both covered functions and non-covered functions. For example, a document storage company that stores both medical records and corporate records can designate itself as a hybrid entity and define its covered functions, thereby avoiding the application of HIPAA to its corporate line of business. The Final Rule requires that a hybrid entity that performs business associate functions include those business associate functions among the covered functions of the hybrid entity. Within a hybrid entity, an improper disclosure of PHI from the covered component to the non-covered component is still a breach, possibly requiring notification.
Determination of Civil Monetary Penalty (CMP)
Previously, CMPs were capped at $100 per violation, with the annual amount of penalties for all violations of one provider capped at $25,000. Now, the CMP imposed is based upon case-by-case investigations according to the table below. Furthermore, there has been a change in terminology from “history of violations” to “previous indications of non-compliance.” The clear implication is that OCR can impose penalties upon indications of prior non-compliance even when there was no formal finding of a violation. Additionally, the Office for Civil Rights must initiate an investigation if a preliminary review indicates a possible violation due to willful neglect; such investigations were discretionary prior to the Final Rule.
The Final Rule was published January 25, 2013 and became effective March 26, 2013. Healthcare providers were given six months, until September 23, 2013, to become compliant.
Robert Lynch is president of EvriChart.