HIPAA Final Rule Spells Big Changes

After great anticipation and apprehension, the HIPAA Omnibus Rule was published in January. For those of us who tracked the previously published Proposed Rule and its changes, the Final Rule contained several surprises, especially for business associates (BAs). HIPAA BAs that have not already conformed to the previously published Proposed Rule now face monumental changes to implement in a narrow window of time.

The effective date for the Final Rule is March 26, with the compliance (enforcement) date set for Sept. 23. The only exception is for business associate agreements (BAAs) that are already in place; their deadline is Sept. 23, 2014. When an existing BAA is renewed or revised before Sept. 22, 2014, it must conform to the Final Rule at that time. New BAAs must follow the Final Rule from the start, so all BAAs will be in full compliance with the Final Rule by Sept. 23, 2014.

The definition of a BA has been expanded to include health information organizations, e-prescribing gateways, entities that store protected health information (PHI), and others that provide data transmission or storage services with respect to PHI. This change will affect businesses such as shredding companies, EMR providers, healthcare equipment companies and companies that warehouse PHI (even if they never access the data), as they now become HIPAA BAs under the Final Rule.

For medical transcription (MT), the most anticipated proposed change was the one related to subcontractors. The newly expanded definition of a BA in the Final Rule also directly addresses subcontractors. It states, “A business associate also is a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate.” This change will greatly affect a large part of the MT workforce, since many MT subcontractors (independent contractors) work for MT services. Their new obligations as HIPAA BAs will be numerous, and for a sole practitioner these obligations could be overwhelming.

BA Requirements

Here are some of those key HIPAA BA requirements that all subcontractors who handle PHI will now need to follow:

  • A written BA agreement. This agreement is between the subcontractor and the BA it performs services for, such as an MT service. Just as the MT service has been required since the implementation of HIPAA to have a written BAA with the Covered Entity (CE) it serves, the subcontractor must now have a written BAA with the BA it serves. The subcontractor BA must, of course, comply with all of the requirements outlined in that BAA. HHS posted an updated sample BAA consistent with the Final Rule on its website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
  • Comply with the HIPAA Security Rule. This includes the administrative, physical and technical safeguards for PHI, as well as a designated HIPAA Security Officer.
  • Maintain written HIPAA policies and procedures.
  • HIPAA training and proof of it.
  • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of its use.
  • If a subcontractor (subcontractor A) in turn uses the services of another subcontractor (subcontractor B) that handles PHI, subcontractor A must have a written BAA with subcontractor B.
  • Comply with all notification requirements related to the Data Breach Rule.
  • Comply with the contractual Privacy Rule requirements (e.g., termination, HIPAA training, etc.).

Scope of Liability

The scope of liability has also expanded for the BA to include the actions of their subcontractor BAs. Penalties for willful neglect have increased to as high as $50,000 per violation with a maximum of $1.5 million in a calendar year.

BAs should immediately review their use of subcontractors/independent contractors, contact them regarding their new obligations as HIPAA BAs and execute an updated BAA with each subcontractor. Because of your expanded liability for their actions under HIPAA, you may want to require them to provide you with a copy of their written policies and procedures (P&Ps) and proof of their HIPAA training for your records. BAs will also need to review and update their own P&Ps on the use of subcontractors/independent contractors to reflect these changes.

You cannot avoid this new obligation by ignoring it or by deciding not to establish a BA agreement between the BA and its subcontractor. The Final Rule clearly states that a subcontractor to a BA is subject to the same legal obligations as a BA regardless of whether a written BAA has been executed.

This change related to subcontractor BAs also affects CEs. The scope of liability for the CE includes the actions of its BAs, and could also include the actions of its BAs’ subcontractor BAs. CEs that use BAs, and have allowed them to use subcontractors, should make certain their BAAs obligate the BA to require its subcontractor BAs to protect and secure any PHI received, maintained or transmitted. It would also behoove the CE to request copies of its BAs’ subcontractor BAAs to confirm they are in place and compliant with the Final Rule.

Other ways CEs can demonstrate due diligence related to HIPAA compliance are to review their BAs’ HIPAA P&Ps and HIPAA training materials. Be sure to file all of the materials received from each BA in case of a random HIPAA compliance audit by the Office for Civil Rights (OCR).

The Definition of Breach

If that was not enough change, the Final Rule has made a significant modification to breach notification. This is not unexpected given the number of breaches occurring in the healthcare industry and the inconsistent way the previous threshold of harm analysis was being applied by some of the organizations that had experienced a breach.

Under the previous threshold-of-harm analysis, the organization (CE or BA) would consider the factors related to the breach (e.g., which elements of PHI were involved, where the data went, who did what with it) to determine whether the breach posed a significant risk of financial, reputational or other harm to the patient. If it was determined that there was no significant risk to the patient, no notification to the patient was required.

The Final Rule replaces this significant-risk-of-harm analysis with a presumption that every impermissible use or disclosure of unsecured PHI is a breach unless the organization can demonstrate that there is a low probability the PHI has been compromised.

Because of this change, the definition of breach was clarified in the Final Rule:

. . . an acquisition, access, use or disclosure of protected health information in a manner not otherwise permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • the nature and extent of PHI involved, including the types of identifying elements, and likelihood of re-identification;
  • the person who received the PHI or to where the disclosure was made;
  • whether the PHI was actually viewed or accessed;
  • the extent to which the risk to PHI was mitigated.

It is important to emphasize the use of encryption with PHI. The benefit of using encryption was clearly stated in the Final Rule: “If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.” Note that “pursuant to this guidance” means encryption consistent with the HHS guidance on securing PHI, and the safe harbor does not apply where the decryption key or process has itself been compromised along with the data. The time has come to evaluate the use of encryption of PHI within your organization. If it seems unaffordable, realize that organizations that have experienced breaches have stated that the costs of breach remediation are far greater than the cost of encrypting their PHI.

No Time to Waste

The HIPAA Final Rule has set the bar very high for everyone who handles PHI, from the CE to the BA to the subcontractor BA. Organizations (CEs, BAs and subcontractor BAs) that have adopted a “wait and see” attitude toward HIPAA compliance have painted themselves into a very small corner. The compliance date is on the horizon. For BAs who think no one will notice if they skimp on their path to HIPAA compliance, the OCR announced in late 2012 that random HIPAA audits will continue and be expanded to include BAs. If you handle PHI, there is no place to hide. You have major steps to take to achieve and maintain HIPAA compliance as mandated in the Final Rule.

There is no time to waste; HIPAA compliance is not an option.

Brenda J. Hurley is the president of Hurley Makes It Happen!, a consulting company specializing in HIPAA compliance for business associates, and a member of the ADVANCE for Health Information Professionals Editorial Advisory Board. She can be reached at bjhurley@aol.com.