It’s here! As of September 2013, hospitals, physicians, healthcare providers, and anyone in the medical community (all “covered entities”) must comply with the HIPAA Omnibus Final Rule. The U.S. Department of Health and Human Services (HHS) has strengthened the privacy and security for health information established under what most of us know as HIPAA (Health Insurance Portability and Accountability Act of 1996).
The first round of HIPAA audits resulted is some serious fines and devastating headlines. “Small Dermatology Practice Fined $150,000 For Failure to Have HIPAA Policies & Procedures in Place” was just one recent headline resulting from the new Rule. And, now the second round of HHS audits is beginning. Many experts say, this round will focus on smaller medical practices. The fines that accompany a violation or breach would put most practices out of business. It begs the question, are you ready?
The new HIPAA rule makes “the most sweeping changes to the HIPAA Privacy and Security Rules since they were implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthens the ability of my office to vigorously enforce HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates,” said Rodriguez.
Breach Notification Requirement
The new rule’s breach notification requirement legally requires practitioners to alert authorities and patients when their protected health information (PHI) is put at risk, and specifically when it is discarded in an unsecure manner. “To say HIPAA requires data destruction is not accurate. It’s better to say HIPAA requires the prevention of unauthorized access to PHI, which in turn, necessitates destruction,” says Bob Johnson, CEO for the National Association of Information Destruction (NAID).
The breach notification requirement is probably the most feared in the medical community. Every day, the nightly news exposes another medical practice for its violations of HIPAA in negligently discarding protected information. Not only does this new breach notification requirement mean the media may catch word of a breach faster, but “if the HHS or state attorneys general receive a credible report of an incident that could rise to the level of willful neglect, it’s mandatory they investigate,” says Johnson.
Mandatory Fines for Willful Neglect
Penalties are also increased for noncompliance under the new rule based on the level of negligence. The maximum penalty is $1.5 million per violation. “Health and Human Services has announced that there will be a formal unannounced auditing program of both covered entities and business associates,” Johnson says. “Everybody’s on notice that they’re going to be checked by Health and Human Service at some point or they stand the possibility of it, and you never know where it is going to come from,” he says.
Business Associate Agreements Requirements Revised
The new rule also modifies the requirements for business associate agreements. A covered entity, which includes healthcare providers, health plans, and healthcare clearinghouses, must have a business associate agreement (BAA) with any service provider, including subcontractors. However, the obligation to have a BAA lay with the covered entity, not the service provider. Under the Health Information Technology for Economic and Clinical Health (HITECH), all BAA’s currently in effect must be revised by September 2014.
Individuals’ Rights Expanded
Individuals’ rights are also expanded under the Omnibus Final Rule because patients can ask for a copy of their electronic medical record in an electronic form. And, when an individual pays with cash, they can instruct their provider not to share information about their treatment with their health plan. New limits have also been set on how information can be used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
Educating staff is a critical element of compliance with the Omnibus Rule for covered entities and business associates. Staff training should cover the significant changes to the organizations operations and practices as a result of the Omnibus Rule and be tailored for staff’s roles and responsibilities within the organization. Training should be documented.
Playing it Safe
Service providers, such as document destruction and document imaging and storage companies, among others, are also covered by this new rule. The new rule states that business associates can be subject to mandatory fines for “willful neglect.” Service providers need to train their employees and have policies and procedures in place to address privacy and security concerns. “A service provider’s only responsibility is to inform their customer,” says Johnson. The data breach notification requirement falls on the HIPAA covered entity. Thus, “It’s going to be the primary data custodian that has to clean up the mess, even if it’s caused by the service provider,” Johnson notes.
The lesson is to pick your data destruction service provider carefully. Shred Nations, a network of more than 500 shredding companies across North America gives this advice, “Employ a AAA NAID certified contractor, and shred everything as soon as permitted.”
Time is running out for HIPAA covered entities and business associates to comply with the Omnibus Rule requirements. In a recent training on the effects of the new Omnibus Rule, NAID’s Johnson suggested that HIPAA covered entities protect themselves by shredding everything, all the time, the same way and selecting a data security vendor that is AAA NAID certified.
The full rule can be found in the Federal Register at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
Dawn Connelly, Esq., Owner All Points Mobile Shredding, a NAID AAA Certified Company