New HIPAA Mandates
How will the changes affect you?
The privacy and security of patient health information has recently become more complicated. In January, the U.S. Department of Health and Human Services (HHS) issued a final rule that formalizes changes to HIPAA.1
HIPAA requires that covered entities, such as radiology and radiation oncology practices, comply with standards that govern the privacy and security of patient health information (PHI), whether the practices maintain it electronically or on paper.
The new rule implements amendments to the HIPAA provisions that Congress enacted in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. After issuing proposed and interim final rules on the HITECH amendments, the government has now issued a comprehensive final rule on how ACR members and other stakeholders must comply with the law. Significantly, the new regulation includes an enforcement section that toughens the HITECH rules. While the rule took effect March 26, 2013, radiology and radiation oncology practices and their business associates generally have until September 23, 2013, to comply. In this column, we discuss the HIPAA modifications that ACR members should review with their practice staff and qualified counsel.
Conduit vs. Business Associate
HIPAA has typically classified organizations that interact with covered-entity physician groups and hospitals as "business associates." A "covered entity" is a health care provider, such as an individual radiologist or radiation oncologist, who transmits patient information electronically for a standard transaction, such as a claim for payment. A "business associate" is an individual or organization that performs for ACR members a health care activity or function, such as billing or utilization review, that involves the use or disclosure of PHI. Under the final rule, HHS has established a more definitive test for determining whether a service provider qualifies as a "conduit" that has only transient, incidental access to PHI, such as a telephone company or the post office. Conduits do not have to follow HIPAA's business-associate provisions. However, a service provider that routinely handles or maintains PHI for a radiology practice, such as a billing company or a cloud company that stores patient health data, is a business associate. The government will focus on how persistently a service provider handles PHI, not on whether (or how) it actually views the data.2
According to the final rule, downstream subcontractors of a business associate also must meet the business-associate requirements of the new privacy and security rules, even if they do not actually view PHI. A radiology or radiation oncology group only has to enter into a business-associate agreement with its direct business associate, such as its billing company. A business associate or downstream subcontractor in turn must obtain written "satisfactory assurance" from its own immediate subcontractor that the latter will protect any PHI it receives.3
The final rule imposes direct obligations on business associates to limit their use and disclosure of PHI to what the business-associate agreement or the HIPAA Privacy Rule permits. Business associates also have the same legal duty as covered entities to disclose PHI to HHS so the government may investigate their HIPAA compliance.
Time to Comply
Fortunately, the government will give practices and their business associates up to one year beyond the compliance date, or until September 23, 2014, to keep their current agreements in place. To qualify for this transition period, an agreement must have existed as of January 25, 2013, must have complied with the HIPAA rules then in effect, and must not be modified or renewed before the transition period ends. Once the period ends (or sooner, if an agreement is renewed or modified), radiologists must amend their agreements to meet the final rule's new provisions.
The government likely will enforce HIPAA violations more consistently because it has adopted a system of additional, and tougher, penalties. The penalties range from $100 per violation for "did not know" violations up to $50,000 per violation, with an annual cap of $1.5 million for identical violations, when a radiologist or radiation oncologist is found to have willfully neglected HIPAA duties and failed to correct the deficiency. Although HHS issued an interim enforcement rule in 2009, it has brought few cases against individuals or businesses. The final rule requires HHS to investigate and directly enforce cases in which a physician or group has willfully neglected HIPAA compliance. HHS will continue to resolve matters that do not involve willful neglect informally. Importantly, a covered entity or business associate now has "upstream vicarious liability" for the activities of a downstream contractor that faces HIPAA criminal or civil penalties. This applies if the practice or business associate had the authority to control its downstream contractor's conduct in performing a health care service, under the federal common law of agency.
Into the Breach
The HITECH Act required radiology and radiation oncology practices to notify affected patients and HHS of any breach of unsecured PHI. In certain situations, HITECH also mandated that covered entities notify the media of such breaches. A business associate that discovered a breach had to notify its covered entity. "Breach" meant any unauthorized acquisition, access, use, or disclosure of PHI that compromised the privacy or security of the information. HHS exempted certain unintentional acts or omissions by workforce members acting in good faith within the scope of their employment or professional relationship with a covered entity or business associate. Inadvertent acts or omissions that did not result in further unauthorized use or disclosure were also exempted.
The final rule largely implements the 2009 interim final breach notification rule, with one major exception: HHS removed the subjective "harm standard" from its "breach" definition and replaced it with a more objective test. An impermissible use or disclosure of PHI is now presumed to be a breach unless the radiology practice or its business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised.
What does this mean for ACR members? More breaches of PHI may have to be disclosed between covered entities and business associates and reported to the government. Additionally, the reporting provisions of these changes take effect immediately because HHS only clarified an existing position. We urge practices to confer with their attorneys and advisors in analyzing any actual or potential PHI breach. There are serious legal and business consequences to reporting a breach to patients, the government, and the media. For more information on the HHS final rule, please call the ACR Legal Office or visit HHS' HIPAA web site at http://bit.ly/HHS-HIPAA.
By Bill Shields, JD, LLM, CAE, and Tom Hoffman, JD, CAE
1. U.S. Department of Health and Human Services. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; 45 Code of Federal Regulations, Parts 160 and 164. Federal Register, Vol. 78, No. 17, pp. 5565–702 (January 25, 2013).
2. Wieland JB, Swank SE, and Freemire JJ. "HHS Overhaul of HIPAA: Summary of Obligations for Covered Entities and Business Associates." Ober Kaler; January 24, 2013. Available at http://bit.ly/HHS-HIPAAsummary. Accessed Feb. 13, 2013.
3. Federal Register, Vol. 78, No. 17, pp. 5578–9.