Soaring penalties and new privacy, security, and breach-notification provisions intended to modernize HIPAA have raised the stakes in the patient-privacy arena and rewritten the HIPAA rulebook. Radiology departments, practices, and their business associates are well advised to sit up and take notice.
Adam Greene, JD, MPH, formerly an attorney with the US DHHS Office for Civil Rights, offered an overview of the changes in a February 21 session at the annual meeting of the Healthcare Information and Management Systems Society (HIMSS) in Orlando, Florida. Some changes, such as the exponential increase in penalties and the responsibility of business associates for breach notification, are already in effect, but others will kick in after the final rule is published (sometime this year).
“It is quite a different playground that we are working in,” Greene says, than it was before the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Adapting circa-2000 policies to the era of the electronic health record (EHR) and cloud computing presents new opportunities to meet patient-privacy and data-security requirements, but also new challenges, Greene says. At the very least, these changes call for providers to revisit and update their risk-management programs, to reassess what safeguards are reasonable and appropriate under the HIPAA regulations, and to implement new ways of maintaining data integrity and the availability of information.
A final rule covering the privacy, security, and breach-notification provisions of the HITECH Act—as well as a final rule implementing the Genetic Information Nondiscrimination Act—will be published simultaneously, sometime this year, to minimize the changes that providers must make to their notices of privacy practices.
Based on the Notice of Proposed Rulemaking to Implement HITECH Act Modifications¹ (privacy, security, and breach-notification provisions), health-care providers can anticipate multiple changes.
Business associates: The final HITECH rule will provide for direct liability for business associates. Business associates currently are liable for breach notifications (up to $1.5 million annually for violations of an identical provision) and will be held liable for privacy and security provisions. While the Office for Civil Rights will give health-care providers ample time to adapt their business-associate agreements—up to one year and 240 days—providers should not delay in adding this task to their planning agenda.
“We are going to publish a rule that will become effective 60 days after publication, and then pursuant to our statute, we provide an additional 180 days for people to come into compliance, and that is where you get the 240 days,” Greene explains. “In our proposed rule, we propose to provide up to a year after that compliance date, so with a year and 240 days, we will give people some opportunity to get their houses in order on that front.”
Greene notes that some have questioned the need for a business-associate agreement, now that business associates are directly liable, and he suggests that the business-associate agreement continues to be an important opportunity to clarify roles. For instance, in the case of breach investigations, when is a breach reported? Does the business associate conduct its own investigation and then report to the covered entity, or does it report the breach to the covered entity directly? In the area of patient access, what are its roles and responsibilities, especially if someone comes to visit the associate and requests access to his or her records?
Subcontractors: The HITECH rule proposes that subcontractors would have the same liability as business associates. In the past, HIPAA required a chain of contracts stipulating that if business associates are going to share information with a subcontractor, then they need to have the same privacy and security restrictions in place. This would cement that provision, in that subcontractors would become business associates.
Marketing, sale of patient health information, and fundraising: Under HITECH, the government is expanding what is considered marketing (and would, therefore, require occasional authorization). Much of this involves activities for which the provider receives remuneration from a third party and that previously would not have been considered health-care operations. If you are receiving money for the service, it becomes marketing.