New Guidance Released on the Eve of the HIPAA Compliance Deadline
October 2013—Monday, September 23, 2013 marked the deadline for radiologists and other imaging providers to comply with a number of changes implemented by the HIPAA Omnibus Rule, which was published on January 25, 2013 by the Department of Health and Human Service’s Office for Civil Rights (OCR). As discussed in prior Link articles, the HIPAA Omnibus Rule finalized regulations that modified and clarified HIPAA’s privacy, security, and enforcement rules. Imaging providers have, ideally, already complied with the new regulations – for providers that have not yet done so, however, this should be a first priority. Those who find themselves past the deadline should generally first focus on the “public-facing” aspects of their HIPAA compliance program. Specifically, we recommend that most clients immediately focus on updating their HIPAA Notice of Privacy Practices (NPP) and their Business Associate contracts (BAC), and attendant matters.
To further complicate things, OCR released a number of new “guidance” documents on the eve of the HIPAA compliance deadline. We have briefly reviewed the most recent guidance below.
Notices of Privacy Practices
The HIPAA Omnibus required changes to a covered entity’s NPP. Revised NPPs must include notice of the following:
- The right for a patient to be notified in the event of a breach of their protected health information (PHI);
- A description of the uses and disclosures that require a patient’s authorization, including use of PHI for marketing purposes and the sale of PHI;
- A statement that a patient may revoke their authorization;
- A statement that the radiologist must agree to certain restrictions on the disclosure of PHI to third party payors if the patient has paid out of pocket in full; and
- If applicable, a notice that the radiologist or the practice may contact the patient for fundraising purposes and the right of the patient to opt out of such communications.
Further, based on the regulatory text and the commentary associated with the Omnibus Rule, most healthcare attorneys were counseling their clients that their NPPs had to be more comprehensive, and much longer. Fortunately, however, on September 16, 2013 (seven days before the compliance date), OCR released additional guidance relative to NPPs, including issuing a “model” NPP. The guidance is welcome, in that it appears that OCR is taking a “less is more” approach with the NPP, which will give providers leeway to adopt slightly shorter NPPs. We are not recommending that clients utilize OCRs model NPP, however, since it misses several key nuances that can act in a provider’s favor, and in several areas it contains language that appears to be in excess of what HIPAA requires. If adopted, the broader patient’s rights and other language could be binding on those who utilize the OCRs Model NPP.
If you have not already done so, revising and replacing your old NPP should be a top priority for imaging providers.
The HIPAA Omnibus Rule also implemented a number of changes in regards to Business Associates, including clarifying that Business Associates are now directly liable for compliance with certain requirements, and that covered entities (including imaging providers) may be held liable for the acts or omissions of a Business Associate acting as an agent within the scope of their authority. Most importantly, the HIPAA Omnibus Rule expanded the definition of Business Associate. The new definition includes:
- Entities that transmit and need routine access to PHI;
- Personal health record vendors who serve covered entities; and
- Any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
Imaging providers should examine their vendor and other relationships to determine whether the relationship requires entering into a BAC. In particular, you should examine vendor agreements with data management and storage companies, such as cloud based back-up services, who may not have been previously required to enter into a BAC. You should also be updating your BAC to ensure compliance with the new HIPAA Omnibus Rule. There are certain “grandfathering” provisions in the HIPAA Omnibus Rule, but pragmatically providers need to replace/revise and utilize updated BACs immediately.
Other New Guidance
The OCR also released several new/updated guidance materials that may be of interest to imaging providers. We have briefly summarized the relevant guidance below.
Deceased Individuals. The HIPAA Omnibus Rule limited the protected status of a decedent’s PHI to 50 years after the date of death. The purpose of this change was to balance the rights of decedents while permitting the important research of decedent information for historical and archival purposes. OCR issued further guidance on the application of the rule together with helpful FAQs.
After the 50-year period, the Privacy Rule no longer applies to a decedent’s PHI. During the 50-year period, the HIPAA Privacy Rule applies much as it always does, with some special exclusions particular to a deceased individual.
Law Enforcement. OCR has provided guidance for a particularly thorny area – how PHI may be disclosed to law enforcement officials. The OCR recently released a special guidance for law enforcement. The two-page guidance identifies what HIPAA is, when it applies, and when PHI may be disclosed to law enforcement.
Though not necessarily applicable to imaging providers, the OCR also released other guidance recently related to school immunizations disclosures, marketing/prescription reminders, and guidance related to CLIA regulated laboratories.
While the compliance deadline has passed, in the event any imaging provider has not updated their HIPAA policies, forms, and procedures pursuant to the HIPAA Omnibus Rule, they should take the time now to work with their compliance officers and healthcare attorneys to update those policies as soon as possible in order to avoid future enforcement actions and penalties. This is acutely important in an environment where the OCR has shown that its HIPAA enforcement has real “teeth,” and is continually issuing new guidance related to the HIPAA rules.
Adrienne Dresevic, Esq. graduated Magna Cum Laude from Wayne State University Law School. Practicing healthcare law, she concentrates in Stark and fraud/abuse, representing various diagnostic imaging providers, eg, IDTFs, mobile leasing entities, and radiology and multi-specialty group practices.
Clinton Mikel, Esq. graduated from the University of Michigan Law School. Practicing healthcare law, he concentrates in Stark, fraud/abuse, telehealth/telemedicine, compliance, and the corporate and financial aspects of healthcare practice.
The authors are members of The Health Law Partners, P.C. and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.