September 23, 2013 marked the deadline for Covered Entity1 compliance with the HIPAA/HITECH Final Rules (“Final Rules”).2 The Final Rules, which became effective March 26, 2013, granted Covered Entities a 180-day window to comply with the bulk of the Department of Health and Human Services’ (“HHS”) new HIPAA requirements. The requirements impose significant responsibilities on Covered Entities to revise HIPAA policies and corresponding documentation in line with the HHS’s heightened standards for protecting patient privacy and enhancing patient information access rights. Accordingly, Covered Entities must immediately—if they have not already—update their privacy and security policies and procedures, Notice of Privacy Practices, and Business Associate Agreements. Here is a more detailed description of these new requirements and a checklist for tracking their implementation:
Privacy and Security Policies and Procedures
The Final Rules call for various changes to HIPAA policies for Covered Entities in several key areas, including:
- Breach Notification—Have you updated your breach response process to take into consideration the new “risk of compromise” test and the factors that go into determining the likelihood that protected health information (“PHI”) has been compromised? Covered Entities have increased responsibilities for notifying patients in the instance of breaches of their PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity (or its Business Associate, as applicable) demonstrates that there is a low likelihood that PHI has been compromised. The Final Rules provide a list of factors that should be considered in making that risk assessment analysis.
- PHI Disclosures—Have you modified your policies and procedures to allow patients to instruct you to refrain from sharing PHI about treatment with a health plan if they paid out-of-pocket in full for the services? Covered Entities must now honor patient requests to restrict the disclosure of their PHI to a health plan in all instances where: 1) the disclosure is for the purpose of carrying out payment or health care operations; 2) the PHI in question solely concerns a healthcare item or service for which the patient (or a person other than a health plan and on behalf of the patient) has fully paid the Covered Entity out-of-pocket; and 3) the disclosure is not otherwise required by law.
- Marketing—Have you reviewed relationships with pharmaceutical and device manufacturers and with other providers of healthcare services or products to ensure that you are not receiving payment in exchange for making a marketing communication that would require authorization? The Final Rules significantly changed HIPAA’s approach to marketing. Patient authorization is now required for all treatment and healthcare operations communications where the Covered Entity receives financial remuneration for making the communication from a third party whose product or services are being described in the communication (with limited exceptions).3
- Sale of PHI—Have you examined your relationships to ensure that you are not engaging in the sale of PHI without authorization? Covered Entities must receive patient authorization before they may sell PHI to third parties. A “sale” of PHI covers any instance where a Covered Entity directly or indirectly receives payment from the third party recipient of the PHI in exchange for the PHI. The patient authorization must explicitly state that the Covered Entity may receive remuneration for the PHI disclosure. These sale restrictions become applicable to PHI disclosures beginning on September 25, 2013.
- Fundraising—Have you updated your fundraising forms to provide a clear and conspicuous opportunity to opt out of receiving further fundraising communications? Covered Entities must provide a method by which individuals can opt out of receiving further fundraising communications. They are free to designate any type of method by which individuals may do so, as long as the method does not impose an undue burden or more than a nominal cost on individuals (e.g., a toll-free number or email address).
- PHI Access Rights—If you store PHI electronically, have you modified your processes so patients can request and receive a copy of their PHI in electronic form? Upon a request for access, you are now required to provide all PHI contained in an electronically-maintained designated record set. Covered Entities should also be forewarned that the Final Rules have shortened the time frame in which patients must be granted such access, regardless of whether the PHI is maintained on-site. Covered Entities now have 30 days to respond to an individual’s written request for access (with a one-time extension available upon written notice to the individual).
- Training—Have you trained your personnel on the updated policies and procedures?
Notice of Privacy Practices (“NPP”)
The Final Rules also require both the modification and redistribution of a Covered Entity’s NPP:
- Updated NPP—Have you revised your NPP to reflect the changes to your privacy and security practices and procedures? Your NPP must advise patients of the following: (i) they will be notified if their PHI is subject to a breach; (ii) you may contact them to raise funds, and they have the right to opt out of such communications; (iii) you may communicate PHI to a health plan except where the individual has made a full, out-of-pocket payment and requested that such treatment information not be shared with the health plan; (iv) uses and disclosures beyond those described in the NPP require authorization, including uses and disclosures of psychotherapy notes, uses and disclosures for marketing purposes, and disclosures that constitute the “sale of PHI”; and (v) if you are a health plan and perform underwriting, you are prohibited from using and disclosing genetic information for such purposes.4
- Distribution of NPP—Have you distributed or made the updated NPP available in accordance with the Final Rules? Covered Entities must make the modified notice available upon request, must distribute the modified notice to new patients, and must display the modified notice prominently at the location where care is delivered (including on your website). A health plan that maintains a website must prominently post the revised notice (or information regarding the material changes made and how to obtain a copy of the revised notice) on its website, and provide the revised notice (or information about the material changes and how to obtain the revised notice) in its next annual mailing to individuals covered by the plan. If the plan does not have a website, then the plan must provide the modified notice (or information about the material changes and how to obtain a copy of the modified notice) to individuals covered by the plan within 60 days of the revision to the notice.
Business Associate Agreements (“BAAs”)
The Final Rules additionally require a review of existing Business Associate relationships and modifications of BAA forms:
- Relationship Review—Have you reviewed your relationships with vendors to ensure compliance with the Final Rules? It is further important to note that the Final Rules set forth a more expansive definition of “Business Associate.” Therefore, it is essential for a Covered Entity to review all relationships with vendors to ensure BAAs are in place for all vendors who create, receive, maintain, or transmit PHI on behalf of the Covered Entity as defined by HIPAA.5
- BAA Forms—Have you updated your BAA forms to reflect Final Rules requirements? A Covered Entity must use an updated BAA form for all BAAs entered into after January 25, 2013. The Covered Entity has until September 22, 2014 to amend BAAs entered into prior to January 25, 2013. Updated BAAs must include provisions that reflect a Business Associate’s shared responsibility with a Covered Entity with respect to breach notifications and, overall, to safeguard PHI. Notably, the BAA must also contain a provision setting forth the Business Associate’s obligation to enter into agreements or other arrangements with its subcontractors to ensure that the latter secures PHI.6