The following article is an EMS Insider exclusive from the March 2013 issue.
In January, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a final rule that implements a number of provisions to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The changes, designed to strengthen the privacy and security protections for health information, incorporate rules from the Health Information Technology for Economic and Clinical Health (HITECH) Act, legislation passed as part of the American Recovery and Reinvestment Act of 2009.
“These are the regulations we’ve been waiting for,” says Doug Wolfberg, attorney and founding partner of Page, Wolfberg & Wirth, a national EMS industry law firm. Noting that a good deal has changed in the area of healthcare and technology since HIPAA was first enacted, Wolfberg says the modifications will result in sweeping changes for EMS agencies that will cost both time and money to implement.
According to the HHS press release, “The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information and strengthens the government’s ability to enforce the law.” The majority of the new rules place additional restrictions on how protected health information (PHI) can be used, such as limiting its use for marketing or fundraising purposes. The new rules also modify the notice of privacy practices and expand many of the requirements of a “covered entity” to include business associates, such as contractors and subcontractors.
Probably the most far-reaching of the changes for EMS involve the new regulations on security breaches, in which PHI is, accidentally or willfully, used or disclosed in a way the rules do not permit.
Enforcement of the rule changes was also strengthened. Covered entities face a tiered penalty scheme that escalates with the level of culpability, from violations the entity did not know about up to willful neglect that is not corrected. “The penalty can hit seven figures fairly easily,” Wolfberg says. Penalties for noncompliance are based on the level of negligence, with a maximum of $1.5 million per calendar year for all violations of an identical provision.
A finding of willful HIPAA violation could leave an agency open to state enforcement as well as federal actions. The HITECH Act gave state attorneys general the authority to bring enforcement actions and obtain damages on behalf of state residents for HIPAA violations.
The effective date of the final rule is March 26, 2013. However, covered entities and business associates have until Sept. 23, 2013—a mere 180 days after the effective date—to be in compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.
History of HIPAA
HIPAA was signed into law under the Clinton administration, but before its privacy provisions took full effect under the Bush administration, many of the protections meant for patients were rolled back in favor of less regulation for the business community.
One of the first bills passed by the Obama administration, the American Recovery and Reinvestment Act, which included the HITECH Act, restored many of the original provisions. “These regulations complete that swing of the pendulum from the very ‘pro-provider’ side to ‘pro-patient side,’” says Wolfberg. “It’s been a full circle, reflecting the party in power.”
The original intent of HIPAA’s Privacy Rule was to provide federal protections for personal health information and give patients an array of rights with respect to that information. At the same time, it allows the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical and technical safeguards to be used by covered entities to ensure the confidentiality, integrity and availability of electronic PHI. According to the HHS website, a covered entity is a healthcare provider that conducts certain transactions in electronic form, a healthcare clearinghouse or a health plan.
However, the interpretation of these rules has often been confusing and inconsistently applied at a number of levels. As recently as January, following the tragic mass shooting in Newtown, Conn., Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), felt compelled to send a message to the nation’s healthcare providers clarifying HIPAA policy on disclosing patient information, including information from a patient’s mental health records.
“The rule does not prevent your ability to disclose necessary information about a patient to law enforcement, family members of the patient or other persons, when you believe the patient presents a serious danger to himself or other people,” the letter reads.
It went on to say that patient health information can be shared “when necessary to treat a patient, to protect the nation’s public health and for other critical purposes, such as when a provider seeks to warn or report that persons may be at risk of harm because of a patient.”
The “good faith” of the provider protects him or her under the law, Rodriguez says.
Notification of a breach
In the past, HHS has focused its investigations on specific incidents. The new regulations give the agency a broader reach.
The final rule eliminates the old harm threshold, under which an impermissible disclosure was not a reportable breach unless it posed a significant risk of financial, reputational or other harm to the patient. In its place, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI was compromised. Previously, the provider could judge whether or not the breach harmed the patient; now that judgment is no longer theirs to make. “It narrows the flexibility that covered entities have with regard to breach reporting. Most breaches are probably going to have to be reported,” Wolfberg says.
He also expects to see an uptick in reported breaches due to the proliferation of portable technology, especially for services that provide mobile healthcare, increasing the opportunities for PHI to be stolen or lost.
To identify potential breaches before they happen, the rules require a thorough HIPAA risk assessment, which enforcement auditors will review. A risk assessment must include a gap analysis and documentation that the workforce has been made aware of its HIPAA obligations through regular training and in-service. “A lot of places do cursory training. If personnel truly don’t know how to protect the confidentiality of a patient’s information, you really aren’t compliant,” Wolfberg says.
Internal information systems must also be reviewed, including network security, encryption of PHI on portable devices and password practices, such as requiring personnel to change logins and passwords regularly. Security policies and procedures must be kept up to date.
When a breach occurs, the offending entity must notify each affected individual without unreasonable delay and no later than 60 days after the breach is discovered. A breach involving more than 500 individuals also requires notice to HHS at the same time and, when those individuals live in one state or jurisdiction, to prominent media outlets there; smaller breaches are logged and reported to HHS annually. Wolfberg says that, typically, the investigation of a breach is triggered by a patient, employee or third-party complaint to the HHS Office for Civil Rights.
Security rule applicability to business associates
The Security Rule imposes a substantial new obligation on the business associates of covered entities. All business associates that create, receive, maintain or transmit PHI on a covered entity’s behalf must now adhere to the same administrative, physical and technical safeguard requirements that apply to covered entities. They can no longer simply be placed under contract to maintain the confidentiality of the EMS agency’s PHI.
Not only do the HIPAA rules apply to them directly, but so do the law’s enforcement provisions.
Wolfberg recommends reviewing the contracts of business associates, such as billing agencies.
“Insist that they become trained on notifying the provider in the case of a breach,” he says. “You are also probably going to be held accountable for breaches made by business associates.”
Business associates that maintain PHI on behalf of a covered entity, even if they never actually view it, need a Business Associate Agreement (BAA). This includes electronic patient care report vendors, clearinghouses, health information exchange organizations and cloud storage providers. The exception is a conduit, such as the U.S. Postal Service, UPS or an Internet service provider, that merely transports PHI and has no routine access to it.
Subcontractors of a business associate, such as a collection agency hired by a billing company, require a BAA with the business associate.
Notice of privacy practices
Changes in the Notice of Privacy Practices will require agencies to revise and re-post their notice. Don’t forget to distribute it to frequent EMS users, Wolfberg recommends. The revised notice must indicate:
- Uses and disclosures the covered entity is permitted to make;
- Covered entity’s legal duties under HIPAA;
- How the covered entity treats PHI; and
- The patient’s rights concerning PHI.
Patients can now ask for a copy of their electronic medical record in electronic form. Further, individuals who pay out of pocket in full for a service can instruct their provider not to share PHI about that treatment with their health plan. In that case the covered entity must not disclose the PHI to the plan for payment or operations purposes, unless required by law.
The recent changes in the HIPAA privacy and security rules will require EMS agencies to step up compliance efforts, particularly in the areas of training and electronic security. Some agencies may need to bring in consultants and legal counsel to assist with the risk assessment, technical security issues and the legal review of contracts and privacy notices.
Guidance may be available through industry resources, such as state and national associations and private sources. These include the Ambulance Service Guide to HIPAA Compliance, a well-known publication from Page, Wolfberg & Wirth, which will soon release the fourth edition of the guide.
The HHS Office for Civil Rights has published new HIPAA Privacy Rule guidance. It is available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.
Wolfberg strongly suggests seeking education from reliable sources. “At the end of the day, your organization is going to have to get on top of these changes,” he says.