“If you can’t convince them, confuse them.” — Harry S. Truman
If you do not recognize the acronyms HIPAA and HITECH, you must read this column. Even if you do recognize them, but you provide any type of health or human service, I would strongly recommend that you read on.
I met recently with our firm’s information-technology experts: Carl Cadregari, Mark Battaglia, and Brett Coburn. Since you probably know that I am a technology dinosaur, I was being educated in the following interview process and thought it would be most helpful to provide to my readers.
Gerald: I was recently reading about this Omnibus Final Rule that the U.S. Department of Health and Human Services published and that it has something to do with HIPAA’s Privacy and Security rules and the HITECH Act. Can you help set the context and explain who needs to comply with this regulation?
Mark: First, let’s start by refreshing your understanding of what HIPAA entails. HIPAA is the Health Insurance Portability and Accountability Act, and it was enacted by the U.S. Congress in 1996. The purpose of HIPAA is to improve the efficiency and effectiveness of the nation’s health-care system by leveraging Electronic Data Interchange.
HIPAA is broken up into five separate rules: the Unique Identifiers Rule, the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, and the Enforcement Rule. In general, the Privacy and Security rules are what are most commonly referred to as “HIPAA rules.” These rules are designed to ensure the security and privacy of hard copy or electronic protected health information (PHI).
Brett: Also, it’s helpful to remember that HIPAA applies to a covered entity (CE). A CE is normally defined within HIPAA as any health plan including insurers and privately funded plans, health-care clearinghouse, or health-care providers like hospitals, nursing homes, doctors, pharmacies, clinics, mental health, substance abuse, and disability service providers that store, transmit, or process any health-related information.
Gerald: So, now that I understand more about the HIPAA regulation, can you explain the differences between the HIPAA Privacy and Security Rules and also HITECH?
Mark: The HIPAA Privacy rule is contained within the full HIPAA regulation in section §164.500 of the Code of Federal Regulations, usually abbreviated as CFR. The Privacy rule applies to all covered entities, and focuses on their use and disclosure of PHI. The HIPAA Security rule focuses on electronic PHI and the administrative, physical, and technical safeguards associated with protecting this data in electronic form. The Security rule is contained within section CFR §164.300.
Brett: In addition, the Health Information Technology for Economic and Clinical Health, the HITECH Act, was established in 2009 as part of the American Recovery and Reinvestment Act. HITECH expands on the HIPAA Privacy and Security rules, and enhances the controls around breach notification and Electronic Health Record (EHR/EMR) access and increases the responsibility of BAs to comply with the HIPAA Privacy and Security Rules. HITECH was also designed to promote the meaningful use of health information technology and address the privacy and security concerns associated with electronic transmission of PHI.
Gerald: I think I understand, but given all that we’ve talked about, I just saw there was an update to the rules, the Omnibus Final Rule change. What does that cover?
Brett: Where the HIPAA Privacy and Security rules focused on health-care providers, health plans, and other entities, the Omnibus Final Rule from the Department of Health and Human Services (HHS), is based on changes made under the HITECH Act and includes a number of rulings designed to “provide the public with increased protection and control of PHI.”
The rule changes several of the required actions, including expanding the existing HIPAA requirements to their business associates (BAs), strengthening of the HITECH breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. It also provides direction on how a CE must measure and document the harm caused from a breach. For example, a patient can now ask for a copy of their EMR in electronic form and an increased penalty applies for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
Mark: One other area that is expanded upon is that of genetic information. With the Omnibus rule, HIPAA has now incorporated the Genetic Information Nondiscrimination Act of 2008 (GINA) into both the HIPAA Privacy and Security rules. GINA prohibits discrimination based on an individual’s genetic information for both health coverage and employment.
The HIPAA Privacy rule now incorporates language that prohibits health plans, health-insurance issuers, and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes. These provisions to the HIPAA privacy rule have been adopted in section § 164.502(a)(5). Additionally, HIPAA has modified the definition of the term “health information” to make it clear that “genetic information” is now included within its scope.
Gerald: I see — these rules are focused on protecting an individual’s PHI and ensuring that it is used appropriately. I’m assuming that if information is stolen or misused, this could be a violation of HIPAA?
Mark: Yes. HIPAA violations stem from a breach of PHI. The Omnibus Final Rule modified the definition of a breach to be “the acquisitions, access, use, or disclosure of PHI in a manner not permitted … which compromises the security or privacy of the PHI. “So, you most likely have a breach if a computer hacker gains access to an EMR system and copies the information; or if you lose an unencrypted laptop or USB drive, backup tape, or smartphone with PHI.
It is interesting to note that even when an employee of a covered entity or business associate intentionally accesses an individual PHI record without a valid business purpose to do so, you most likely have a breach. You may have read recently where a hospital employee looked up a celebrity’s information after a visit without proper authorization.
Brett: These examples and other violations of HIPAA regulations result in fines of varying amounts up to $1.5 million annually per violation, based on pre-defined violation categories. For breaches with the intentional purpose of profiting from the information, criminal penalties may also apply.
Gerald: That is a lot of information; can you break it down for me? Let’s start with what business associates are and what are their responsibilities.
Mark: Basically, HIPAA defines a business associate (BA) as any third party who works with or for a CE to create, receive, maintain, or transmit PHI. This would include functions such as claims processing, data analysis, administration, billing, and collections. Once a BA is identified, a Business Associate Agreement (BAA) must be established and formally documented. A BAA serves as a binding agreement for the CE that ensures that the BA will conduct business under the same scope of controls as the CE, thereby providing assurance that HIPAA requirements are being met. Within the HITECH Act, all BAAs are now required to contain language that essentially holds each BA in compliance with the HIPAA Privacy and Security rules at the same level as a CE.
Gerald: What did the Omnibus Final Rule change for BAs?
Brett: In many aspects, every section of the privacy and security rule was updated. For existing BAs there were a few minor adjustments, and they still need to meet all the sections of the rules that apply to them. However, the definition of a BA has been expanded to include those that simply store PHI but do not use it. For example, an off-site storage or archival company would be required to have a BAA and comply with the HIPAA Privacy and Security Rules. However, there is a “conduit” exception in which a company that transports information but doesn’t use it would not be subject to a BAA. Internet Service providers and couriers are good examples.
Gerald: What about some of the other changes you listed — increased penalties, breach notification requirements, and individual rights?
Mark: Let’s just say, it’s going to increase costs for a CE or BA if they allow a breach of PHI. Regarding breach notification, BAs and their sub-contractors, who also need to have agreements, must follow notification rules like those that CEs must. The main reason for this change and the increase in penalties is that some of the largest breaches reported to HHS have involved BAs. Also, an individual has the right to request that their EMR be provided in electronic format, such as on a CD-ROM.
As you reflect on the foregoing information, these areas represent a significant expansion of compliance risk for your organization. Don’t let these regulations fall off the table or slip to the back burner. And, in case you were wondering Carl, Mark, and Brett can be reached for further assistance at (315) 214-7575. Good luck. It is times like these that I am glad to be a technology dinosaur.
Gerald J. Archibald, CPA, is a partner in charge of the management advisory services at The Bonadio Group. Contact him at (585) 381-1000, or via email at firstname.lastname@example.org