One of the major changes resulting from HIPAA HITECH is that business associates of covered entities are now directly covered by HIPAA. Under the original HIPAA requirements, it was up to the covered entities to ensure that their business associates complied with the HIPAA restrictions on patient information provided to them. As a result, under the original HIPAA requirements, criminal penalties could be applied only to the employees of the covered entities. Now, however, business associates of ASCs that obtain or disclose protected health information without authorization could be subject to criminal penalties. Therefore, these business associates will need to comply with all of the HIPAA security rules, including all of the administrative, physical and technical safeguards and some parts of the HIPAA privacy rules.
Under the new provisions, your business associates must file a report with your ASC when they reasonably believe that protected health information has been accessed, acquired or disclosed without authorization. These reports must identify each individual affected. Your business associates must also file a report with the US Department of Health and Human Services (HHS) if the breach cannot be cured.
ASCs should review their existing business associate contracts. Your ASC may want to consider amending its business associate contracts to require compliance with the new HIPAA requirements and to require the business associate to indemnify the ASC for any costs resulting from a breach by the business associate. Be prepared to respond to questions from business associates that may not have been much concerned with HIPAA violations in the past.
Changes also expand the types of vendors considered business associates. As a result, if your ASC works with the following entities, you may need to enter into HIPAA business associate agreements with them for the first time.
- health information exchange organization
- regional health information organization
- e-prescribing gateway
- personal health record vendors
Civil monetary penalties for HIPAA violations were increased. Under the original HIPAA rule, civil monetary penalties were limited to $100 per occurrence and a maximum of $25,000 for all identical violations in the same calendar year. Now, civil monetary penalties are tiered depending on the seriousness of the HIPAA violation, with a maximum of $1.5 million for identical violations in a calendar year. (See chart below.) A corrective action can be required in lieu of a penalty if the person or entity that committed the violation was unaware that a violation occurred.
Penalties per violation:

| Type of Violation | Minimum Penalty Per Violation | Maximum Penalty Per Violation |
|---|---|---|
| Did not know | $100 | $50,000 |
| Reasonable cause | $1,000 | $50,000 |
| Willful neglect (if corrected within 30 days) | $10,000 | $50,000 |
| Willful neglect (not corrected within 30 days) | $50,000 | $50,000 |
Also as a result of the HIPAA HITECH amendments, HHS must investigate any complaint related to a violation that may have resulted from “willful misconduct.” If a violation due to willful misconduct is found, HHS must assess civil monetary penalties. The civil monetary penalties that are collected will go to HHS to fund HIPAA enforcement.
State attorneys general may also bring suit for privacy and security violations on behalf of state residents. In addition to damages to affected individuals, costs and attorney fees can be awarded to the state.
In the event of an inappropriate disclosure of a patient’s protected health information, HIPAA requires ASCs to
Now, ASCs are also required to notify any individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired or disclosed and make reports to HHS.
Basic Requirements
An ASC must now notify individuals about a breach involving their “unsecured” protected health information. Protected health information is unsecured unless it is encrypted or destroyed. For paper, film or other physical copies, the copy must be shredded or destroyed in such a way that protected health information cannot be read or recovered. For electronically stored data, the electronic media must be cleared, purged or destroyed per NIST Special Publication 800-88.
ASCs should note that while securing protected health information is not required, doing so limits an ASC’s liability in the event of a disclosure and creates a sort of “safe harbor” for the ASC. In other words, the electronic information should be encrypted per the standard, and paper information should be shredded in such a way that it cannot be recovered (crosscut or confetti).
A breach is defined as the unauthorized access, use or disclosure of protected health information that compromises privacy or security. The access, use or disclosure must pose a significant risk of financial, reputational, or other harm to the affected individual.
Certain exceptions to the notification requirement apply when
- access is inadvertent or unintentional, by a workforce member of a covered entity or business associate, in good faith, and the information is not further used or disclosed
- the disclosure of protected health information occurs and a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the protected health information (for example, a patient momentarily viewing a computer screen that contains a large amount of information)
In summary, for a breach to require notification, there must be
- A Breach. The acquisition, access, use, or disclosure of protected health information in a manner not permitted by the HIPAA privacy rules that compromises the security and privacy of the protected health information
- A Significant Risk. The security or privacy of protected health information poses “a significant risk of financial, reputational or other harm to the individual”
- Unsecured Information. Unsecured protected health information must be involved
- Neither Exception Applies.
When & How to Notify
The notification to affected individuals must occur as soon as possible but no later than 60 days after discovery of the breach. The ASC has discovered a breach when any employee other than the one committing the breach knows of it. The notification must be
- in writing
- mailed to the affected individual’s last known address (or sent by email if the individual has consented)
- accomplished using another means if the address is not known (Note: If the addresses of more than 10 individuals affected by the breach are unknown, you must make notice on your web site or through the media.)
The notice must include
- a description of the incident, including the date of the breach and the date of the discovery of the breach
- a description of the type of protected health information involved
- suggested ways an affected individual should protect himself or herself from possible harm resulting from the breach
- a description of what the ASC is doing to investigate the breach and mitigate the loss
- a description of what the ASC is doing to prevent similar breaches in the future
- ways an individual potentially affected by the breach can contact the ASC, including a toll-free phone number, an email address, a web site or a postal address
Special rules apply to breaches involving more than 500 individuals within a state. In this case, the ASC must also inform prominent media outlets in the region.
HHS Reporting
Another new requirement is that ASCs report all breaches to HHS. Except in cases of breaches involving information regarding 500 or more individuals, the ASC must maintain a log and file an annual report with HHS. HHS has issued a specific form that must be completed for each breach. In cases involving more than 500 individuals the report must be filed at the same time the individuals are notified.
Marketing
HIPAA HITECH also makes changes in the use of protected health information for marketing purposes. In general, any communication that encourages the purchase of a product or service is considered marketing. Because such communications are marketing, the patient must authorize them.
Under the new amendments, if an ASC receives any compensation (direct or indirect) in exchange for making the communication, it is considered marketing rather than health care operations unless
- it involves a drug or biologic that is currently prescribed to the individual and the payment is reasonable
- the communication is made by your ASC’s business associate and is consistent with your ASC’s agreement with that entity
Fundraising
Under the HIPAA HITECH amendments, when protected health information is used for fundraising, the recipient must be provided, in a “clear and conspicuous manner,” the ability for patients to opt out of future fundraising communications.
Sales of Protected Health Information
Your ASC and your ASC’s business associates are barred from selling protected health information unless
- the patient has signed an authorization
- the disclosure is required for public health, research, due diligence in the sale or merger of an ASC, providing an individual with copies of his or her own protected health information, health care operations or treatment
Additional regulations governing the sale of protected health information are due out in 2010.
Individuals have the right to obtain a copy of their protected health information in electronic format if the provider uses electronic health records (EHR). EHRs are electronic records of health-related information created, gathered, maintained or consulted by authorized clinicians within an institution.
Under HIPAA, covered entities are required to notify patients about certain disclosures of protected health information. Disclosures made for treatment, payment or ASC operations do not need to be included in the disclosure.
Under HIPAA HITECH, some changes are made for covered entities using EHR. Specifically, the accounting will need to include all disclosures, including those for treatment, payment and ASC operations. In addition, the accounting will need to either include all disclosures by the ASC's business associates or a list of business associates. Instead of being required to keep a list for six years, the accounting will only need to include disclosures for the last three years. This provision will also apply to any entities that use paper records that are scanned.
Individuals can request restrictions on the use and disclosure of their protected health information but the covered entity retains the right to decide whether or not to honor those requests. HIPAA HITECH changes this with regard to one type of information. Individuals can prohibit covered entities from disclosing protected health information to a health plan if the protected health information is related to an item or service that the patient paid in full, in other words, if an insurer did not contribute to payment.
If your ASC receives payment as a result of actions it takes related to any of those exceptions, patient authorization to use that information is required unless
HIPAA has traditionally required ASCs to restrict uses, disclosures and requests for protected health information to the amount required for the purpose or to a limited data set. ASCs were allowed to rely on the requesting entity’s delineation of minimum necessary information.
The HIPAA HITECH amendments make changes in this provision.
- Your ASC is also required to have policies in place that define how to interpret “minimum necessary” for routine and nonroutine requests.
- Instead of relying on the requesting entity or provider, your ASC must make its own determination of the minimum necessary information for the purpose requested.
- HHS will issue guidance on what “minimum necessary” means by August 2010.
This limitation on disclosure does not apply to:
- disclosures and requests for treatment
- disclosures to the patient
- uses or disclosures with patient authorization
- uses or disclosures required by law
ASCs are only beginning to learn all they will need to know about the HIPAA HITECH amendments and the new practices and policies those amendments will require ASCs and their business associates to adopt. With the assistance of the ASC Association, your ASC needs to watch for updates as they become available and ensure that your ASC is in compliance with any new regulations as they become effective. This article provides a general overview of new requirements to assist you in adopting your policies to conform with the new law, but does not provide legal advice. You may wish to consult a lawyer or other expert in applying these complex requirements to the specifics of your ASC.
The HIPAA HITECH amendments demand ASC attention now and in the immediate future. It is imperative that ASC professionals learn about these amendments and dedicate the resources necessary to ensuring that their ASC remains HIPAA compliant.
By Dawn Q. McLane, RN, MSA, CASC, CNOR
Dawn Q. McLane, RN, MSA, CASC, CNOR, is the chief development officer for Nikitis Resource Group and a former member of the ASCA's Board of Directors and ASCA's HIPAA Task Force.