Special Showcase Edition April 2013

All Aboard the HIPAA Omnibus Rule
By Julie Knudson
For The Record
Vol. 25 No. 7 P. 14

With a September compliance date, the final rule expands the covered entity definition and revises data breach regulations.

In January, Health and Human Services released the final omnibus rule that represents the largest revamp of HIPAA regulations since the law’s inception in 1996. Designed to enhance patient privacy protections and address the many technology and data management innovations that have come about in the past 17 years, the final rule expands who must comply with privacy regulations and how much control patients can exercise over their protected health information (PHI), among other objectives.

Business Associates
One highlight of the new legislation is the increased compliance obligations for business associates and who is included in that category. “If a party has access to PHI, they may become business associates of the covered entity even though they may have no contractual relationship with the covered entity,” says Patricia Calhoun, JD, health care attorney at law firm Carlton Fields’ Tampa, Florida, office.

This change may affect companies that offer transcription services, billing support, and even cloud storage. “I’ve seen a lot of information talking about clouds and those kinds of IT issues and whether or not they’re going to be business associates,” says Calhoun, who believes cloud providers eventually will fall under that umbrella, although the industry is waiting for clarification. Including cloud providers as business associates depends on factors such as whether they actually manage and have access to PHI or are just conduits for transport.

Angela Dinh Rose, MHA, RHIA, CHPS, director of HIM practice excellence at AHIMA, says providers must ensure their business associates understand their increased obligations. Existing contracts will need additional, detailed language to be sure everyone is bound by the appropriate terms.

Business associates also should remember that specific portions of the final rule apply much farther down the covered entity chain than before, including how the release of information is handled and who can face penalties for breaches. In addition, Rose says that the “sale of PHI for remuneration requires an authorization from the patient” no matter where that sale happens in the data chain.

Breach Notifications
One notable change in the final rule is the removal of the harm standard and its replacement with a disclosure assessment. For the past three years, the potential impact of unauthorized disclosures was evaluated on a case-by-case basis. “You had to determine whether that inappropriate disclosure would create a harm—financial, reputational, or some other type—to that patient,” says Mary Poulson, MA, RHIT, CHC, CHPC, cochair of the privacy and security practice council at AHIMA and director of compliance for western regions at MEDNAX Services.

If it was decided that no harm was created, then patient notification of the inappropriate disclosure wasn’t required. Under the new legislation, the harm standard no longer exists, and providers instead must determine whether PHI was compromised. Additional guidance will likely be forthcoming, Poulson says, adding that the Office for Civil Rights didn’t give any further clarification, such as defining “compromised.”

Rita Bowen, MA, RHIA, CHPS, SSGB, senior vice president of HIM and privacy officer at HealthPort, believes the new rule creates a better landscape to deal with potential breaches going forward because the previous version may have allowed organizations to stretch the definition of what was likely to cause harm. “The final rule eliminates those interpretations,” she says. “The playing field is now level.”

Providers and business associates will be required to report inappropriate disclosures where PHI was compromised, resulting in more consistent reporting, she adds.

Patient Information Requests
Patients now can request their health information in a format of their choosing, whether it’s electronic or paper. “Providers have to try to accommodate the individual request if possible,” says Kim Murphy-Abdouch, MPH, RHIA, FACHE, a clinical assistant professor at Texas State University in San Marcos. Examples include downloading information to a USB drive, copying it to a CD, or formatting it as a PDF. Providers may have alternatives if a patient’s request is outside their capabilities. “[In those cases,] they will need to work with the individual to figure out another way to give them the information they’re asking for,” Murphy-Abdouch says.

The time frame to respond to requests for patient information also has changed, dropping from 60 days to 30 days. However, the shorter window will have little impact on most providers, says Kelly McLendon, RHIA, CHPS, president and founder of Health Information Xperts. “Covered entities are probably handing off copies of PHI to patients within 30 days already,” he notes.

Still, requests now can come from a wider variety of places and with different types of authorization. For example, an oral agreement with a student (or a parent) is acceptable for a covered entity to disclose proof of immunization to a school. Previously, written authorization was required.

Disclosure Dilemmas
Patients who pay in full at the time of service now can request a disclosure restriction for that particular visit, meaning the information culled from that trip can’t be released to a patient’s health plan. But Murphy-Abdouch says there still are permissible disclosures even when a patient requests privacy. “Interestingly, it doesn’t apply when the health care organization is sending information to another provider; it’s just to the health plan,” she explains.

And if the individual wants to control disclosure further down the chain? “It’s up to the patient to notify the second provider that they want that information restricted,” Murphy-Abdouch says. Providers that violate the privacy request will be subject to penalties for impermissible disclosure of information under the privacy rule.

According to Poulson, under the initial HIPAA rules, providers had the right to deny privacy restriction requests, but that’s no longer the case in the final rule. “Organizations must agree to that privacy restriction,” she says, adding that the information can’t be released to the patient’s health insurance company even if the existing EHR system—which may not yet be set up for detailed control of information disclosures—makes compliance at the individual-visit level difficult.

Workflow Detours
There will be some additional work involved for most hospital systems, both around patient communication and administrative oversight. Providers likely will spend more time compiling information in multiple formats while responding to patient requests. Changes to breach notification requirements will place an additional strain on staff. “I believe the new harm standard will result in a much higher level of notification,” says Calhoun, who believes this will result in more time being devoted to determining the probability that PHI was compromised and notifying patients about unauthorized disclosures.

Workflows inside HIM departments likely will need to be reevaluated to ensure compliance with the final rule, Bowen says. One area of concern is how different groups within the same hospital system share information and send data back and forth. “The problem that I see is that usually there’s a one-way feed,” she says. When one system sends data to another, any alert that information was released on the receiving end may not make its way back to the primary system. When this occurs, disclosure rules may be overlooked. “The whole process of releasing information needs to be evaluated in totality,” Bowen says. “It’s PHI regardless of where it’s currently being stored.”

Complying with the disclosure restrictions on paid-in-full visits also will require staff to devote additional time to ensuring that records are properly flagged. Workflows may need to be modified to allow for the discovery and appropriate handling of flagged records when data are sent out for processing. “How will the system keep track of that restriction to make sure the information never goes to the health plan?” Rose asks. “Staff are going to have to be trained and operational processes will need to be changed to identify those restrictions.”

Educating Staff
Poulson says the first step toward compliance is to compare the final rule with current policies, procedures, and forms. Once any necessary revisions are made to bring existing processes into compliance, “then go back and educate staff not only on the overall changes but on how those changes affect their specific job duties,” she says, adding that face-to-face meetings work best, but other communication methods can also be effective. “I’ve developed talking points for directors and managers to take back to departments to review at staff meetings, and we put out HIPAA privacy alerts to employees on our intranet and in our organization’s newsletter to keep them updated on privacy changes.”

Training methodologies should be tailored for different types of staff to ensure they’re given the essentials without overwhelming them with unnecessary information. For some, there may not be much in the way of direct rule changes requiring education, while for others, specific parts of the final rule will have a direct impact. “If you’re an HIM person—anyone that releases information or has compliance responsibilities—then you’ll have more involved training,” says McLendon, who recommends finding guidance from various sources, including the webinars being offered by several industry groups to help hospitals navigate the changes.

Murphy-Abdouch suggests a two-pronged approach to training that reflects the different intents behind patient information requests and other disclosures. When patients have their health information, they can better manage their chronic conditions and understand their medications, enabling them to make better decisions about their health care. “Under meaningful use, the patient has to be able to get a copy of their health information if they request it, and we should train staff to be more permissive of that,” she says. For requests from third parties that use patient information as a normal course of business, Murphy-Abdouch recommends a stricter approach to ensure that disclosures don’t run afoul of the new regulations.

Overall Impressions
Few changes in the final rule are likely to be onerous for hospitals to implement—hopefully. Many business associates and covered entities already are on board with their compliance obligations, although Bowen says a review of those partners is in order. “[Providers] do need to reevaluate their business associate agreements to make sure the specifications are included now to include the new language of the rules,” she says, adding that providers should look at renewal dates to determine which requirements to tackle first. (For those that renew before the September 23 compliance deadline, they have until 2014 to be compliant.)

The new mandate regarding privacy of visits that were paid in full could pose challenges. “I think compliance could be logistically hard for the entity,” Calhoun says. One hurdle will be how to handle the HIPAA agreement because patients likely will not want to sign anything that includes disclosure language. Another obstacle is identifying information from a single visit in an integrated EHR system. “How do you put a note on that one piece of the patient’s record?” Calhoun asks. “I think logistically that is going to be very complex.”

The details of the final rule didn’t catch many by surprise. “It’s been such a long time coming,” says Bowen, who’s relieved that the release of access logs wasn’t included, largely because of the confusion it probably would have caused. “I don’t think the average consumer knows just how many people legitimately have to touch their medical information.”

She says a proposed guidance that would have offered patients information on who accessed a record and what was viewed but not why a record was accessed had the potential to cause patients needless worry. “I think it was a good sign that it was delayed, and I hope the next version will include that access logs can be limited to specific requests,” Bowen says.

Poulson was glad to see that breach notifications for all unauthorized disclosures weren’t included in the final rule. “That would have been very onerous,” she says, adding that the ultimate ruling—determining harm by whether PHI had been compromised—was a bit of a surprise, only because there had been intense pressure to adopt an all-or-nothing approach. “I think the Office for Civil Rights tried to find some middle ground by coming up with this.”

McLendon says the greatest source of controversy stems from the new breach determination standard, where the probability that a breach compromised PHI is used to determine notification obligations. “I don’t know that they made it a more objective standard, which is what they were trying to do,” he says. “It isn’t what they call a ‘bright line standard,’ where there’s a line that says if you had a wrongful disclosure you have to report it.”

McLendon expresses concern that calculating PHI release probabilities and increased reporting might occupy too much of a staff’s time. “They’re expecting more reporting of breaches under this new rule, but we’ll see if that happens,” he says.

— Julie Knudson is a freelance business writer based in Seattle.