By SYLVIA HSIEH, Lawyers USA, the national sister paper of Lawyers Weekly
Health-care entities can expect to keep busy in the coming year reviewing and revising their privacy notices and updating their contracts with related businesses in light of new proposed HIPAA rules.
Most of the rules were expected, explaining how covered entities must update their privacy notices and detailing how penalties will be assessed for privacy breaches.
One surprise in the rules was the scope of the business associate rule, which is more expansive than expected.
That rule makes clear that the requirements under HIPAA – the Health Insurance Portability and Accountability Act – that already apply to business associates of health-care providers, such as medical data contractors, auditors and law firms that represent providers, now also apply to subcontractors of those business associates.
“The requirements that previously applied to covered entities, such as health-care providers, under HIPAA now apply in full force to business associates and subcontractors,” said David Harlow, an attorney in Newton, Mass., and principal of The Harlow Group, who blogs about health-care law.
Business associates and their subcontractors must not only comply with privacy and data breach rules but, like covered entities, are now exposed to the full panoply of HIPAA penalties, which can reach as high as $1.5 million per year.
“It covers a whole lot of different businesses that didn’t previously think they were covered. It could expand [HIPAA] exponentially,” said Amy Fehn, an attorney at Wachler & Associates in Royal Oak, Mich., who represents health-care providers.
New notices ‘burdensome’
Covered entities will have to update notices of their privacy practices to reflect changes in the rules.
For example, the rules clarify that the sale of health information, such as for use by marketers, is prohibited without a patient’s authorization. There are also new limits on the disclosure of health information for fundraising purposes.
“The notices of privacy practices that are handed out to every patient and posted on the wall and on [a covered entity’s] website will have to be revised to include [the] changes. … It’s just burdensome,” Fehn said.
Entities will also have to update notices to allow patients to opt out where allowed.
“It’s a significant undertaking for the provider community,” said Harlow, who noted that the Department of Health and Human Services has invited comment on the finer points of notice provisions and timelines for compliance. Comments are due by Sept. 14.
“The changes are not required now. When the rules are finalized [a few] months from now, then there will be a timeline for compliance,” he said.
Policies are a must
The rules are a warning to the many health-care providers that still don’t have policies or have inadequate procedures for HIPAA compliance.
“I’ve seen a lot of providers’ compliance manuals and they have one page about HIPAA,” Fehn said.
She added that the agency that will enforce the rules, the Office of Civil Rights, will have less discretion than suggested in the past and will be more likely to impose penalties.
One area where covered entities often make mistakes is not fully addressing requirements for obtaining a patient’s authorization.
“I still see a lot of authorization policies that don’t comply with all the requirements. [Health-care providers] are still confused about when they need authorization. There are very specific requirements to have a valid authorization,” Fehn said.
A typical error would be failing to specify the reason for disclosing protected health information or the person to whom it will be disclosed.
Health-care lawyers said that the rules contain many helpful examples of how penalties will be assessed, but the main takeaway is that providers with policies in place are less likely to be harshly penalized.
“If you have compliance procedures in place and at least are making a good-faith effort, but for some reason something goes wrong – like maybe an employee didn’t do what he was supposed to do – that would fall within ‘reasonable cause,’ a lower penalty,” Fehn said.
The penalties for privacy breaches are tiered based on “reasonableness” and “willfulness.”
Violations resulting from a “reasonable cause” incur a $1,000 penalty per violation, whereas violations due to “willful neglect” incur penalties of $10,000 or $50,000 minimum per violation, depending on whether the problem was corrected.
Contract revisions galore
Agreements between covered entities and business associates must be reviewed and updated to comply with the new requirements.
The rules give providers who already have a business associate agreement 240 days from the date of a final rule to make the changes, and even those without an agreement have six months from the final rule’s effective date to include HITECH provisions in the agreement.
“It benefits covered entities to get an agreement before the final rule,” Fehn said.
A final rule is expected by this fall.
Covered entities should also consider going further than the contract and make sure their business associates have HITECH policies and procedures in place.
“In the past simply having an agreement in place with a business associate was enough. Now it’s incumbent on covered entities to engage in auditing business associates for their policies and operations. The alternative is potential exposure to significant liability,” Harlow said.
He added that the statute allows state attorneys general to sue for civil damages on behalf of individuals whose privacy is breached.
Even though business associates are independently liable, a breach of protected health information by a business associate is imputed to the covered entity under breach notification requirements. The covered entity has 60 days to report a breach from the time a business associate discovers the breach, even if the business associate doesn’t act.
One contract revision would be to include an indemnity provision in such a case.
“To the extent a covered entity is liable for a business associate dropping the ball, the covered entity would want to cover the cost,” said Elizabeth Litten, a partner at Fox Rothschild in Princeton, N.J.
Another contract provision might cover which party is responsible for determining if a breach has occurred.
The statute allows an exception to breach notification requirements if the breach carries no risk of harm.
“In some instances, the covered entity wants to make that determination even if the potential breach was made by the business associate. Other [contracts] might ask the business associate to decide and take full responsibility,” Litten said.
The fact that the rules now clarify that subcontractors of business associates are essentially treated as business associates themselves means that contracts between business associates and the companies they contract with must also be reviewed.
“Anything that would be in the business associate agreement or anything where there is a direct obligation pursuant to HITECH is now pertinent to subcontractors,” Litten said.