Under HIPAA regulations, individuals are granted specific rights with respect to the privacy of their identifiable health information, and HIPAA rules provide for the disclosure and sharing of that information with certain entities when they have a legitimate need to know.
The HIPAA HITECH Act revises parts of the Social Security Act to expand upon the privacy and security protections granted to individuals under HIPAA. The HIPAA HITECH Act specifies that health care providers must implement a system of Electronic Health Records (EHRs), and the act provides for monetary incentives to those healthcare providers who are able to show “meaningful use” of their established EHRs until the year 2015. After 2015, healthcare providers will be penalized for failing to show such use of their EHRs. HITECH also specifies that individuals, or specified third parties, are entitled to an electronic copy of all ePHI that pertains to them. HIPAA set guidelines for the disclosure of Protected Health Information (PHI), but it did not require disclosure to individuals when their personally identifiable information was breached. HITECH regulations require that notice of breaches of health information be provided to impacted individuals via first class mail with an explanation of the breach and an indication of the processes being put into place to resolve the breach. If a breach impacts 500 or more individuals, healthcare providers must notify those individuals and also the DHHS, the media and the State Privacy Officer.
Increased Penalties

HIPAA HITECH establishes four categories of violations, associated penalties and maximum penalty amounts for violations of the law. The HITECH Act imposes penalties against health providers even in cases where they did not know or would not have known of a violation, and exempts them from penalties if a violation was not a result of willful neglect and it was corrected within 30 days.
Omnibus Final Rule

The Omnibus Final Rule regulations went into effect on September 23, 2013 and made changes to several aspects of the Privacy Rule. Listed below are highlights of the changes.
- The final rule expands patient rights by allowing them to ask for a copy of their electronic medical record in electronic form.
- Under the final rule, when patients pay out of pocket in full, they can instruct their provider to refrain from sharing information about their treatment with their health plan.
- If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for the service, the provider must also restrict the disclosure of PHI regarding the service to Medicare.
- The final rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individual’s health information without their permission.
- Penalties for noncompliance with the final rule are based on the level of negligence with a maximum penalty of $1.5 million per violation.
- The breach notification final rule was amended with a requirement to determine the breach’s “risk of compromise” rather than harm. “Compromise” was considered a more objective test than harm. Thus, breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates a low probability that the PHI has been compromised.
- To determine whether there is a low probability that PHI has been compromised, the covered entity or business associate must conduct a risk assessment that considers at least each of the following factors:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  - The unauthorized person who used the PHI or to whom the disclosure was made.
  - Whether the PHI was actually acquired or viewed.
  - The extent to which the risk to the PHI has been mitigated.
- The final rule changed what incidents are exceptions to the definition of “breach.” Before, an incident was an exception to the definition of breach if the PHI used or disclosed a limited data set that did not contain any birthdates or ZIP codes. Under the final rule, breaches of limited data sets — regardless of their content — must be handled like all other breaches of PHI.
- Providers and covered entities still have a safe harbor, in which an unauthorized disclosure only rises to the level of a breach — thereby triggering notification requirements of the HITECH Act — if the PHI disclosed is “unsecured.”
- Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of technology or methodology specified by the secretary through published guidance.
- Requirements for methods of breach notification remain unchanged. That is, providers and covered entities must provide notice to individuals, the media (if the breach affects more than 500 residents of a state or smaller jurisdiction) and HHS (if the breach affects more than 500 individuals regardless of location). Business associates, or people or organizations that conduct business with the covered entity that involves the use or disclosure of individually identifiable health information, must also provide notice to covered entities no later than 60 days after the discovery of a breach of unsecured PHI.
- Covered entities’ Notice of Privacy Practices forms need to inform patients that they will be notified if their PHI is subject to a breach. NPPs must also inform individuals that a covered entity may contact them to raise funds, and the individual has a right to opt out of receiving such communications.
- Business associate agreements and policies and procedures must address the prohibition on the sale of patients’ PHI without permission.
- Covered entities must modify and implement policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities.
- Covered entities’ business associate agreements and policies and procedures must address the expanded rights of individuals to restrict disclosures of PHI.