HIPAA Final Rule highlights for practitioners

The rule mandates changes to privacy notices and modifies breach notification requirements, among other provisions.

By Legal & Regulatory Affairs staff

March 14, 2013—The Department of Health and Human Services (HHS) released the Health Insurance Portability and Accountability Act (HIPAA) Final Rule on Jan. 25, 2013. The Rule goes into effect March 26, 2013 and covered entities (CE) and business associates must comply with the requirements of the Final Rule by Sept. 23, 2013. The Final Rule enhances patient privacy protections, provides individuals with new rights to their health information and strengthens the government’s enforcement of and penalties under the law.

The APA Practice Organization (APAPO) will be making detailed guidance available for practitioners well in advance of the September 2013 compliance deadline. The following is a brief overview of some of the changes that will be coming. The last section provides more information on next steps.

For more information about the Privacy Rule and frequently used terms, please refer to the Privacy Rule Primer (PDF, 1.5MB) available on APAPO’s Practice Central website.

Changes to Notice of Privacy Practices

Changes were made to the information that is now required in the CE’s Notice of Privacy Practices (Privacy Notice). CEs will need to update their Privacy Notices as required by the law. The updated Privacy Notice need not be given to existing patients who have already received a Privacy Notice. However, a copy of the updated Privacy Notice must be posted in the practitioner’s office and all new patients must be given a copy.

Updated Privacy Notices must include the following statements, among others: 

  • Most uses and disclosures of psychotherapy notes, uses and disclosures of protected health information (PHI) for marketing purposes, and disclosures that constitute a sale of PHI require patient authorization; 

  • Other uses and disclosures not described in the Privacy Notices will be made only with authorization from the individual; 

  • Patients have the right to restrict certain disclosures of PHI to health plans/insurance companies if the patient pays out of pocket in full for the health care service; and 

  • Affected patients have the right to be notified following a breach of unsecured protected health information.

Modifications to the Breach Notification Rule

In the Final Rule, HHS clarifies that an “impermissible use or disclosure” of PHI is presumed to be a breach unless the CE or business associate demonstrates that there is a “low probability that the protected health information has been compromised.” Breach notification is not necessary under the Final Rule if a CE or business associate demonstrates through a documented risk assessment that there is a low probability that the PHI has been compromised.

CE’s and business associates must assess the probability that the PHI has been compromised based on a risk assessment that would be performed routinely following any security breaches. The risk assessment considers the following factors:

  1. Nature and extent of PHI involved; 

  2. To whom the PHI may have been disclosed; 

  3. Whether that PHI was actually acquired or viewed; and 

  4. The extent to which the risk to the PHI has been mitigated (for example, assurances from recipient that information has been destroyed or will not be further used or disclosed).

Providers are required to give notification of a breach unless the information was secure. If the risk assessment fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required. This risk assessment should be documented in your records for all potential breaches.

Providers will need to update their incident response and breach notification processes to reflect the change from a “risk of harm” standard to a “presumption of breach” standard and to include the four factor assessment. It is important to note that HHS includes not just unauthorized access to PHI, but also impermissible uses by knowledgeable insiders in its definition of breach requiring an assessment.

Business Associates

The Final Rule requires that business associates and their subcontractors comply with the HIPAA rules in the same manner as covered entities. Any entity that “creates, receives or transmits” PHI on behalf of a covered entity may now be held directly liable for impermissible uses/disclosures. Business associates and subcontractors must conduct risk assessments under the HIPAA Security Rule.

Although business associates are now directly regulated under HIPAA, covered entities are still responsible for their business associates’ actions. Therefore, CEs must ensure that they obtain satisfactory assurances of HIPAA compliance through their business associate contracts and business associates must do the same for their subcontractors.

Penalty Structure

HHS set up a four-tier financial penalty structure for breaches deemed serious enough to warrant a penalty imposed by the federal government. Based on culpability, fines range from $100 to $50,000 per violation with a cap of $1.5 million on violations of identical provisions happening within the same calendar year. High-level penalties are targeted at CEs who are being willfully neglectful or making no attempt to correct problems.

Next Steps

APAPO is evaluating the best means for making compliance with the new requirements efficient for practicing psychologists. We will provide further details in upcoming issues of the PracticeUpdate e-newsletter. To let our few HIPAA experts focus on this task of making guidance available to all practitioners, we ask that individual members hold their questions on the new requirements while that guidance is being prepared.