The publication of new, dense, complicated regulations is not an occasion for celebration among hospices. Quite the contrary. As news began to spread of the January 25th, 2013 publication of the long awaited HIPAA omnibus rule (Final Rule), we could almost hear a collective "Now what?" groan echoing through the land.
With hospices already bombarded from all directions on the regulatory front, it is helpful to provide an overview now of what hospices need to know and, in a later post, of what hospices need to do. At Weatherbee and the Hospice Education Network (HEN), we use the "what you need to know and do" framework extensively to cut to the chase and try to help hospices understand, operationalize and comply with regulatory requirements.
Here is a broad overview (not guaranteed to be exhaustive) of things hospices need to know about the Final Rule:
- It was published in the Federal Register on January 25, 2013.
- The Final Rule is actually a combination of four final rules: Privacy, Security, Breach Notification and Enforcement.
- The actual title of the Final Rule provides a lot of clues about its purpose: "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules."
- The head of the Office for Civil Rights (OCR) said: "This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented."
- Its publication ended a nearly three-year wait to see exactly how the changes the HITECH Act brought to the HIPAA regulations would play out.
- The effective date is March 26, 2013 and the compliance deadline is September 23, 2013 (with the exception of a few requirements).
- The Final Rule did not address the potentially horrible changes proposed for the accounting of disclosures requirements, stating that they will be the subject of a future rule.
- There is no compliance deadline for the enforcement provisions because there are no standards associated with them - they just go into effect on March 26, 2013.
- The Final Rule provides additional expansion and clarification of the changes brought by the HITECH Act to strengthen HIPAA enforcement powers.
- Enforcement has ramped up since HITECH and is likely to ramp up even further in the months/years ahead.
- The government will investigate all complaints of breaches of protected health information (PHI) when there is an indication of willful neglect.
- The government may or may not attempt informal resolutions during compliance reviews - or it may immediately impose civil monetary penalties.
- The Final Rule clarifies the terms willful neglect and reasonable cause and factors considered in determining the amount of penalties for non-compliance.
- Business associates and their subcontractors are subject to liability and enforcement (including fines) in the same manner as hospice programs.
- Tighter restrictions on the use of protected health information (PHI) for marketing purposes.
- Changes to the requirements related to an individual's right to request restrictions on the uses and disclosures of PHI.
- Hospices must grant an individual access to PHI in electronic form if the individual requests access to their PHI in an electronic format.
- New provisions related to fundraising, including the types of PHI that might be used or disclosed for fundraising purposes; flexibility in selecting methods for opting in and out of receiving fundraising communications; and prohibiting (as opposed to allowing "reasonable efforts") sending further fundraising communications to individuals who have opted out.
- Significant changes to requirements related to business associates, many of which will require updating the contents of business associate agreements.
- Due to the extent of changes related to business associates, the Final Rule provides for a transition period for a hospice's existing business associates and grandfathering existing agreements until September 22, 2014.
- The period of time during which a hospice must comply with the Privacy Rule with regard to a decedent's PHI is now limited to 50 years following the individual's date of death (as opposed to forever). This does not create a new 50-year record retention requirement.
- The Final Rule permits (but does not require) a hospice to disclose a decedent's PHI to family members or others involved in the decedent's care, unless doing so would go against the decedent's previous wishes that are known to the hospice.
- The Final Rule includes enough significant changes to the privacy regulations that a hospice's Notice of Privacy Practices will need to be updated.
- Business associates and their subcontractors are directly liable for compliance with all standards and implementation specifications of the Security Rule.
- Business Associates must have a business associate agreement with their subcontractors that specifies the subcontractor must comply with the Security Rule.
- The hospice must have a business associate agreement with the business associate - not its subcontractors.
- The cost of a security measure may no longer be considered when determining which security measures to use.
Breach Notification Rule
- An impermissible acquisition, access, or use or disclosure of PHI is presumed to be a breach unless the hospice (or business associate) can demonstrate, based on a risk assessment, that there is a low probability that the PHI has been compromised.
- A risk assessment must include 1) the nature and extent of the PHI involved and likelihood of re-identification; 2) the unauthorized person who used the PHI or to whom it was disclosed; 3) whether the PHI was acquired or viewed; and 4) the extent to which the risk to the PHI had been mitigated.
- Covered entities and business associates are encouraged to use the encryption safe harbor in order to avoid needing to notify the government of breaches (PHI that is appropriately encrypted is not considered unsecured PHI, so its loss or disclosure does not trigger breach notification).
- The Final Rule provides clarification on notification to individuals, the media and the Secretary of HHS.
Clearly, this is a very broad overview of the HIPAA Omnibus Rule. We will continue our efforts to "unpack" the impact these regulations will have on hospices and do what we can to help facilitate compliance.
Posted by Heather Wilson, PhD, CEO, Hospice Education Network