EvriChart Compliance Brief
What Does The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule Mean For Medical Records Storage Vendors?

Overview
The federal government has published its long-awaited final regulations (Final Rule) implementing the “Health Information Technology for Economic and Clinical Health (HITECH) Act,” enacted as part of the “American Recovery and Reinvestment Act of 2009” (ARRA), described by the head of the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” In general, the new rules expand the obligations of health care providers to protect patients’ protected health information (PHI), extend these obligations to a host of other companies that, as “business associates,” have access to PHI, and increase the penalties for violations of any of these obligations. The following outlines the changes HIM Directors should consider as they evaluate their medical records storage vendor in anticipation of the September 23, 2013, compliance date.
Business Associates (BA’s) and Business Associate Agreements (BAA’s)
The Final Rule significantly modifies the definition of a business associate. Previously, BA’s were limited to entities that “use or disclose” PHI in order to provide a service on behalf of a covered entity. Now, the definition includes any organization that “creates, receives, maintains, or transmits PHI for a function regulated by HIPAA”. Entities that, under the expanded definition, are considered business associates include all medical records storage companies. A medical records storage company that has access to PHI (electronic or hardcopy) is a business associate even if the entity does not view the information or does so on a random or infrequent basis.
Trigger For Breach Notification
The provision of the omnibus regulation that has generated the most discussion is the elimination of the “risk of harm” standard for breach notification. The breach notification regulations have not changed; however, the breach notification trigger has changed substantially. The Final Rule removed the harm standard and modified the risk assessment to focus more objectively on the risk that the PHI has been compromised. Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate… “demonstrates that there is a low probability that the PHI has been compromised”. Breach notification is necessary in all situations except those in which the covered entity demonstrates that there is a low probability that the PHI has been compromised. If PHI is encrypted, then no breach notification is required. Failure to comply with the minimum necessary provision may implicate the obligation for a risk assessment and possibly a data breach notification.
Hybrid Entities
A hybrid entity is an organization that performs both covered functions and non-covered functions. For example, a document storage company that stores medical records and corporate records can designate itself as a hybrid entity and define its covered functions, thereby avoiding the application of HIPAA to its corporate line of business. The Final Rule requires that a hybrid entity that performs business associate functions include the business associate functions in the covered functions of the hybrid entity. In a hybrid entity, an improper disclosure of PHI from the covered entity to the non-covered entity is still a breach, possibly requiring notification.
Determination of Civil Monetary Penalty (“CMP”)
Previously, CMP’s were capped at $100 per violation, with the annual amount of penalties for all violations of one provider capped at $25,000. Now, the CMP imposed will be based upon case-by-case investigations according to the table below. Furthermore, there has been a change in terminology from “history of violations” to “previous indications of non-compliance”. The clear implication is that OCR can impose penalties upon indications of prior non-compliance even when there was no formal finding of a violation. Additionally, the Office for Civil Rights must initiate an investigation if a preliminary review indicates a possible violation due to willful neglect; such investigations were discretionary prior to the Final Rule.
CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

| Violation Category – Section 1176 (a)(1) | Each Violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100-$50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000-$50,000 | $1,500,000 |
| (C)(i) Willful Neglect-Corrected | $10,000-$50,000 | $1,500,000 |
| (C)(ii) Willful Neglect-Not Corrected | $50,000 | $1,500,000 |

Timing
The Final Rule was published January 25, 2013 and became effective March 26, 2013. The compliance date is six months from the effective date: September 23, 2013.
About EvriChart
EvriChart specializes in secure, compliant medical records management. Today at our medical records centers we remain dedicated to managing only health information, and now we offer even more of the innovative medical records programs you’ve come to expect, and some you may be surprised to learn. If you are seeking more efficient and compliant ways to manage your medical records, or request and retrieve your existing paper records or electronic information, EvriChart may well be the solution. Contact us today for more information about our services.

