In February 2009, the American Recovery and Reinvestment Act (“Stimulus Act”) provided significant financial incentives for healthcare providers to adopt and implement electronic health records. Because healthcare providers were encouraged to electronically store and transmit patient protected health information, patient advocates became concerned about the privacy and security protections for patient information. In order to improve the privacy and security requirements, the Stimulus Act included an entire section that enhanced the security requirements and increased the penalties if the providers failed to comply. This section of the Stimulus Act is the Health Information Technology for Education and Clinical Health Act (“HITECH”) and it modified the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA created the minimum privacy and security requirements. HITECH takes security and privacy to a new level. Over the last three years, hundreds of pages of proposed regulations were drafted and commented on to explain and finalize the HITECH requirements. Finally, on January 25th, 2013, the final HIPAA Omnibus Rule was released.
The federal government believes this HIPAA Omnibus Rule constitutes “sweeping changes” to privacy and security requirements in healthcare. Healthcare providers, healthcare plans, clearinghouses (“Covered Entities”) and their “Business Associates” should put this comprehensive law at the top of their priority list. Some of the critical changes include the following:
1. Modifications to the Authorization to Release Information;
2. Modifications to the Notice of Privacy Rights for each patient;
3. Limits on the use of patient information for Marketing and Fundraising;
4. Updated and modified Business Associate Agreements;
5. Enhanced Penalties for Breach of Patient Information;
6. Changes to the definition of what constitutes a “Breach” of patient information; and
7. Subcontractors of Business Associates must be brought into compliance with HIPAA.
All Covered Entities should review and update their privacy and security policies and procedures. In addition, they should evaluate and update the Authorization to Release Information form and the Notice of Privacy Practices provided to each patient. The forms must comply with the new HIPAA requirements, and Covered Entities must maintain documentation of their compliance. All of these administrative changes will require additional resources and will take significant time.
Business Associates will now be directly subject to the HIPAA penalties. In addition, Business Associates must comply with the Security Rule and sections of the Privacy Rule. These requirements include performing a full information risk assessment and addressing or implementing the reasonable administrative, physical and technical safeguards defined by the HIPAA Security Rule. Moreover, Business Associates must ensure their subcontractors also comply with the HIPAA requirements.
For most of the changes, Covered Entities are required to be in compliance by September 23, 2013; however, existing Business Associate Agreements may continue until September 23, 2014, which is the deadline for their compliance. Unfortunately, the government estimates the cost to modify the documents, forms, contracts and practices to comply with the HIPAA Omnibus Rule will be approximately $114 Million to $225.4 Million. This cost will directly impact healthcare providers, who are currently receiving reduced government reimbursement, and will impact the operations of both Covered Entities and Business Associates. Patients will likely start to see new documents and new processes during the summer, and definitely by September.