"If you can't convince them, confuse them."
-Harry S. Truman
If you do not recognize the acronyms HIPAA and HITECH, you really must read this column. If you do recognize them and provide any type of health or human service, I would strongly recommend that you read on as well.
I met recently with our firm's information technology experts, Carl Cadregari, Mark Battaglia and Brett Coburn. Since you probably know that I am a technology dinosaur, I was being educated in the following interview and thought it would be most helpful for my readers.
JERRY: I was reading recently about this omnibus final rule that the Department of Health and Human Services published and that it has something to do with HIPAA's privacy and security rules and the HITECH Act. Can you help set the context and who needs to be in compliance with this regulation?
MARK: First, let's start by refreshing your understanding of what HIPAA is. HIPAA is the Health Insurance Portability and Accountability Act, and it was enacted by Congress in 1996. The purpose of HIPAA is to improve the efficiency and effectiveness of the nation's health care system by leveraging electronic data interchange. HIPAA required the issuance of five separate rules: the Unique Identifiers Rule, the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule and the Enforcement Rule. In general, the Privacy and Security rules are what are most commonly referred to as "HIPAA rules." These rules are for "protected health information" in hard-copy or electronic form, also known as PHI or ePHI.
BRETT: Also, it's helpful to remember that HIPAA applies to a "covered entity" or CE. A CE is normally defined within HIPAA as any health plan, including insurers and privately funded plans; health care clearinghouse; or health care provider, including hospitals, nursing homes, doctors, pharmacies, clinics and providers of mental health, substance abuse and disability services, that stores, transmits or processes any health-related information.
JERRY: So now that I understand more about the HIPAA regulations, can you explain the differences between the HIPAA Privacy and Security rules and HITECH?
MARK: The HIPAA Privacy Rule is contained within the full HIPAA regulation in Section 164.500 of the Code of Federal Regulations, usually abbreviated as CFR. The Privacy Rule applies to all covered entities and focuses on their use and disclosure of PHI. The HIPAA Security Rule focuses on electronic PHI and the administrative, physical and technical safeguards associated with protecting this data in electronic form. The Security Rule is in CFR Section 164.300.
BRETT: In addition, the Health Information Technology for Economic and Clinical Health Act, the HITECH Act, was enacted in 2009 as part of the American Recovery and Reinvestment Act. HITECH expands on the HIPAA Privacy and Security rules, enhances the controls that relate to breach notification and electronic health record access and increases the responsibility of business associates (BAs) to comply with the HIPAA Privacy and Security rules. HITECH was also designed to promote the meaningful use of health information technology and address the privacy and security concerns associated with electronic transmission of PHI.
JERRY: I think I understand, but given all that we've talked about, I just saw there was an update to the rules, the omnibus final rule change. What does that cover?
BRETT: Where the HIPAA Privacy and Security rules focused on health care providers, health plans and other entities, the omnibus final rule from the Department of Health and Human Services is based on changes made under the HITECH Act and includes a number of rulings designed to give people greater protection and control of PHI. The rule changes several of the required actions, including expanding application of HIPAA requirements from CEs to their BAs and strengthening the HITECH breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. It also provides direction on how a CE must measure and document the harm caused by a breach. For example, a patient can now ask for a copy of his or her medical record in electronic form, and an increased penalty applies for noncompliance, based on the level of negligence, with a maximum penalty of $1.5 million per violation.
MARK: One other area that is expanded upon is that of genetic information. With the omnibus rule, HIPAA has now incorporated the Genetic Information Nondiscrimination Act of 2008 into the Privacy and Security rules. GINA prohibits discrimination based on an individual's genetic information for both health coverage and employment. The HIPAA Privacy rule now incorporates language that prohibits health plans, health insurance issuers and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes. These provisions of the HIPAA Privacy rule have been adopted in Section 164.502(a)(5). In addition, HIPAA has modified the definition of the term "health information" to make it clear that "genetic information" is now included.
JERRY: I see. These rules are focused on protecting an individual's PHI and ensuring that it is used appropriately. I'm assuming that if information is stolen or misused, this could be a violation of HIPAA?
MARK: Yes. HIPAA violations stem from a breach of PHI. The omnibus final rule modified the definition of a breach to be "the acquisition, access, use or disclosure of PHI in a manner not permitted ..., which compromises the security or privacy of the PHI." So you most likely have a breach if a computer hacker gains access to an EMR system and copies the information or if you lose an unencrypted laptop or USB drive, backup tape or smartphone with PHI. It is interesting to note that you most likely have a breach even when an employee of a CE or BA intentionally accesses an individual's PHI record without a valid business purpose. You may have read recently where a hospital employee without proper authorization looked up a celebrity's information after a visit.
BRETT: These examples and other violations of HIPAA regulations result in fines of varying amounts up to $1.5 million annually per violation, based on pre-defined violation categories. For breaches with the intentional purpose of profiting from the information, criminal penalties may also apply.
JERRY: That is a lot of information; can you break it down for me? Let's start with what business associates are and what responsibility they have.
MARK: Basically, HIPAA defines a BA as any third party that works with or for a CE to create, receive, maintain or transmit PHI. This would include functions such as claims processing, data analysis, administration, billing and collections. Once a BA is identified, a Business Associate Agreement (BAA) must be established and formally documented. A BAA assures the CE that the BA will conduct business under the same controls as the CE, meeting HIPAA requirements. Within the HITECH Act, all BAAs are now required to contain language that essentially binds each BA to comply with the HIPAA Privacy and Security rules at essentially the same level as a CE.
JERRY: What did the omnibus final rule change for BAs?
BRETT: In many aspects, every section of the Privacy and Security rules was updated. For existing BAs there were a few minor adjustments, and they still need to meet all the sections of the rules that apply to them. However, the definition of a BA has been expanded to include those that simply store PHI but do not use it. For example, an off-site storage or archival company would be required to have a BAA and comply with the HIPAA Privacy and Security rules. However, there is a "conduit" exception in which a company that transports information but doesn't use it would not be subject to a BAA. Internet service providers and couriers are good examples.
JERRY: What about some of the other changes you listed: increased penalties, breach notification requirements and individual rights?
MARK: Let's just say they are going to increase the cost for a CE or BA that allows a breach of PHI. Regarding breach notification, BAs and their subcontractors, who also need to have agreements, must follow notification rules like those for CEs. The main reason for this change and the increase in penalties is that some of the largest breaches reported to HHS have involved BAs. Also, individuals have the right to request that their EMR be provided in an electronic format, such as on a CD-ROM.
JERRY: Wow, that is a lot of information to digest. I think we should have a follow-up conversation if you have the time.
BRETT and MARK: Absolutely! Just let us know.
As you reflect on the foregoing information, know that handling protected health information represents a significant expansion of compliance risk for your organization. Don't let these regulations fall off the table or slip to the back burner. And in case you were wondering, Carl, Mark and Brett can be reached for further assistance at (585) 381-1000.
JERRY: Good luck! In times like these, I am glad to be a technology dinosaur!
4/5/13 (c) 2013 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or email email@example.com.
Gerald J. Archibald, a CPA, is a partner in charge of management advisory services at the Bonadio Group and is known for expertise in non-profit and tax-exempt accounting, management and governance. He can be reached at (585) 381-1000 or firstname.lastname@example.org. Download podcasts of his articles at http://viewpoints.bonadio.com.