In January, HHS announced the long-awaited final rule related to new privacy and security protections for health information established under the HITECH Act. Among other requirements, the regulations expand the reach of HIPAA to include business associates and subcontractors that have access to protected health information (PHI).
Hospitals and health systems potentially must change existing business associate agreements, update HIPAA compliance programs and policies, and amend privacy practices in response to the new regulations. We sat down with Jennifer Breuer from the law firm Drinker Biddle & Reath to discuss the impact of the final rule on the provider community and strategies for achieving compliance.
1) Could you describe the most significant changes included in the HIPAA final rule that affect hospitals and health systems?
The most significant change for providers included in the final rule involves updated breach notification requirements related to the unauthorized release of PHI. Previously, the standard for notification relied upon whether a breach resulted in a substantial risk of financial or reputational harm to one or more individuals as a basis for reporting. Under the new regulations, this "harm threshold" has been replaced with a more objective risk assessment process to evaluate if PHI has been compromised. We expect that this will greatly increase reporting and notification obligations for hospitals and health systems, with investigations by the Office for Civil Rights (OCR) for those breaches impacting over 500 individuals.
Second, because the updated regulations place greater liability and responsibility upon business associates for ensuring the confidentiality and security of PHI, the rules will impact the ability of providers to negotiate agreements. In particular, covered entities may be required to standardize business associate agreements across relevant third-party vendors, involving significant administrative resources and time. As a result, hospitals and health systems must take more care to ensure that underlying agreements contain all terms, including indemnification, which would apply to a business associate moving forward.
2) What types of agreements are covered under the expanded business associate provisions?
The final rule requires that any business associate that creates, receives, maintains, or transmits electronic PHI ensure the confidentiality, integrity and availability of the protected information, and guard against reasonably anticipated threats or hazards to the security or integrity of patient data. Under the new rules, this means that third parties that maintain PHI through cloud software or remotely hosted electronic medical records are directly subject to HIPAA and associated responsibilities. Additionally, business associates are now accountable for the use and disclosure of PHI by any subcontractors, and business associate agreements are needed to govern these arrangements.
3) What steps should hospitals and physician groups take today in order to achieve compliance with the new regulations?
Hospitals should take inventory of their existing business associate agreements and evaluate areas that require changes or additions under the final rule. If a business associate agreement is renewed or modified at any time between March 26, 2013, and Sept. 23, 2013, the agreement must include the provisions in the final rule on or before Sept. 23, 2013. Conversely, for those agreements that were in place before Jan. 25, 2013, and were not renewed or modified after March 26, 2013, these arrangements are in compliance through Sept. 23, 2014. The most important—and resource-intensive—endeavor for hospitals will be to review all current contracts and agreements moving forward.
4) Where can even the most prepared organizations run into problems? What are the consequences of noncompliance?
Effective Sept. 23, 2013, the health care industry can expect to see audits of covered entities and business associates to ensure compliance with the new regulations. And the most significant penalties will be imposed for those institutions without any systematic policies to mitigate risk. As a result, it's paramount that hospitals and health systems ensure that effective privacy procedures are in place, and conduct a security analysis across the organization to identify gaps and weaknesses in existing protocol. Because updating business associate agreements is likely to be a time- and labor-intensive process, those institutions that begin the implementation process today will be in the best position to meet the new mandates. It's important to recognize that the OCR has shifted its focus away from education and toward enforcement, elevating compliance efforts to a C-suite level priority for providers.