Oct. 1 --The final Health Insurance Portability and
Accountability Act omnibus rule requires hospitals and other health-care
providers to take action to protect personal health information and changes
their relationships with business associates (BAs), making documentation of BA
privacy efforts even more critical, according to the chief compliance officer
for UCLA Health System, Los Angeles.
UCLA's Marti Arvin spoke at the
American Health Lawyers Association/Health Care Compliance Association's Fraud
and Compliance Forum in Baltimore about the HIPAA rule changes called for under the Health
Information Technology for Economic and Clinical Health Act--which were
published in January and became enforceable Sept. 23 . In particular, she
focused on new requirements for business associates of HIPAA-covered entities
and those that subcontract with BAs.
Those types of entities now are
directly liable and accountable for the privacy and security of patients'
protected health information (PHI), Arvin said. Under the new final rule, she
said, covered entities no longer are required to notify the Department of Health
and Human Services Office for Civil Rights (OCR) of a breach by BAs, because the
BAs are directly covered by the rule and must report breaches themselves.
In addition, BAs are required now to notify the OCR if they are aware of
noncompliance by a subcontractor.
The University of California at Los
Angeles Health System in July 2011 agreed to pay $865,500 to the federal
government to settle allegations that the health system and its employees
violated the HIPAA Privacy and Security Rules. The settlement followed an
investigation by the OCR into complaints from two celebrity patients that
employees had improperly viewed the patients' electronic health records
containing their protected health information.
Discussing the new provisions of the final rule, Arvin
said the most substantial change is that the regulations now apply to a covered
entity's business associates and subcontractors of those BAs. BAs are entities
that create, receive, maintain or transmit PHI for or on behalf of covered
She said BAs should have written contracts with their
subcontractors that cover compliance with HIPAA rules. Before the final omnibus
rule, such a contract didn't have to be in writing, and it might even be an
e-mail, but because subcontractors are directly liable under the rule now, she
said, the contract should be in writing.
Arvin said she has heard that
the OCR, in its HIPAA audits, asked covered entities about how they are auditing
their BAs for compliance. She said she and her facility are considering sending
an annual questionnaire to its BAs to ask how they are complying with the
“OCR has the expectation that we are doing due diligence around
our BAs,” she said.
One of the questions a covered entity should ask
itself is whether it is comfortable with a BA making its own decision about
whether to self-disclose a breach. She said her contracts tell the BAs that the
covered entity has the right to see the BA's decision about a breach and decide
whether it is reportable.
The HIPAA rule requires that covered entities and BAs
notify the OCR of data breaches involving PHI unless there is a low probability
that the PHI was compromised. Before this final rule, she said, breaches had to
be reported only “if there was substantial risk of harm.”
In other words,
there “is a presumption that you will notify,” Arvin said.
for addressing a data breach include:
the breached information was later destroyed;
mitigation steps were taken;
or what entity received the information (wrong doctor or BA versus member of the
the information actually was accessed and viewed or just received.
Arvin advised that covered entities and BAs facing a data breach create
documentation of their processes for determining whether to notify the OCR of
the breach. If PHI was sent to a wrong doctor's office, for example, she said to
ask that office to send a fax verifying that the incorrectly received PHI was
shredded. Likewise, she said, the entity should request verification that the
incorrectly sent PHI wasn't read.
Arvin predicted that, on the whole,
there “will be an increase in instances where you notify.”
When it comes
to stolen laptops, Arvin recommended that a covered entity report the theft and
notify the OCR. She said most laptops are stolen for the computer itself, and
the thieves wipe the data on the device. Nevertheless, entities should notify
the OCR about such thefts.
Another top concern
for covered entities and BAs are new requirements in the omnibus rule--also
called for in the HITECH Act--that give patients greater ability to restrict the
circumstances under which their data may be disclosed, Arvin said.
the final omnibus rule, patients could request restrictions on uses and
disclosures on their information as it related to treatment, payment and
operations, but in many cases covered entities weren't obligated to comply with
those requests, she explained.
However, under the new rule, Arvin said,
covered entities are obligated to comply with such patient requests if patients
agree to pay on their own for the full cost of their medical services, and there
is no legal obligation to disclose the information. Covered entities still may
disclose PHI to health plans if patients expected their insurer to pay for the
But, Arvin said compliance with the new obligation, in
practice, is difficult.
For example, covered entities face uncertainty
with how to separate data for individual services that are part of a larger
encounter and for downstream services, such as laboratory tests and
electronically prescribed medications.
Furthermore, she said, entities
face questions about whether to comply with nondisclosure requests for insurers
if a patient's alternative payment method falls through. For example, she asked
rhetorically, what would a provider do if a patient's check bounced?
audience member said the situation also arises when college students go to
emergency departments for care or clinics for HIV tests and request the services
not be billed to their parents' insurance to avoid alerting their parents to
Covered entities then are faced with the problem of
how to restrict the data from going out and have few answers for dealing with
the situation, Arvin said.
“This is a mess, and I have not heard of any
good processes for this yet,” she said.
To contact the
reporter on this story: Lisa M. Rockelli at email@example.com
To contact the editor
responsible for this story: Kendra Casey Plank at firstname.lastname@example.org
To view additional stories from Health Law
Reporter™ register for a free trial now