UCLA Compliance Officer Offers Breach Notification, Compliance Tips


By Lisa M. Rockelli  

Oct. 1 --The final Health Insurance Portability and Accountability Act omnibus rule requires hospitals and other health-care providers to take action to protect personal health information and changes their relationships with business associates (BAs), making documentation of BA privacy efforts even more critical, according to the chief compliance officer for UCLA Health System, Los Angeles.

UCLA's Marti Arvin spoke at the American Health Lawyers Association/Health Care Compliance Association's Fraud and Compliance Forum in Baltimore about the HIPAA rule changes called for under the Health Information Technology for Economic and Clinical Health Act--which were published in January and became enforceable Sept. 23. In particular, she focused on new requirements for business associates of HIPAA-covered entities and those that subcontract with BAs.

Those types of entities now are directly liable and accountable for the privacy and security of patients' protected health information (PHI), Arvin said. Under the new final rule, she said, covered entities no longer are required to notify the Department of Health and Human Services Office for Civil Rights (OCR) of a breach by BAs, because the BAs are directly covered by the rule and must report breaches themselves.

In addition, BAs are required now to notify the OCR if they are aware of noncompliance by a subcontractor.

The University of California at Los Angeles Health System in July 2011 agreed to pay $865,500 to the federal government to settle allegations that the health system and its employees violated the HIPAA Privacy and Security Rules. The settlement followed an investigation by the OCR into complaints from two celebrity patients that employees had improperly viewed the patients' electronic health records containing their protected health information.

Written Contracts, Documentation

Discussing the new provisions of the final rule, Arvin said the most substantial change is that the regulations now apply to a covered entity's business associates and subcontractors of those BAs. BAs are entities that create, receive, maintain or transmit PHI for or on behalf of covered entities.

She said BAs should have written contracts with their subcontractors that cover compliance with HIPAA rules. Before the final omnibus rule, such a contract didn't have to be in writing, and it might even be an e-mail, but because subcontractors are directly liable under the rule now, she said, the contract should be in writing.

Arvin said she has heard that the OCR, in its HIPAA audits, asked covered entities how they are auditing their BAs for compliance. She said she and her facility are considering sending an annual questionnaire to the facility's BAs to ask how they are complying with the rules.

“OCR has the expectation that we are doing due diligence around our BAs,” she said.

One of the questions a covered entity should ask itself is whether it is comfortable with a BA making its own decision about whether to self-disclose a breach. She said her contracts tell the BAs that the covered entity has the right to see the BA's decision about a breach and decide whether it is reportable.


The HIPAA rule requires that covered entities and BAs notify the OCR of data breaches involving PHI unless there is a low probability that the PHI was compromised. Before this final rule, she said, breaches had to be reported only “if there was substantial risk of harm.”

In other words, there “is a presumption that you will notify,” Arvin said.

Considerations for addressing a data breach include:

• whether the breached information was later destroyed;

• whether mitigation steps were taken;

• who or what entity received the information (wrong doctor or BA versus member of the public); and

• whether the information actually was accessed and viewed or just received.


Arvin advised that covered entities and BAs facing a data breach create documentation of their processes for determining whether to notify the OCR of the breach. If PHI was sent to a wrong doctor's office, for example, she said to ask that office to send a fax verifying that the incorrectly received PHI was shredded. Likewise, she said, the entity should request verification that the incorrectly sent PHI wasn't read.

Arvin predicted that, on the whole, there “will be an increase in instances where you notify.”

When it comes to stolen laptops, Arvin recommended that a covered entity report the theft and notify the OCR. She said most laptops are stolen for the computer itself, and the thieves wipe the data on the device. Nevertheless, entities should notify the OCR about such thefts.

Patient Requests

Another top concern for covered entities and BAs is the set of new requirements in the omnibus rule--also called for in the HITECH Act--that give patients greater ability to restrict the circumstances under which their data may be disclosed, Arvin said.

Before the final omnibus rule, patients could request restrictions on uses and disclosures of their information as it related to treatment, payment and operations, but in many cases covered entities weren't obligated to comply with those requests, she explained.

However, under the new rule, Arvin said, covered entities are obligated to comply with such patient requests if patients agree to pay on their own for the full cost of their medical services, and there is no legal obligation to disclose the information. Covered entities still may disclose PHI to health plans if patients expected their insurer to pay for the services.

But Arvin said compliance with the new obligation, in practice, is difficult.

For example, covered entities face uncertainty about how to separate data for individual services that are part of a larger encounter and for downstream services, such as laboratory tests and electronically prescribed medications.

Furthermore, she said, entities face questions about whether to honor a patient's request not to disclose information to an insurer if the patient's alternative payment method falls through. For example, she asked rhetorically, what would a provider do if a patient's check bounced?

An audience member said the situation also arises when college students go to emergency departments for care or to clinics for HIV tests and request that the services not be billed to their parents' insurance, to avoid alerting their parents to medical situations.

Covered entities then are faced with the problem of how to restrict the data from going out and have few answers for dealing with the situation, Arvin said.

“This is a mess, and I have not heard of any good processes for this yet,” she said.


To contact the reporter on this story: Lisa M. Rockelli at lrockelli@bna.com

To contact the editor responsible for this story: Kendra Casey Plank at kcasey@bna.com
