New HIPAA Rules Set for 2012
In the world of the highly publicized “mega-breach” of medical information (e.g. at large health plans and academic medical centers), it is easy to forget that small breaches occur on a regular basis.
According to HHS, in 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals.
What do medical practices and smaller covered entities need to report?
Writing in the EMR and HIPAA newsletter recently, Jan McDavid, general counsel at HealthPort notes that “smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year.”
McDavid adds that “The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches.”
“For example, the CE (covered entity) gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!”
The attorney advises that when a breach occurs, the CE must evaluate whether it is necessary to send a notification to the patient. When patients are notified, their reactions vary, the attorney said. “Sometimes we see ‘breach fatigue’ by patients. They hear so much about breaches that any leakage of their information is considered ‘no big deal’ and simply a reality of modern, high-tech times.”
Complying with HIPAA privacy and security requirements will get harder for small medical groups in the next year.
Writing in a recent issue of Health Data Management, Joe Goedert reports that the HHS’ Office for Civil Rights (which enforces HIPAA) has published a proposed rule, mandated under the HITECH Act, to strengthen provisions of the HIPAA privacy, security and enforcement rules. OCR expects this year to release a final “omnibus” rule, which also will include changes to the breach notification rule.
Currently, CEs are liable for the failure of their business associates to abide by HIPAA rules, subject to certain circumstantial exemptions. Under the proposed new rule those exemptions would be removed, exposing covered entities to liability for any violations by their business associates.
The HDM reporter explains, “The exemptions were dropped in the proposed rule because legal liability under HIPAA would be expanded to business associates. The (new) rule also expanded the definition of ‘business associates’ to include health information exchanges, health information organizations, electronic prescribing gateways, patient safety organizations and vendors that contract with covered entities to offer personal health records to patients, making these entities also liable.”
This is a major expansion of HIPAA privacy protections to consumers, but also brings a new set of headaches to physician practices, which will now have to get new assurances from their business associates about privacy and security procedures.