HIPAA gets tougher on physicians
■ New privacy regulations mean practices face more legal scrutiny and higher fines in case of an information breach.
By Jennifer Lubell — Posted Feb. 4, 2013
Washington A revised set of federal privacy rules is expected to have a significant impact on the way physicians run their practices.
Revised privacy notices will need to be displayed in prominent areas of doctors' offices and on practices' websites. Patients will be able to ask for copies of their electronic health records or restrict the information given to health plans if they self-pay for services. And perhaps most important, practices might be subject to serious fines if any of their business associates cause security breaches.
On Jan. 17, the Dept. of Health and Human Services issued a final omnibus rule to strengthen the patient privacy protections established by the Health Insurance Portability and Accountability Act of 1996. The rules not only expand the individual rights of patients but also tighten federal breach notification requirements under the Health Information Technology for Economic and Clinical Health Act of 2009. The result is that physician practices potentially face more legal scrutiny by the federal government as well as new administrative burdens, said Robert Tennant, senior policy adviser with MGMA-ACMPE, the medical practice management association.
Under the new privacy rules, doctors now must assume the worst-case scenario in the event of a possible privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients. This raised concerns from privacy advocates that practices shouldn't have the discretion to determine these matters.
The new rules eliminate that standard and replace it with a stricter one. Now any incident involving patient records is assumed to be a breach, and unless a practice conducts a risk assessment that proves a low probability that any protected information was compromised, the breach must be reported. Tennant said the new standard will result in many more official reports of breaches, as well as additional work and costs to physician practices.
A closer look at business associates
HIPAA typically has focused on health care professionals, health plans and other entities that process health insurance claims. But because some of the largest security breaches have involved business associates of plans, doctors and other professionals, HHS said it was extending many of the law's requirements to these entities, as well as their subcontractors.
For physicians, a business associate may be any firm that handles patient data, such as a storage provider, a shredding company or a benchmarking firm that measures physician performance. With contractors becoming as fully liable as everyone else affected by HIPAA, physicians' offices are going to take on additional legal responsibilities as well, Tennant said. For example, if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice also is subject to enforcement violations caused by that business associate, he said.
“To make matters even more challenging, there are significant potential fines associated with these violations, upwards of $1 million-plus for particularly egregious cases,” Tennant said.
The days of getting a slap on the wrist for a privacy breach are over, he added. “There's now the potential that the government will be more aggressive in enforcing this.”
Deborah C. Peel, MD, chair of advocacy group Patient Privacy Rights, however, said past fines had been too low and that raising them would help strengthen needed patient protections. The new $1.5 million maximum fine per calendar year for violations is still too low for many corporations, “but it's better than $25,000 a year,” Dr. Peel said.
There may be some relationships with business associates where the increased risk for liability won't apply, said Patricia Wagner, an attorney at Washington law firm Epstein, Becker & Green PC, who specializes in privacy issues. An example of this is an accreditation agency, which “can't be an agent of the entity they're surveying because they're supposed to be independent.” Still, doctors will need to spend a lot of time examining all of the contracts they have with various business associates to see if any need restructuring to reduce their own liability risk, she said.
Practices with limited time to tackle this could prioritize the relationships they're most worried about, Wagner said. These may be the ones that handle the most patient health information or the firms the practice isn't as familiar with.
Although the rules specify Sept. 23 as the compliance date for the new regulations, health care professionals have an extra year to revise existing business associate agreements to become compliant.
Notices of privacy need revising
Physicians will need to revise their notices of privacy practices to explain their relationships with business associates and their new status under the final rule. They also will need to explain the breach notification process, Tennant said. There are new stipulations on where these revised notices must be placed in physicians' offices.
“You have to put it in a prominent area and make it available for patients if they wish to review or keep a copy,” or on the practice's website, he said. While it doesn't need to be reissued to current patients, the revised notices must be given to all new patients.
This actually offers a good opportunity for a practice to review its notice for any needed updates, Tennant said. Many practices haven't revised these documents since HIPAA's original privacy regulations came out in 2003. “They may have changed to an electronic health record, or have contracts with health information exchange organizations. They may be involved in an accountable care organization.”
MGMA-ACMPE has asked that practices receive more time beyond September to meet all of the new requirements.
Other stakeholders said additional clarification is needed on language relating to patient requests. Patients, for example, can ask physicians' offices to transmit their health information to third parties, such as family members, but such requests must be in writing, said Shari Erickson, vice president of governmental and regulatory affairs with the American College of Physicians. This creates an obligation on the part of the physicians' offices to collect information on all of these types of third-party requests. The penalty for noncompliance remains unclear.
It's also not clear which vendors will support the provision that patients can have electronic access to their medical records, Erickson said. She suggested that practices follow up with vendors directly.
While they include important data security protections, the rules in other areas don't necessarily guarantee that certain new requirements will be followed, Dr. Peel said. She cited the provision that patients can restrict health data given to plans if they pay out of pocket for drugs or services. “HHS did not require segmentation technologies so that [patient health information] can be protected and selectively shared. Instead, the information should be 'flagged' so only the 'minimum necessary' information is disclosed,” she said.
The success of the rules is going to depend on whether contracts between covered entities are enforced, Dr. Peel said. “Contracts do not enforce themselves any more than laws do. Therefore, most enforcement of the rule depends on inside whistle-blowers.”