On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published a Final Rule implementing sweeping changes to the Health Insurance Portability and Accountability Act (HIPAA). This “Omnibus” Rule combines four different rulemakings and makes final a number of long-awaited proposed changes to the HIPAA regulations.  The bulk of the changes concerning the ambulance industry center around regulations proposed under the Health Information Technology for Economic and Clinical (HITECH) Act in 2010.  

The HITECH Act was part of a massive 2009 stimulus Bill - the American Recovery and Reinvestment Act (ARRA).  The HITECH Act instructed HHS to issue a number of regulatory changes to HIPAA and  HHS published proposed regulations back on July 14, 2010.  After nearly 2 ½ years, HHS is at last issuing final regulations.
 

The Omnibus Rule becomes effective on March 26, 2013.  However, HIPAA-covered entities (ambulance services) and their business associates (billing companies, consultants, software vendors, hardware support providers, etc.) have been given until September 23, 2013 to comply with the regulatory changes in this Final Rule.  The Final Rule also lumps a number of new organizations under the definition of “business associate” so these organizations will have to come into compliance by that date as well.  

Below is a summary of provisions of the Final Rule that directly affect the ambulance industry. We will cover all of these changes in great depth in our upcoming, two hour webinar: HIPAA II Webinar - The Big Overhaul of Security and Privacy.

 

Summary of Changes Under the Final Rule
 

 

Under the current regulations, all covered entities and business associates have notification obligations regarding any “breach” of unsecured protected health information (PHI) occurring on or after September 23, 2009.  This Final Rule significantly changes the definition of breach and makes several clarifications regarding the notice provisions in the breach rules.

 

Currently, to determine whether a breach has occurred (and whether the breach notification requirements kick in), a covered entity or business associate must decide whether the improper use or disclosure of PHI “poses a significant risk of financial, reputational, or other harm to the individual.”  The organization is supposed to go through a “risk assessment” to make that determination, and, if the organization concludes that the event does not pose a significant risk of harm, then it may forgo breach notice.  Some members of Congress and consumer advocacy groups took issue with this so-called “harm standard” and advocated for a more “objective” standard.    

 

In response, HHS made two significant changes to further strengthen the breach standard.  First, they added language to the regulation stating that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate “demonstrates that there is a low probability that the protected health information has been compromised.”  Second, HHS removed the harm standard and modified the risk assessment.  Under the new breach standard, breach notification is not required if a covered entity or business associate demonstrates, based on the new risk assessment, that there is a low probability that the PHI has been compromised. 

 

The new breach standard is likely to lead to more breach notifications from ambulance services and their business associates since the previous standard of “significant” harm was a higher threshold to meet (in order for notice to be required).  Agencies need to be familiar with the new standard and how to conduct the risk assessment so that they don’t find themselves in the untenable position of explaining to HHS why they didn’t make breach notice when an event occurred, or alternatively, in a position where they made breach notice and may not have been required to. 

 

HHS also made several clarifications and changes to the notice provisions of the breach notification rules.  HHS clarified that when a covered entity is required to provide media notice (for breaches involving more than 500 individuals): (1) a covered entity does not have to incur a cost to provide media notice; (2) the media is not required under the regulation to give notice; and (3) a covered entity cannot fulfill the requirement to provide media notice by simply posting a release on its website.  The Final Rule also changes the regulation regarding notice about breaches involving fewer than 500 individuals to clarify that such breaches must be reported not later than 60 days following the calendar year in which the breach was “discovered.”  

 

Definition of Business Associate (45 CFR §160.103)

 

The Final Rule expands and clarifies the types of organizations that are considered to be “business associates” under HIPAA.  Organizations that fall under the business associate umbrella are now subject to the same requirements that the Final Rule applies to all business associates, and they must comply with those obligations by the compliance deadline. 

 

Significantly, the Final Rule states that the following types of entities are business associates:

Application of HIPAA Directly to Business Associates (Various regulations at 45 CFR Parts 160 & 164)

 

Before the HITECH Act, the HIPAA Privacy, Security and Enforcement  Rules did not directly apply to business associates of covered entities.  Business associates were only contractually obligated to comply the with provisions of their business associate agreements.  As such, the penalty for violation of these obligations was damages from a contractual breach of the business associate agreement (unless the business associate was also a covered entity under HIPAA). 

 

The Final Rule applies the HIPAA Privacy, Security, and Enforcement Rules directly to Business Associates in the manner described below.   

 

The Final Rule revises several regulations under the HIPAA Security Rule to apply the core provisions of the HIPAA Security Rule directly to business associates so that they apply in the same manner as they apply to covered entities.  This means that business associates will now have to:

·         Implement written policies and procedures that address each of the Security Rule’s safeguard standards; and

·         Implement administrative, physical, and technical safeguards to protect electronic PHI (e-PHI).

 

This includes implementing a security awareness and training program for workforce members, designating a security official, and conducting a security “risks analysis.”  For business associates that have not already implemented security compliance programs, complying with the Security Rule’s provisions will be a significant task and one that should be undertaken as soon as possible. 

 

 

The Final Rule takes a different approach in applying the HIPAA Privacy Rule to business associates.  Instead of directly applying most of the provisions of the Privacy Rule to business associates, the Omnibus Rule amends the regulations to state that a business associate, like a covered entity, may not use or disclose PHI except as permitted or required by the Privacy Rule or Enforcement Rule.  In addition, if a business associate violates a provision of a business associate agreement, that contractual violation is now a HIPAA violation.  The Final Rule states that business associates must also comply with HIPAA’s “minimum necessary” standard and only use, disclose, or request PHI from another agency if they limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. 

 

In a nutshell, business associates are now bound by HIPAA to only use or disclose PHI:

·         As permitted or required by their business associate agreements or other contracts

·         As required by law

·         In a manner that would not violate the Privacy Rule if done by a covered entity

·         When required by the HHS to determine HIPAA compliance

·         To a covered entity, individual, or individual’s representative to comply with the new electronic access requirement under HIPAA

 

Any other use or disclosure could subject a business associate to liability under HIPAA and contractual liability under a business associate agreement.

 

 

Finally, the Omnibus Rule provides that if a business associate violates any HIPAA provision that is now directly applicable to it, the business associate is subject to all criminal and civil penalties under HIPAA, which were increased under the HITECH Act.   HHS went further in its comments to actually list the times when a business associate is directly liable for HIPAA compliance.  Business associates are directly liable under HIPAA for:

·         Impermissible uses or disclosures of PHI under HIPAA

·         Failure to provide breach notification to a covered entity

·         Failure to provide access to a copy of e-PHI to a covered entity, individual, or individual’s representative (whichever is specified in the business associate agreement)

·         Failure to disclose PHI when required by HHS to investigate the business associate’s compliance with HIPAA

·         Failure to provide an accounting of disclosures

·         Failure to comply with the applicable requirements of the Security Rule

 

Business Associate Agreements (45 C.F.R. §164.504)

 

The Final Rule will require several changes to existing business associate agreements (BAAs), and require that future BAAs comply with the new rules.  If covered entities and business associates have an existing BAA in force, the existing agreement does not have to be updated until September 23, 2014.   If a new BAA is executed or an existing BAA is revised, then the BAA must be in compliance with the new regulations by September 23, 2013.

 

Under the Final Rule, BAAs must now require that the business associate will: 

·         Comply, where applicable, with the Security Rule

·         Report breaches of unsecured PHI to the covered entity as required under the breach notification rules

·         Ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate

·         Comply with the requirements of the Privacy Rule that if the business associate is required to perform a covered entity's obligation under the Privacy Rule (such as provide access to PHI, distribute a notice of privacy practices, etc.)

 

The expansion of the definition of business associate and the changes to the BAA requirements mean that there must now be a BAA in place between business associates and their subcontractors (a new regulatory requirement).  Further, subcontractors will have to enter into a BAA with any subcontractor that they engage to perform work using PHI.   

 

 

 

The Privacy Rule currently requires covered entities to permit individuals to request that a covered entity restrict uses or disclosures of their PHI for treatment, payment, and health care operations purposes.  But, covered entities were not required to agree with these requested restrictions (although if a covered entity does agree, it is bound by that agreement).  The Final Rule implements a new provision aimed at giving patients the right to pay out of pocket for healthcare services and requires that the healthcare provider not submit a claim to insurance.   

 

Under the Final Rule, a covered entity is required to abide by an individual’s request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the covered entity in full.  In other words, if a patient (or someone on behalf of a patient other than the patient’s health plan) pays your ambulance service in full for a transport and asks that you not submit a claim to their insurance, you must abide by that request. 

 

HHS also made several clarifications regarding this new rule in response to concerns about prohibitions in State and Medicare and Medicaid laws that prevent providers from billing and receiving payment from individuals for covered services over and above permissible cost-sharing amounts.  HHS states that if a provider is required by State or other law to submit a claim for a covered service and there is no exception for individuals who wish to pay out of pocket for the service, then the provider may still submit the claim despite the request.  But, with respect to Medicare, there is an exception to the mandatory claim submission rule.  That exception applies where a beneficiary refuses to authorize the submission of a claim to Medicare.  In cases where a Medicare beneficiary pays out of pocket and requests that a claim not be submitted to Medicare, the provider is not required to submit the claim to Medicare.  However, HHS does state that “the limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare.” So, it appears that HHS believes that a provider is limited to the Medicare allowable amount in these circumstances. 

 

 

All patients currently have the right to access and inspect a copy of their PHI.  The Final Rule now gives patients the right to access that information in electronic form.  The new regulations state that if an individual requests an electronic copy of their PHI, then a covered entity must provide access to that information in electronic form if it is readily producible in that form. 

 

So, if a patient were to request a PDF copy of their trip report and the ambulance service is able to produce a PDF copy of the report, then the ambulance service must provide the PDF to the patient.  If the ambulance service cannot produce the PHI in the form requested, then the regulations require that it be provided in a readable hard copy form or another form and format agreed to by the ambulance service and the patient.  Notwithstanding, if an ambulance service maintains such records electronically, it will have to produce the PHI in an electronic format - hard copy is not an option under these circumstances.    
 

The regulations also provide that if an individual directs a covered entity, in a signed writing, to transmit a copy of the PHI to another person designated by that individual, then the covered entity must transmit the PHI to that party.  Finally, the regulations will now provide that a covered entity can only have one 30 day extension to respond to a request for access.   

 

Notice of Privacy Practices (45 C.F.R. §164.520)

 

The extent to which ambulance services will need to revise their Notice of Privacy Practices (NPP) is going to depend on the types of activities they engage in.  For example, if an ambulance service does not engage in “fundraising” activities that fall under HIPAA (see discussion on “Fundraising” below), then the new fundraising provision is not required to be added to the NPP. 

 

The Final Rule requires covered entities to revise their NPP to include a statement:

·         Describing the types of uses and disclosures that require authorization under HIPAA (if the covered entity intends to engage in any of them);

·         That informs the individual that he or she has the right to opt out of receiving fundraising communications (if the covered entity uses PHI to conduct fundraising activities);

·         Telling the patient that he or she has a right to pay out of pocket for a service and request that the covered entity not submit PHI to the individual’s health plan; and

·         Informing individuals that the covered entity has a duty to notify affected individuals following a breach of unsecured PHI

 

HHS did not issue a sample NPP with this Final Rule, but PWW will be developing one to account for these changes. 

 

Fundraising (164.514(f))

 

The Final Rule tightens the rules about providing individuals the opportunity to opt out of receiving future fundraising materials.  Most ambulance services generally do not use PHI to conduct their subscription or membership programs, and instead, use publically available address information.  These new rules only apply to fundraising activities where the ambulance service uses PHI.  For example, if an ambulance service were to use PHI from trip reports to gather information for its membership or subscription drive, then the new fundraising rules would likely apply.  In that case, the ambulance service would be required under the new rules to provide a clear description of how to opt out of future solicitations.