HHS Publishes Final HIPAA II Regulations

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published a Final Rule implementing sweeping changes to the Health Insurance Portability and Accountability Act (HIPAA). This “Omnibus” Rule combines four different rulemakings and makes final a number of long-awaited proposed changes to the HIPAA regulations.  The bulk of the changes concerning the ambulance industry center around regulations proposed under the Health Information Technology for Economic and Clinical (HITECH) Act in 2010.  

The HITECH Act was part of a massive 2009 stimulus Bill - the American Recovery and Reinvestment Act (ARRA).  The HITECH Act instructed HHS to issue a number of regulatory changes to HIPAA and  HHS published proposed regulations back on July 14, 2010.  After nearly 2 ½ years, HHS is at last issuing final regulations.
The Omnibus Rule becomes effective on March 26, 2013.  However, HIPAA-covered entities (ambulance services) and their business associates (billing companies, consultants, software vendors, hardware support providers, etc.) have been given until September 23, 2013 to comply with the regulatory changes in this Final Rule.  The Final Rule also lumps a number of new organizations under the definition of “business associate” so these organizations will have to come into compliance by that date as well.  

Below is a summary of provisions of the Final Rule that directly affect the ambulance industry. We will cover all of these changes in great depth in our upcoming, two hour webinar: HIPAA II Webinar - The Big Overhaul of Security and Privacy.
Summary of Changes Under the Final Rule
Changes to the Breach Notification Rules(45 C.F.R §§164.402 – 164.410)
Under the current regulations, all covered entities and business associates have notification obligations regarding any “breach” of unsecured protected health information (PHI) occurring on or after September 23, 2009.  This Final Rule significantly changes the definition of breach and makes several clarifications regarding the notice provisions in the breach rules.
Currently, to determine whether a breach has occurred (and whether the breach notification requirements kick in), a covered entity or business associate must decide whether the improper use or disclosure of PHI “poses a significant risk of financial, reputational, or other harm to the individual.”  The organization is supposed to go through a “risk assessment” to make that determination, and, if the organization concludes that the event does not pose a significant risk of harm, then it may forgo breach notice.  Some members of Congress and consumer advocacy groups took issue with this so-called “harm standard” and advocated for a more “objective” standard.    
In response, HHS made two significant changes to further strengthen the breach standard.  First, they added language to the regulation stating that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate “demonstrates that there is a low probability that the protected health information has been compromised.”  Second, HHS removed the harm standard and modified the risk assessment.  Under the new breach standard, breach notification is not required if a covered entity or business associate demonstrates, based on the new risk assessment, that there is a low probability that the PHI has been compromised. 
The new breach standard is likely to lead to more breach notifications from ambulance services and their business associates since the previous standard of “significant” harm was a higher threshold to meet (in order for notice to be required).  Agencies need to be familiar with the new standard and how to conduct the risk assessment so that they don’t find themselves in the untenable position of explaining to HHS why they didn’t make breach notice when an event occurred, or alternatively, in a position where they made breach notice and may not have been required to. 
HHS also made several clarifications and changes to the notice provisions of the breach notification rules.  HHS clarified that when a covered entity is required to provide media notice (for breaches involving more than 500 individuals): (1) a covered entity does not have to incur a cost to provide media notice; (2) the media is not required under the regulation to give notice; and (3) a covered entity cannot fulfill the requirement to provide media notice by simply posting a release on its website.  The Final Rule also changes the regulation regarding notice about breaches involving fewer than 500 individuals to clarify that such breaches must be reported not later than 60 days following the calendar year in which the breach was “discovered.”  
Definition of Business Associate (45 CFR §160.103)
The Final Rule expands and clarifies the types of organizations that are considered to be “business associates” under HIPAA.  Organizations that fall under the business associate umbrella are now subject to the same requirements that the Final Rule applies to all business associates, and they must comply with those obligations by the compliance deadline. 
Significantly, the Final Rule states that the following types of entities are business associates:
  • Any person/entity that provides data transmission services of PHI to a covered entity andrequires access on a routine basis to such PHI.  Ambulance services will need to look to organizations like ePCR vendors and others who transmit PHI on their behalf and determine whether that organization requires access to its PHI on a “routine basis.”  HHS does not provide a lot of guidance regarding what it means to have “access on a routine basis.”  However, the Final Rule states that organizations that act as “mere conduits” for the transmission of PHI do not fall under the definition of a business associate.  HHS says that conduits are courier services such as the U.S. Postal Service and their electronic equivalents, such as internet service providers (ISPs).  Organizations that just transport data and do not access PHI other than on a random or infrequent basis are generally not business associates.  But entities that require access to PHI in order to perform a service for an ambulance service are.  Ambulance services will have to make a case-by-case determination about organizations that transmit PHI for them and enter into a business associate agreement where appropriate. 
  • A subcontractor of a business associate that handles PHI. The new regulations provide that if a business associate subcontracts part of its function requiring access or use of PHI to another organization, that subcontractor is also a business associate under HIPAA. For example, an agreement between an ambulance service and its billing company may require the billing company to provide collection services as well.  If the billing company engages a collection agency to perform these services on behalf of the covered entity, then that collection agency becomes a business associate of the billing company and the agency is now subject to the applicable HIPAA provisions.  And, where a business associate delegates a function, activity or service involving PHI to a subcontractor,  there must be an agreement between the business associate and its subcontractor that contains the elements required to be included in business associate agreements and describes the subcontractor's permitted uses and disclosures of PHI.  In this scenario it is the business associate’s responsibility and not the covered entity’s responsibility to ensure that there is a business associate agreement in place.  
  • An entity that “maintains” PHI on behalf of a covered entity. The Final Rule also clarifies that a business associate includes a person or entity that “maintains” PHI on behalf of a covered entity, even if that person or entity does not access or view the PHI.  So, when a covered entity engages an outside organization to store its PHI, the covered entity is going to have to enter into a business associate agreement with that organization and that organization is going to have to put certain protections in place now required by HIPAA.  So, if your ambulance services uses physical storage facilities or “cloud” servers to store PHI, then you should have an agreement in place with those organizations.  
Application of HIPAA Directly to Business Associates (Various regulations at 45 CFR Parts 160 & 164)
Before the HITECH Act, the HIPAA Privacy, Security and Enforcement  Rules did not directly apply to business associates of covered entities.  Business associates were only contractually obligated to comply the with provisions of their business associate agreements.  As such, the penalty for violation of these obligations was damages from a contractual breach of the business associate agreement (unless the business associate was also a covered entity under HIPAA). 
The Final Rule applies the HIPAA Privacy, Security, and Enforcement Rules directly to Business Associates in the manner described below.   
Security Rule
The Final Rule revises several regulations under the HIPAA Security Rule to apply the core provisions of the HIPAA Security Rule directly to business associates so that they apply in the same manner as they apply to covered entities.  This means that business associates will now have to:
·         Implement written policies and procedures that address each of the Security Rule’s safeguard standards; and
·         Implement administrative, physical, and technical safeguards to protect electronic PHI (e-PHI).
This includes implementing a security awareness and training program for workforce members, designating a security official, and conducting a security “risks analysis.”  For business associates that have not already implemented security compliance programs, complying with the Security Rule’s provisions will be a significant task and one that should be undertaken as soon as possible. 
Privacy Rule
The Final Rule takes a different approach in applying the HIPAA Privacy Rule to business associates.  Instead of directly applying most of the provisions of the Privacy Rule to business associates, the Omnibus Rule amends the regulations to state that a business associate, like a covered entity, may not use or disclose PHI except as permitted or required by the Privacy Rule or Enforcement Rule.  In addition, if a business associate violates a provision of a business associate agreement, that contractual violation is now a HIPAA violation.  The Final Rule states that business associates must also comply with HIPAA’s “minimum necessary” standard and only use, disclose, or request PHI from another agency if they limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. 
In a nutshell, business associates are now bound by HIPAA to only use or disclose PHI:
·         As permitted or required by their business associate agreements or other contracts
·         As required by law
·         In a manner that would not violate the Privacy Rule if done by a covered entity
·         When required by the HHS to determine HIPAA compliance
·         To a covered entity, individual, or individual’s representative to comply with the new electronic access requirement under HIPAA
Any other use or disclosure could subject a business associate to liability under HIPAA and contractual liability under a business associate agreement.
Enforcement Rule
Finally, the Omnibus Rule provides that if a business associate violates any HIPAA provision that is now directly applicable to it, the business associate is subject to all criminal and civil penalties under HIPAA, which were increased under the HITECH Act.   HHS went further in its comments to actually list the times when a business associate is directly liable for HIPAA compliance.  Business associates are directly liable under HIPAA for:
·         Impermissible uses or disclosures of PHI under HIPAA
·         Failure to provide breach notification to a covered entity
·         Failure to provide access to a copy of e-PHI to a covered entity, individual, or individual’s representative (whichever is specified in the business associate agreement)
·         Failure to disclose PHI when required by HHS to investigate the business associate’s compliance with HIPAA
·         Failure to provide an accounting of disclosures
·         Failure to comply with the applicable requirements of the Security Rule
Business Associate Agreements (45 C.F.R. §164.504)
The Final Rule will require several changes to existing business associate agreements (BAAs), and require that future BAAs comply with the new rules.  If covered entities and business associates have an existing BAA in force, the existing agreement does not have to be updated until September 23, 2014.   If a new BAA is executed or an existing BAA is revised, then the BAA must be in compliance with the new regulations by September 23, 2013.
Under the Final Rule, BAAs must now require that the business associate will: 
·         Comply, where applicable, with the Security Rule
·         Report breaches of unsecured PHI to the covered entity as required under the breach notification rules
·         Ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate
·         Comply with the requirements of the Privacy Rule that if the business associate is required to perform a covered entity's obligation under the Privacy Rule (such as provide access to PHI, distribute a notice of privacy practices, etc.)
The expansion of the definition of business associate and the changes to the BAA requirements mean that there must now be a BAA in place between business associates and their subcontractors (a new regulatory requirement).  Further, subcontractors will have to enter into a BAA with any subcontractor that they engage to perform work using PHI.   
New Patient Rights
Patient’s Right to Restrict Disclosure (45 C.F.R. §164.522)
The Privacy Rule currently requires covered entities to permit individuals to request that a covered entity restrict uses or disclosures of their PHI for treatment, payment, and health care operations purposes.  But, covered entities were not required to agree with these requested restrictions (although if a covered entity does agree, it is bound by that agreement).  The Final Rule implements a new provision aimed at giving patients the right to pay out of pocket for healthcare services and requires that the healthcare provider not submit a claim to insurance.   
Under the Final Rule, a covered entity is required to abide by an individual’s request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the covered entity in full.  In other words, if a patient (or someone on behalf of a patient other than the patient’s health plan) pays your ambulance service in full for a transport and asks that you not submit a claim to their insurance, you must abide by that request. 
HHS also made several clarifications regarding this new rule in response to concerns about prohibitions in State and Medicare and Medicaid laws that prevent providers from billing and receiving payment from individuals for covered services over and above permissible cost-sharing amounts.  HHS states that if a provider is required by State or other law to submit a claim for a covered service and there is no exception for individuals who wish to pay out of pocket for the service, then the provider may still submit the claim despite the request.  But, with respect to Medicare, there is an exception to the mandatory claim submission rule.  That exception applies where a beneficiary refuses to authorize the submission of a claim to Medicare.  In cases where a Medicare beneficiary pays out of pocket and requests that a claim not be submitted to Medicare, the provider is not required to submit the claim to Medicare.  However, HHS does state that “the limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare.” So, it appears that HHS believes that a provider is limited to the Medicare allowable amount in these circumstances. 
Electronic Access to PHI (45 C.F.R. §164.524)
All patients currently have the right to access and inspect a copy of their PHI.  The Final Rule now gives patients the right to access that information in electronic form.  The new regulations state that if an individual requests an electronic copy of their PHI, then a covered entity must provide access to that information in electronic form if it is readily producible in that form. 
So, if a patient were to request a PDF copy of their trip report and the ambulance service is able to produce a PDF copy of the report, then the ambulance service must provide the PDF to the patient.  If the ambulance service cannot produce the PHI in the form requested, then the regulations require that it be provided in a readable hard copy form or another form and format agreed to by the ambulance service and the patient.  Notwithstanding, if an ambulance service maintains such records electronically, it will have to produce the PHI in an electronic format - hard copy is not an option under these circumstances.    
The regulations also provide that if an individual directs a covered entity, in a signed writing, to transmit a copy of the PHI to another person designated by that individual, then the covered entity must transmit the PHI to that party.  Finally, the regulations will now provide that a covered entity can only have one 30 day extension to respond to a request for access.   
Notice of Privacy Practices (45 C.F.R. §164.520)
The extent to which ambulance services will need to revise their Notice of Privacy Practices (NPP) is going to depend on the types of activities they engage in.  For example, if an ambulance service does not engage in “fundraising” activities that fall under HIPAA (see discussion on “Fundraising” below), then the new fundraising provision is not required to be added to the NPP. 
The Final Rule requires covered entities to revise their NPP to include a statement:
·         Describing the types of uses and disclosures that require authorization under HIPAA (if the covered entity intends to engage in any of them);
·         That informs the individual that he or she has the right to opt out of receiving fundraising communications (if the covered entity uses PHI to conduct fundraising activities);
·         Telling the patient that he or she has a right to pay out of pocket for a service and request that the covered entity not submit PHI to the individual’s health plan; and
·         Informing individuals that the covered entity has a duty to notify affected individuals following a breach of unsecured PHI
HHS did not issue a sample NPP with this Final Rule, but PWW will be developing one to account for these changes. 
Fundraising (164.514(f))
The Final Rule tightens the rules about providing individuals the opportunity to opt out of receiving future fundraising materials.  Most ambulance services generally do not use PHI to conduct their subscription or membership programs, and instead, use publically available address information.  These new rules only apply to fundraising activities where the ambulance service uses PHI.  For example, if an ambulance service were to use PHI from trip reports to gather information for its membership or subscription drive, then the new fundraising rules would likely apply.  In that case, the ambulance service would be required under the new rules to provide a clear description of how to opt out of future solicitations.     
PHI of Decedents (45 C.F.R. §164.504(f))
The Final Rule makes two significant changes to HIPAA regarding PHI of deceased patients.  First, the regulations will now permit covered entities to disclose PHI to a decedent’s family members and others who were involved in the patient’s care or payment for that care prior to death, unless doing so would be inconsistent with any prior expressed preferences known to the covered entity.  This is limited to disclosing PHI that is relevant to the family member or other person’s involvement in the individual’s healthcare or payment. 
Second, the Final Rule would change the regulations to state that health information is no longer PHI after the patient has been dead for 50 years.  Under the current rule, PHI continues to be PHI indefinitely and covered entities are required to deal with legal representatives (or others individuals according to state law).  Under the new regulation, covered entities would no longer be required to treat the health information of the deceased patient as PHI once 50 years has passed since the patient’s death.
Steep Civil Monetary Penalties (45 C.F.R. §160.404)

The HITECH Act put more teeth into HIPAA enforcement by increasing civil monetary penalties, requiring investigations for certain violations, mandating HIPAA audits, and permitting state Attorneys General to bring actions for HIPAA violations. Over the past five years HIPAA enforcement has completely shifted from the old “slap on the wrist” approach to a much more aggressive and punitive posture.

The Final Rule retained the steep, tiered civil monetary penalty system for HIPAA violations that were set forth by the HITECH Act.  These penalties were increased substantially from the previous civil monetary penalties, which were capped at $25,000 for violations of the same HIPAA provision.  The new tiered penalties currently apply to covered entities and they will soon be applicable to business associates and their subcontractors. 

The penalty amounts range from $100 per violation up to a maximum penalty of $1.5 million for all violations of the same HIPAA provision in a calendar year.  Penalties in the four-tiered system increase based on the level of culpability.  The lowest level of penalties ($100- $50,000 per violation) applies to situations where the covered entity or business associate did not know about the HIPAA violation.  The highest penalty level, which starts at $50,000 per violation applies when the covered entity or business associate demonstrated “willful neglect” in violating HIPAA and it failed to correct the violation. 

The Office for Civil Rights (OCR) is already using this draconian penalty scheme and has imposed a penalty of $4.3 million on one healthcare organization.  The government  has also required numerous covered entities to pay settlement amounts of over $1 million over the past few years.  These steep penalties, coupled with the government’s new enforcement posture, underscore the urgent need to ensure HIPAA compliance at your organization.