Wilson Technology Group and More

Your One Stop IT and Telecommunications Firm



HIPAA: New Requirements for Notice of Privacy Practice

The Final Rule requires Covered Entities (CE) to revise their Notice of Privacy Practices to include a statement that:

1)  Describes the types of uses and disclosures that require authorization under HIPAA (if the CE intends to engage in any of them)

2)  Informs individuals that they have the right to opt out of receiving fundraising communications (if the CE uses PHI to conduct fundraising activities)

3)  Informs individuals that they have a right to pay out-of-pocket for a service and the right to require that the CE not submit PHI to the individual’s health plan if they do so

4)  Informs individuals that the CE has a duty to notify affected individuals following a breach of unsecured PHI

Taken in part from:  Miller & Martin, PLLC  3/8/2013



HIPAA Expanded Patient Rights

Under the Final Rule, a Covered Entity (CE) is required to abide by an individual's request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the CE in full. The new regulations also provide that if an individual requests an electronic copy of their PHI, then a CE must provide access to that information in electronic form, if it is readily producible in that form. So a CE will have to produce PHI in an electronic format if it maintains records electronically (as the PHI is considered readily producible in this circumstance). Further, under the Final Rule, if an individual directs a CE, in a signed writing, to electronically transmit a copy of the PHI to another person designated by that individual, then the CE must transmit the PHI electronically to that party. Additionally, HIPAA now permits a CE only one 30-day extension to respond to a request for access. Finally, the new regulations streamline individuals' ability to authorize the use of their health information for research purposes and make it easier for parents and others to give permission to share proof of a child's immunizations with a school.

Taken in part from:  Miller & Martin, PLLC  3/8/2013



Application of HIPAA to Business Associates

The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates (BAs), and provides that if a BA violates any HIPAA provision that is now directly applicable to it, the BA is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH. Under the revised HIPAA regulations, BAs are now directly liable for:

1)  Impermissible uses or disclosures of PHI

2)  Failure to provide appropriate access to electronic copy of PHI to a Covered Entity (CE), individual, or individual’s representative

3)  Failure to provide proper breach notification to a CE

4)  Failure to disclose PHI when required by HHS to investigate the BA’s compliance with HIPAA

5)  Failure to comply with the applicable requirements of the Security Rule

Perhaps most significantly, the Final Rule provides that if a BA violates a provision of a BA Agreement, that contractual violation is now a HIPAA violation. The Final Rule also states that BAs must comply with HIPAA's "minimum necessary" standard and may only use, disclose, or request PHI from another entity if they limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.

Taken in part from:  Miller & Martin, PLLC  3/8/2013



New Android Trojan Downloaded by Millions – Dubbed BadNews

Here is some depressing news for all Android users. Millions of Android users have been tricked into downloading a new Trojan masquerading as a slew of legitimate apps directly from Google Play. Marc Rogers warns that the newly discovered malware family, dubbed BadNews, is capable of harvesting and sending information about the device and prompts users to install additional malicious applications (see http://www.net-security.org/malware_news.php?id=2473). YIKES!



HIPAA: Increased Flexibility with PHI of Deceased Patients

Under the Final Rule, Covered Entities (CEs) are now permitted to disclose PHI to a decedent's family members and others who were involved in the patient's care, or payment for that care, prior to death, unless doing so would be inconsistent with any prior expressed preference known to the CE. This is limited to disclosing PHI that is relevant to the family member's or other person's involvement in the individual's healthcare or payment. Additionally, under the new HIPAA regulations, health information is no longer PHI once a patient has been dead for 50 years.

Taken from:  Miller & Martin, PLLC  3/8/2013



HIPAA Civil Monetary Penalties

The Final Rule retains the increased civil monetary penalties for HIPAA violations that were set forth under the HITECH Act. The tiered penalty system currently applies to Covered Entities (CEs), and under the Final Rule it will also apply to Business Associates (BAs) and their subcontractors. The penalty amounts range from $100 per violation up to a maximum of $1.5 million for violations of the same HIPAA provision in a calendar year. Penalties in the four-tiered system increase based on the level of culpability. The lowest tier ($100 to $50,000 per violation) applies to situations where the CE or BA did not know about the HIPAA violation. The highest tier, which starts at $50,000 per violation, applies when the CE or BA demonstrated "willful neglect" in violating HIPAA and failed to correct the violation.

Taken in part from:  Miller & Martin, PLLC  3/8/2013



HIPAA Expanded Definition of Business Associate

The Final Rule broadens the definition of Business Associate under HIPAA, such that HIPAA now applies to a whole new group of entities that will all need to be compliant by September 23, 2013. The Final Rule clarifies that the following persons and entities are now Business Associates under HIPAA:

1)  Any person or entity that provides data transmission services of PHI to a Covered Entity and requires access on a routine basis to such PHI.  (Covered Entities will need to review their relationships with vendors and others who transmit PHI on their behalf and determine whether that person or entity requires access to its PHI on a routine basis.  Many Covered Entities will gain an expanded list of Business Associates through this clarification of the Final Rule and will need to put Business Associate Agreements in place by the compliance date).

2)  Any subcontractor of a business associate that handles PHI. (If a Business Associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is now a Business Associate under HIPAA, and under the new regulations, there must be a written agreement in place between the Business Associate and its subcontractor that meets all of the requirements of a Business Associate Agreement under HIPAA.  The Final Rule also makes it clear that in this situation, it is the Business Associate who retains the subcontractor, and not the Covered Entity, that is responsible for ensuring there is a proper Business Associate Agreement in place).

3)  Any entity that maintains PHI on behalf of a Covered Entity.  (Under the Final Rule, a Business Associate now includes a person or entity that maintains PHI on behalf of a Covered Entity, even if that person or entity does not access or view the PHI.  If a Covered Entity uses an outside organization to store and/or maintain its PHI, it now needs to make sure it has a Business Associate Agreement in place with that vendor that meets all the requirements under HIPAA).

Taken in part from:  Miller & Martin, PLLC  3/8/2013



HIPAA Breach Notification Standard Lowered

In perhaps the most significant change under the Final Rule, the new regulations considerably alter what constitutes a breach of Protected Health Information (PHI) and when the breach notification requirements are triggered. Under the current HIPAA regulations, to determine whether a breach has occurred a Covered Entity or Business Associate must conduct a risk assessment to determine whether the use or disclosure of PHI in question "poses a significant risk of financial, reputational, or other harm to the individual." Under the Final Rule, an improper use or disclosure of PHI is now presumed to be a breach unless the Covered Entity or Business Associate "demonstrates that there is a low probability that the protected health information has been compromised" through a risk assessment of at least the four factors set forth in the new regulations:

a)  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

b)  The unauthorized person who used the PHI or to whom the disclosure was made

c)  Whether the PHI was actually acquired or viewed

d)  The extent to which the risk to the PHI has been mitigated

The “presumption of breach” standard is a much lower standard than the previous “significant risk of harm” standard and is likely to lead to more breach notifications from Covered Entities and their Business Associates.

Taken in part from:  Miller & Martin, PLLC 3/8/2013