New Final HIPAA Rule Released -- a few surprises!

Well, the big news is that we've finally been treated to a new final HIPAA rule, issued last Thursday, true to form, just before a holiday weekend, all 563 pages.  A great deal is "as proposed" but there are some significant changes and some significant insights provided in the preamble.  Here's a link to the pre-publication version https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf  The actual date of issue of the official version in the Federal Register will be this Friday, January 25, whereupon the link above may stop working and links to the official version will be announced.

DISCLAIMER!  I am not a lawyer and everyone in the HIPAA world is still sorting out all the impacts and changes, and I'd be a fool to think that I know what all the issues are and have everything interpreted correctly at this early stage.  This is not a complete analysis, but just a few observations, and I'll have more information as things develop.  

So, what's up with the final rule?  For the most part, it's being finalized as proposed, but with some significant exceptions.  Here are some tidbits.

 -- Business Associate Agreement Compliance Timing

The new rule, as proposed, extends the HIPAA regulations to Business Associates, and there are changes in what is required in a Business Associate Agreement to reflect  the new status of BAs.  The sequence of compliance in HIPAA is usually that the rule is officially Published (as this one will be on Friday the 25th), it goes into effect 60 days later, and is enforceable 6 months after that.  The proposed rule said that if your BA agreement was in compliance with the old rules as of the effective date, you'd have 18 months to get your BA Agreement up to snuff, not just 6 months, so you'd have some time, once it was published, to at least nail down what you could under the old requirements and not have to look at it again for 18 months.

Well, surprise, surprise, the final rule says that if your BA agreement is compliant as of the day of publication, not the effective date, you get the extra year to get your agreements updated.  You don't get that 60 days before it goes into effect to sign agreements under the old rules and put off revisiting them for 18 months.  In other words, you have until this Friday to sign any agreements that are compliant with the old rules and not have to revisit them for 18 months.  Starting next week, you'll have to use agreements meeting the new requirements, or you'll have to revise them by September 23, 2013.

I've been recommending that folks include language that meets the new requirements for some time now, so if you have, you may be all set to continue into the future and have until September 24, 2014 to revise all the older ones.

 -- Breach Notification: The Harm Standard is Dead, Long Live the Harm Standard

We all knew that there would be some changes in the Harm Standard in Breach Notification because of the controversy around it, and a perceived lack of uniformity in the industry as to how to interpret it.  Well, there sure are some changes.  The Harm Standard has been unceremoniously dumped, replaced by the notion of a "low probability of compromise" using a risk assessment of each potential breach, considering four factors: what the information was, to whom it was released, whether or not it was actually accessed, used, or disclosed, and how the incident was mitigated.  OK, so far so good...

Interestingly, in the Preamble discussion of the new rule, one of the considerations in evaluating the information potentially breached is whether or not its exposure is adverse to the individual or benefits some other person.  It sounds like the "adverse to the individual" is a new harm standard, without the icky name.  Now, to be sure, you need to look at more than this to see if it's reportable -- any one of the four factors can drive notification.  But it does allow some room for consideration of the impact on the individual.

The big impact here is that you do need to establish a process for assessing the risk of every potential breach to see if it is reportable.

One of the best things I noticed in the new rule was in the Preamble discussion having to do with sending information to the wrong provider by mistake.  Under the interim rule there was not an exception for inadvertently sending to the wrong HIPAA-covered entity.  There still is no exception, but the Preamble discussion did make it clear that you can use a risk assessment considering the four factors to decide that there is not a reportable breach.  Just don't make it automatic!  You still need to do the risk analysis every time -- you may have situations where it's not something you can except.

 -- Some Guidance on Unencrypted E-mail (and Texting?)

One of the new requirements unchanged from that proposed is that if someone wants an electronic copy of their health information that's held electronically, you must provide that.  No news there -- it's in the HITECH Act and in the proposed rule, and also in the Meaningful Use requirements for anyone going for incentive funding for their EHR.  What is news is the discussion in the preamble about how to transmit that information to the individual.  In short, if the individual wants you to e-mail them any PHI, you need to explain that it is not necessarily secure and that the information may be exposed, and ask if they want to do that anyway.  If they say, "yes, e-mail me anyway, I understand and accept the risks," then e-mailing PHI is fine.  They note that individuals don't necessarily have the savviness to manage decryption processes, and they have a right to ask for their information however they want it (within reason), so e-mailing is fine.  Don't forget: DOCUMENT the discussion and agreement to accept the risk.

This logic may also be extended to texting.  If the individual says, "text me my test results", and you explain the risks and they say do it anyway, you may.  DOCUMENT it.

Note that this does not exempt professional communications!  Any professional exchange of PHI over the Internet MUST be encrypted to avoid breaches.  The ability to avoid encryption only applies to communication with the individuals.  Also, keep in mind that if you're going for incentive funding for your EHR, you need to provide a secure portal for patient access of information, which would minimize the need for e-mailing of PHI anyway.

Also note that I feel it would be foolish to not consider the content of any unencrypted e-mail or texting.  I would resist sending unencrypted information of a particularly sensitive nature, or any information that may be covered by more stringent regulations, such as substance abuse or HIV/AIDS information.  I think it is important to show that in your discussion to not encrypt that the nature of the information was considered.  If you're just wanting to text someone so you can say you're running 10 minutes late for their appointment, that's a low risk situation, and not the same as telling someone their oncology test was positive.  Use your judgement and document it!

 -- Is That All, Folks?

Not by a long shot.  I'm digging deep into this because I have webinars and seminars on HIPAA this week and next and on into the year.  Nothing like having to teach someone else to force you to really know your material!  I'm sure we'll all be finding little gems as we in the compliance community come to grips with the new rules.  Here is the obligatory link to my page of upcoming sessions: http://www.lewiscreeksystems.com/upcoming_public_seminars.html

Please let me know if you have any questions (how could you not... I certainly do!).  I'll do my best to sort things out for you, and I'll try to pass along any insights as they occur to me.  There is certainly a lot that can be found in 563 pages, to be sure!

Jim

              Copyright © 2002-2017 Lewis Creek Systems, LLC  Charlotte, Vermont, USA
Privacy Policy   Terms and Conditions of Use   Contact Us