Nuances of the New HIPAA Rules, New BAA Template

As time goes by and we in the compliance community have the opportunity to digest the new rules a bit more and dig deeper into some of the tidbits hidden in the Preamble to the changes, new details will emerge, new understanding will develop, and a framework for implementing the HIPAA updates will take shape.  Here's how it looks so far:

 -- A Framework for Implementing the HIPAA Changes

1) Policies will need to be modified or adopted to deal with the changes to business associates, individual access, breach notification, marketing and fundraising, and lots more.  This will not be a simple job, depending on the complexity of your current policies, and must be executed by September 23, 2013.

2) Your Notice of Privacy Practices will need to be updated to reflect the new patient rights, and may be modified to remove language no longer required pertaining to some marketing activities that now will require an authorization instead.  This also will need to be implemented by September 23, 2013.  Providers will NOT have to mail out a new one to patients, but will need to use it and make it available and properly posted in their offices and on their Web sites.

3) Update your Business Associate Agreements to meet the new standards, and while you're at it, add in beefier protections for breaches, liability and indemnifications, so you don't get caught holding the bag if a BA plays fast and loose with your PHI.  Luckily, the big news is that upon official publication of the new rules on January 25, 2013, they also released updated HIPAA Business Associate Agreement template provisions, available at the same Web address as the old, ancient, obsolete version:  (Shorter link: )

Now, just as before, this language is hardly stuff your lawyer would like you to sign as is, but it does identify the elements that must be in a modern BAA meeting the new standards.  Do not adopt it as is, but use it to look at your current template and agreements, identify needed changes, and work with your attorney to implement those changes in a way that is legally correct for you, in your state.

Compliant BAAs under the old rules in place as of January 25, 2013 have until September 23, 2014 to be updated, and this includes "evergreen" contracts that auto-renew without intervention.  Any new or manually renewed contracts must meet the new requirements by September 23, 2013.

4) And then once you implement the new policies, NPP, and BAAs, you'll need to make sure the proper procedures are developed and training takes place so it all works.

 -- Speaking of Business Associates...

I've long spoken of the issues of the proposed rules for Business Associates, providing an example of how the shredding company for a business associate that provides services using PHI on behalf of a covered entity could unwittingly find itself under the regulations of the US Department of Health and Human Services, with significant compliance obligations and penalties for non-compliance.  I spoke of how difficult it would be to educate all the business associates and their subcontractors all the way down the chain to implement the rules fully.

Well, it's even more complicated than that.  Here's a scenario:  You have an official e-mail system that your office uses for all professional communications and you have a policy that says staff should ONLY use that system.  One staffer goes outside of the policy and uses G-mail to send someone in another office some PHI.  Under the new rules?  BAM!  Google is a Business Associate because they have access to your firm's PHI.  Without any notice or intervention, and despite any terms of service they might wish to implement. With that one act, both you and Google are in violation of the HIPAA BA rules, without your or their knowledge.

Needless to say, there are some serious issues that result from this interpretation, and we will just have to see how this shakes out.  Will there be forthcoming guidance that softens the blow?  That doesn't seem likely given the wording in the preamble to the new rules, but it could happen.  Here is a link to a good article by Health IT lawyer John Christiansen discussing this topic and the impacts in some cloud and ISP circumstances:  (Or use this short link: )  

Isn't HIPAA fun?

 -- And if I've provided you any BAA or policy language in the past...

It probably needs updating.  I'll try to be proactive and let you know, although a lot of policies and agreements have been developed over the last ten years of HIPAA.  If you have questions about yours, please let me know and we can set up a review.  Also, I have four Webinars this week and next, on Breach Notification, E-mail and Texting, the new Final Amendments, and Business Associates -- I'll be including the new rules in all of these.  See my page for more information on these and many more: 

Please let me know if you have questions -- I'm always happy to help!


Copyright © 2002-2019 Lewis Creek Systems, LLC  Charlotte, Vermont, USA