Significant Changes in Store
“One of the stranger changes I ran across is a patients’ rights one,” says Tom Corrao, an IT security analyst at Integrated Solutions. He’s talking about the final rules of the Health Insurance Portability and Accountability Act (HIPAA) that go into effect March 26.
Patients now have the right to request the restriction of uses and disclosures, says Corrao. “So if an individual pays by cash, they can request not to have information shared with their health plan provider,” Corrao says. “I don’t know how electronic medical records can manage that request and that’s going to have to be created.”
“It gets difficult because you have to request this before the treatment,” says Russ Dorsey, CEO of Integrated Solutions. “Otherwise, the physician can send your prescription to the pharmacy through e-prescribe while you’re in the exam room and they need to know not to bill your plan.”
Practices and vendors have 180 days to put the programming, policies and procedures into place to uphold these new HIPAA changes. “Once the September 26 deadline hits, there’s no more forgiveness for noncompliance,” Corrao says. Prior to that, penalties fall under the interim rule.
The complete final rule document runs a ponderous 563 pages. “That’s a lot of changes that managers have to read through,” Corrao says, “but there’s a 40-page summary by the American Health Information Management Association that’s a good place to start.” 
The biggest change falls under the definition of a business associate (BA). “It’s expanded. You’re now liable for anybody who deals with your patient health information, including those who subcontract with your BAs,” Corrao says.
“Say you have a BA with an IT company,” Dorsey says. “Your assumption is they hire bonded people, but they’re actually buying support out of India or a third party to do patches. All of a sudden people who are not direct employees of their company are handling your data. But you didn’t know, because they did not disclose that to you. If they do anything inappropriate with your data, you’re now liable. That’s why at Integrated Solutions, we don’t subcontract out anything.”
The same liability holds true for all BA agreements, including those with the vendors who handle your lab work or the billing interface back to Medicare.
This means healthcare facilities are responsible for violations that are beyond their control or knowledge. “Even the cleaning company and whoever they subcontract with. Even though they should not go into that office containing patient information, they could,” Dorsey says.
To become compliant, get your attorney to amend the BA agreements so every vendor must fully disclose every subcontractor (and their subcontractors) that might have access to your data. Then get copies of the agreements your BAs hold with all their subcontractors.
“If the BA or subcontractor messes up and you have that agreement, you’re covered entirely,” Corrao says. “They’re the ones who have to notify HIPAA, send the press releases and pay the penalties.”
Another radical definition change in the final rules applies to “breach.” Instead of assessing a breach based on the potential harm to an individual, four standards outlined in the final rule will determine whether one occurred. “Under the old rule, if someone stole a laptop and ran out into the parking lot, but you tackled them and brought the laptop back, no harm was done,” Dorsey says. “Under the new rule, it’s more subjective. You’d have to prove you had line of sight with the laptop the entire time, so they didn’t switch it.”
“The question now is did a breach take place versus did it potentially harm an individual. That’s what changed,” Corrao says. He interprets the new rule as favoring the practice because it’s less subjective. “But it’s not going to be easy. You’re going to have to say this is what we did and how we know nothing came out. It’s a stringent way to prove it with those four qualifiers.”
A minor but potentially troublesome change in the final rules significantly shortens the time allotted to fulfill requests for information from patients. Previously, practices and hospitals had 60 days. Now they have 30 days, with the possibility of only one 30-day extension.
However, how the information can be provided to patients has notably broadened. Patients have the right to request their information electronically or on paper. “The patient can request any form they want, including email, even if it’s not encrypted,” Corrao says.
“All that security they rushed to put in place, and now it’s all open,” Dorsey says. “But I’ve always said that email is really not any different than dropping the paper version into the U.S. mail. You lose total control over it there too. The rule is all about legality rather than what’s necessarily technically secure or practical.”
When it comes to penalties, Corrao says HHS will be considering the overall history of compliance by the practice or hospital. “So keep your previous risk analysis and be able to show revisions to your documents over time,” he says. “If you can’t prove or demonstrate that, then expect your penalties to go up accordingly.”
By March 26, HHS plans to have info to help with compliance available on their website at . To download the full final rule document go to .