HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first consists of final modifications to HIPAA mandated by “HITECH”, along with modifications intended to improve the Rules, which were issued as a proposed rule on July 14, 2010; it includes six modifications.

The first omnibus final rule includes direct liability modifications for business associates of covered entities for compliance with certain HIPAA privacy and security rule requirements; strengthening of limitations on the use and disclosure of protected health information; expanded rights for individuals to receive electronic copies of their health information; modification and redistribution of entities’ privacy practices protocols; and modification of individual authorization forms and other requirements to facilitate research and disclosure of child immunization proof to schools, as well as to enable access to decedent information. Lastly, the enforcement rules have been modified to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves the breach notification for unsecured protected health information under the “HITECH” Act. This rule replaces the prior rule’s “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered business entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

| Violation Category – Section 1176(a)(1) | Each Violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100-$50,000 | $1,500,000 |
| (B) Reasonable Cause | 1,000-50,000 | 1,500,000 |
| (C)(i) Willful Neglect-Corrected | 10,000-50,000 | 1,500,000 |
| (C)(ii) Willful Neglect-Not Corrected | 50,000 | 1,500,000 |

Providers need to be aware of the penalties for violating the rules. As we most recently reported to you, the Office of Civil Rights will not hesitate in sanctioning providers for violating the Act in amounts in excess of $1.5 million.

Portal not "Port-All"

By: David Hirshfeld

Whether as a means of satisfying the Stage 2 “meaningful use” requirements of the HITECH Act, or in an effort simply to enhance the efficiency of their practices, many of our clients have been implementing electronic medical records software that includes patient portals.  A “patient portal” is an electronic doorway between patient and practice.  Portals often allow patients to check and download their own treatment records, and to use digital messages as a means of communicating with clinicians.  Portals can be awesome tools with which to enhance your practice, but they need to be implemented thoughtfully.

A portal is often an excellent way in which to add operational efficiencies that reduce costs, increase patient satisfaction, and increase positive outcomes; BUT, if not carefully monitored, it can become an inadvertent point of entry for information, the meaning of which can only be appreciated when delivered in a face-to-face office visit, where other aspects of the patient’s condition would be evident (e.g. pallor, swelling, confusion).

Portals should be limited to more benign encounters, such as: patient registration, financial clearance, medical history, appointment scheduling / confirmation, specialty referrals, notification of test results, online bill payment, non-narcotic prescription renewals, and follow-up of specific conditions for which there has been a course of in-person treatment that included an agreement as to the use of the portal for follow-up.

I recommend that practitioners train their patients how and to what extent they should use the portal by presenting patients with a “Terms of Use” agreement (that they must sign); and by reminding patients of the Terms of Use if and when they use the portal for an encounter that should have been handled by an in-office visit.

A good “Terms of Use” agreement ought to convey the following information to patients before they use the portal:

  • Identify the proper subject matter to be communicated through the portal and, just as important, the types of communications that should NOT be made through the portal.
  • In addition to communication, what other functions the portal will make available to the patient (e.g. what records can patients view, can they download, can they transmit to other providers, refill prescriptions, help practice to monitor an ongoing condition, etc.).
  • The portal is highly secure, more secure than conventional email, and should be the only way that patients convey information to the practice other than in-person or, perhaps, on the telephone.
  • Everything conveyed to the practice through the portal will become part of the patient’s medical record.
  • Not only the physician, but other clinicians and practice staff may read communications made through the portal.
  • How quickly, and in what format, the practice will respond to patient communications made through the portal.
  • Whether and on what terms the practice will allow access to records of its minor patients.
  • How modifications to the “Terms of Use” and portal functionality will be conveyed to patients.
  • A primer, as simple as possible, on how to effectively use your practice’s portal.

Portals can be awesome tools with which to enhance your practice; but they need to be implemented thoughtfully, and in conjunction with patient training.