Bottom Line  |   June 01, 2011
Possible HIPAA Changes Ahead
Author Notes
  • Kate Romanow, JD, director of health care regulatory advocacy, can be reached at kromanow@asha.org.
The ASHA Leader, June 2011, Vol. 16, 3-19. doi:10.1044/leader.BML.16072011.3
Audiologists and speech-language pathologists should be aware of proposed changes to the regulations of the Health Insurance Portability and Accountability Act (HIPAA) that deal with enforcement, privacy, and business agreements.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, contains a number of changes to HIPAA regulations. Some of these changes—regarding notification of affected individuals when there is a security breach of protected health information (PHI), a patient’s right to request restrictions of PHI, and the liability of health care providers’ business associates—are already in effect (see “The Impact of Recent HIPAA Changes,” July 6, 2010).
Other changes will be implemented through a rule-making process. In July 2010, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released a proposed rule to implement further changes to HIPAA. HHS stated that a final rule would be released in March 2011. However, at press time the final rule implementing these changes had not been published.
Enforcement
Proposed HIPAA changes related to enforcement deal with civil penalties and complaints and compliance reviews.
Civil Monetary Penalty Basis
Under current regulations, a covered entity (a health care provider that transmits health information in electronic form) can incur a civil monetary penalty for violations committed by its agents (except when the agent is a business associate, a compliant business associate agreement is in place, and the covered entity was unaware of the practice and did not fail to act as required by HIPAA). The proposed rule eliminates this exception, leaving a covered entity liable for the acts of its business associate. This change may require covered entities to conduct due diligence and audits on business associates to ensure they are in compliance with HIPAA.
Civil Monetary Penalty Factors
The proposed rule changes the factors determining the amount of a civil monetary penalty. Two of the factors that now may be considered are whether the violation is the same as or similar to previous violations, and whether or to what extent the covered entity has attempted to correct the previous violations. The proposed rule changes the wording “previous violations” to “previous indications of noncompliance.” If the final rule adopts this language, it will require an explicit definition to prevent confusion.
Complaints and Compliance Reviews
If an investigation or compliance review indicates the covered entity is not in compliance, under current HIPAA regulations the secretary of health and human services will attempt to resolve the matter by informal means whenever possible. However, the proposed rule changes “will” to “may,” which allows the secretary to proceed directly to formal enforcement without attempting informal resolution. This terminology changes the enforcement focus from compliance to sanctions.
Privacy Restriction Right
Prior to the HITECH Act, individuals could request that a provider (as a covered entity) restrict use and disclosure of their PHI, but the provider did not have to agree to the restriction. Now, if an individual pays for a service out-of-pocket, the provider must grant the individual’s request to restrict the use and disclosure to a health plan of PHI related to that service. If an individual’s payment for the health care item or service is not honored, then the provider can submit the PHI to the health plan for payment because the individual has not fulfilled the requirements to request a restriction.
In the proposed rule, OCR states that it expects the covered entity to make a “reasonable effort” to resolve the payment issue prior to sending the PHI to the health plan. The final rule will define what constitutes a reasonable effort. In the proposed rule, OCR also requested comments on whether downstream entities (such as subsequent health care providers) should be notified of restrictions. That requirement, if included in the final rule, could add documentation and record-keeping obligations.
Business Associate Agreements
Under current rules, business associates must ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect any electronic PHI provided by the business associate. OCR proposes that business associates be required to enter into a contract or other agreement with a subcontractor to protect the security of electronic PHI.
OCR also proposes to remove the requirement that a covered entity report to the secretary of health and human services when termination of a business associate agreement is not possible. Because business associates are now liable for violations of HIPAA and must report breaches of PHI, these mechanisms will allow OCR to learn of any breaches or misuse of PHI by a business associate.
The proposed rule also would add a provision to the HIPAA regulations clarifying that a business associate is contractually liable not only for uses and disclosures of PHI, but also for all other requirements of the privacy rule as they pertain to the performance of the business associate agreement.
June 2011
Volume 16, Issue 7