2015 Volume 12 Number 3 July-September

Keeping Up with HIPAA

Elizabeth B. Ruszczyk, VP Compliance and Privacy
David M. Wilkens, Director of Privacy
UF Health Shands

The Department of Health & Human Services (HHS) released the HIPAA Omnibus Rule in January 2013, modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. The Omnibus final rule implemented most of the privacy and security provisions of the HITECH Act and extended the reach of HIPAA. With a few exceptions, organizations were required to comply with the final rule by September 23, 2013. Although many HIPAA provisions did not change, the final rule made significant changes affecting covered entities, business associates, and subcontractors of business associates: the breach notification standard was revised; certain HIPAA provisions now apply directly to business associates and their subcontractors; patients have enhanced rights to access their Protected Health Information (PHI) and to restrict its disclosure; the rules on use and disclosure of PHI were adjusted; and, notably, the government's ability to enforce HIPAA was strengthened.

Breach notification.

HHS eliminated the "harm threshold" from the Breach Notification Rule. Under that provision, covered entities were required to give notice of a security breach only if it posed a significant risk of harm to the affected individuals. Under the final rule, any use or disclosure of PHI that is not permitted by the Privacy Rule is presumed to be a breach. A breach is generally an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI, unless the covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the PHI has been compromised. When an impermissible use or disclosure occurs, a covered entity must therefore conduct a risk assessment that considers the factors set by HHS: the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. This change to the definition of a breach may mean that covered entities will see an increase in the number of breaches that must be reported to HHS.

Stronger requirements for Business Associates and subcontractors.

Much of the Privacy Rule and all of the Security Rule now apply directly to both business associates and their subcontractors. A "business associate" is a person or entity, other than a member of a covered entity's workforce, that performs functions or activities on behalf of, or provides certain services to, a covered entity and in doing so has access to PHI. A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate. Business associates and their subcontractors that did not already have a HIPAA compliance program must now create and implement one, and business associates must conduct a thorough risk analysis of the information systems that contain electronic PHI.

New limits on uses and disclosures of PHI.

The final rule addressed a number of privacy issues related to uses and disclosures (sharing) of PHI, including communications for marketing or fundraising, exchanges of PHI for remuneration, disclosures of PHI to persons involved in a patient's care or payment for care, and disclosures of student immunization records. One pleasant surprise for the health care industry was the expansion of the PHI that may be used and disclosed for fundraising. Previously, a covered entity could use or disclose only demographic information and dates of service for fundraising purposes. The final rule expanded the categories of PHI that may be used and disclosed, allowing for targeted fundraising communications; the new categories include department of service, identity of the treating physician, general outcome information, and health insurance status. Another positive change affects clinical research: the final rule allows "conditioned" and "unconditioned" authorizations to be combined in a single document, which simplifies authorization paperwork for those conducting research. A challenge presented by the new rules is the additional restriction on marketing and on the sale of PHI. The final rule expanded the uses and disclosures of PHI that are considered "marketing" and therefore require the patient's authorization.

Expanded focus on patient rights.

The final rule expanded patients' rights to access electronically stored PHI. Organizations must give patients their medical record in the form and format requested, if it is readily producible in that form. If the record is maintained electronically, the covered entity must provide an electronic copy at the patient's request. A patient may also designate a third party to receive a copy of his or her PHI; the request must be in writing, clearly identify the designated person, and clearly state where to send the copy. The final rule also established that covered entities may charge patients a "reasonable, cost-based fee" for the release of electronic medical records. Such a fee may include only the cost of labor for copying the PHI requested, the supplies for creating the paper copy or the electronic media (if the patient asks for the electronic copy on portable media), postage, and the preparation of an explanation or summary of the PHI where the patient has agreed to receive one. It may not include charges for searching for the records, retrieving the file, or other administrative costs.

Restriction for out-of-pocket payments.

The final rule also allows patients to restrict disclosures about items or services paid for out of pocket. A covered entity must agree to a patient's request to restrict disclosure of PHI to a health plan if the item or service has been paid for out of pocket and in full, unless the disclosure is required by law. This applies whether the patient or another person on the patient's behalf pays for the item or service. Health care organizations must also honor such a restriction if audited by a health plan, since the record may contain patient information that must not be disclosed to that plan.

Notice of Privacy Practices.

The final rule changed what organizations must include in their Notice of Privacy Practices. Updated notices must advise patients of the changes required by the final rule, including:

The prohibition on the sale of PHI without the written authorization of the individual

The duty of the covered entity to notify affected individuals of a breach of unsecured PHI

The patient's right to opt out of receiving fundraising communications

The patient's right to restrict disclosure to a health plan when the patient pays out of pocket

The final rule made it clear that genetic information is included in the definition of "health information" and is subject to the HIPAA rules. Under the Genetic Information Nondiscrimination Act (GINA), health plans are prohibited from using or disclosing genetic information for underwriting purposes.


Increased enforcement.

The HIPAA Enforcement Rule contains provisions on compliance and investigations, the imposition of civil money penalties (CMPs) for HIPAA violations, and procedures for hearings. The HHS Office for Civil Rights (OCR) enforces the rule; one way it does so is by investigating complaints filed with it. OCR may also conduct compliance reviews to determine whether covered entities are in compliance, and it performs education and outreach to foster compliance with the Privacy and Security Rules.

Significant modifications to the Enforcement Rule include provisions affecting OCR compliance investigations, the imposition of CMPs, the liability of covered entities for the acts of their business associates, the liability of business associates for the acts of their subcontractors, and mandatory CMPs for violations due to willful neglect. Business associates and their subcontractors are now subject to CMPs and other enforcement actions for noncompliance with the HIPAA provisions that apply to them. Under the final rule, OCR will investigate all cases of possible willful neglect, defined as a "conscious, intentional failure or reckless indifference" to the obligation to comply with HIPAA, and will impose a penalty for every violation due to willful neglect. A table describing the tiers of civil money penalties is shown below.

[Table of civil money penalty tiers: image not reproduced in this extraction]