Are You Prepared to Implement HIPAA Mega Rule Requirements?

The new HIPAA Omnibus Rule, also referred to as the “Mega Rule,” was released on Jan. 17 and health care providers only have until Sept. 23, 2013 to implement the changes published by the Department of Health and Human Services.

The new rule significantly expands the government’s power to enforce the HIPAA rules and impose greater penalties. Changes to the enforcement rule include provisions that business associates and their subcontractors are subject to enforcement and fines. The new rule requires investigators to review complaints or compliance issues where there is possible willful neglect, and to assess fines if willful neglect is confirmed.

A business associate now includes all entities that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of a covered entity. Business associates are directly liable for uses and disclosures of PHI that violate the Business Associate Agreement or the privacy rule. Business Associate Agreements must be amended to include the new requirements, such as having written agreements with subcontractors, complying with the release of a request for an electronic copy of PHI, complying with the Breach Notification rule, and outlining to whom the practice’s PHI can be released.

The new HIPAA Mega Rule changes the definition of a breach of PHI to include any unauthorized access, use or disclosure of unsecured PHI, unless a risk assessment is performed that indicates there is a low probability that the PHI has been compromised. The risk assessment must be performed after both improper uses and disclosures, and include the nature and extent of the PHI involved, a list of unauthorized persons who used or received the PHI, if the PHI was in fact acquired or viewed, and the degree of mitigation. The Notice of Privacy Practices must include a statement of the individual’s right to be notified following a breach of unsecured PHI.

Patients now have the right to receive a copy of their PHI in an electronic format. If it is not readily available in an electronic format, the covered entity must produce the PHI in a readable hard copy format or other agreed upon format such as a Microsoft Word or Excel document, PDF or text file.

The revised HIPAA Omnibus Rule added a new provision for individuals to request restrictions to their PHI. It allowed a patient, who wishes to pay for an item or service out of pocket, to request that PHI related to that item or service not be disclosed to their insurance company. The Covered Entity has to agree to a requested restriction on disclosures of PHI about the individual to a health plan if disclosure is for purposes of payment or health care operations and is not otherwise required by law, and if the PHI pertains to a health care item or service for which the individual requests and pays for the service in full.

Providers can now communicate health information about a deceased patient directly to family members or others involved in the care of the patient unless it is contrary to the wishes of the patient prior to his/her death. The new rule also states that HIPAA regulations no longer apply after an individual has been deceased over 50 years.

The new rule increases restrictions for using PHI for marketing and fundraising activities so that a covered entity must obtain patient authorization for any marketing communication where the vendor receives payment. The Notice of Privacy Practice must state that an authorization is required for disclosure of psychotherapy notes, use of PHI in marketing and sales of PHI. The Privacy Notice must also include a statement that patients have the right to opt out of fundraising solicitations.

It is very important that covered entities and business associates be aware of the new rules that may affect their business. Additional information regarding changes to the HIPAA Omnibus Rule can be found at www.hhs.gov/ocr/privacy.

Carol Crews, CMPE, is the Director on Healthcare Consulting Services in the accounting and consulting firm of The LBA Group, located in Jacksonville, FL. Carol can be contacted at ccrews@thelbagroup.com or (904) 396-4015.

The LBA Group is a proud member of the National CPA Health Care Advisors Association (HCAA). HCAA is a nationwide network of CPA firms devoted to serving the health care industry. Members provide proactive solutions to the accounting needs of physicians and physician groups. For more information, contact HCAA at info@HCAA.com.