Last July, I summarized the significant changes in the Health Insurance Portability and Accountability Act (HIPAA). With the last of the deadlines mandated by those changes fast approaching, and a significant enforcement action levied against a dermatology group in the interim, an update is warranted.
The deadline is Sept. 23; by then, all of your business associate (BA) agreements must be modified to reflect the new privacy rules. A recent enforcement action involved a Massachusetts dermatology group that was hit with a substantial fine for violating one of those rules, sending a clear signal from the Centers for Medicare & Medicaid Services (CMS) and its enforcer, the Office for Civil Rights, that these tighter regulations cannot be taken lightly.
The criteria for identifying BAs remain the same: Nonemployees, performing "functions or activities" on behalf of the "covered entity" (your practice), that involve "creating, receiving, maintaining, or transmitting" personal health information (PHI).
Typical BAs include answering and billing services, independent transcriptionists, hardware and software companies, and any other vendors involved in creating or maintaining your medical records. Practice management consultants, attorneys, companies that store or microfilm medical records, and record-shredding services are BAs if they must have direct access to PHI in order to do their jobs.
Mail carriers, package delivery people, cleaning services, copier repairmen, bank employees, and the like are not considered BAs, even though they might conceivably come in contact with PHI on occasion. You are required to use "reasonable diligence" in limiting the PHI that these folks may encounter, but you do not need to enter into written BA agreements with them.
Independent contractors who work within your practice – aestheticians and physical therapists, for example – are not considered BAs either, and do not need to sign a BA agreement; just train them, as you do your employees. (More on HIPAA and OSHA training soon.)
What is new is the additional onus placed on physicians for confidentiality breaches committed by their BAs. It’s not enough to simply have a BA contract; you are expected to use "reasonable diligence" in monitoring the work of your BAs. BAs and their subcontractors are directly responsible for their own actions, but the primary responsibility is yours. Furthermore, you must now assume the worst-case scenario. Previously, when PHI was compromised, you would only have to notify affected patients (and the government) if there was a "significant risk of financial or reputational harm," but now, any incident involving patient records is assumed to be a breach, and must be reported.
Failure to report could subject your practice, as well as the contractor, to significant fines. That is where the Massachusetts group had trouble: It lost a thumb drive containing unencrypted PHI, and was forced to pay a $150,000 fine early this year as a result. There is no excuse for not encrypting HIPAA-protected information; encryption software is cheap, readily available, and easy to use. Had the drive lost in Massachusetts been encrypted, according to the CMS, the incident would not have been considered a breach, because its contents would not have been viewable by the finder. Stay tuned for a list of popular encryption programs. (As always, I have no financial interest in any company or product that I mention in this column.)
Patients have new rights under the new rules as well; they may now restrict any PHI shared with third-party insurers and health plans, if they pay for the services themselves. They also have the right to request copies of their electronic health records. You can bill the costs of responding to such requests. If you have EHRs, work out a system for doing this, because the response time has been decreased from 90 days to 30 – and is even shorter in some states.
If you haven’t yet revised your Notice of Privacy Practices (NPP) to explain your relationships with BAs, and their status under the new rules, do it now. You need to explain the breach notification process, as well as the new patient rights mentioned above. You must post your revised NPP in your office, and make copies available there; but you need not mail a copy to every patient.
Dr. Eastern practices dermatology and dermatologic surgery in Belleville, N.J. He is the author of numerous articles and textbook chapters, and is a long-time monthly columnist for Skin & Allergy News.
