September 23, 2013. Today is the day that many of those who use protected health information (PHI) must comply with new Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, which went into effect 180 days ago.
If you use PHI in your work, hopefully by now you are aware of those changes. For the first time, the Privacy and Security Rules apply directly not only to covered entities and their business associates, but also to subcontractors that provide services to those business associates. This includes the breach notification requirements that apply when PHI is compromised.
An HHS press release earlier this year noted, “Some of the largest breaches reported to HHS have involved business associates.” With the expanded scope of the rules, look for more enforcement actions in the future.
The HIPAA Omnibus Final Rule changes go into effect on September 23. Covered entities have been required to provide a Notice of Privacy Practices for several years; those notices now need to be revamped. The Final Rule clarifies and expands the obligation to report a breach of protected health information (PHI) to patients, and covered entities must specifically notify patients of their right to be informed of a breach. More importantly, an impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity (or business associate) can show, through a four-factor risk assessment, that there is a low probability that the PHI has been compromised. The four factors are the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
There are also new notice requirements covering disclosures to health plans, marketing and the sale of PHI, and the right to opt out of fundraising communications.
These are material changes, so the notice must be revised to reflect them and then made available to patients.
The HIPAA-HITECH Omnibus Final Rule has been released and was officially published on January 25, 2013. Businesses need to take steps to comply with many of its requirements by September 23, 2013, and there will be much work to do. Among other issues:
- There will be a need for changes in Notices of Privacy Practices.
- There will be greater enforcement efforts, which are already being seen in many places, and more emphasis on penalties.
- There are changes to the breach notification requirements, with more events becoming reportable.
- Business Associates are now directly liable under the Rules, and Covered Entities will need to monitor their Business Associates more closely.
- The Rule gives individuals the right to obtain an electronic copy of PHI that is maintained electronically.
In early 2009, the Department of Health and Human Services (HHS) published the final rule requiring implementation of the HIPAA Accredited Standards Committee (ASC) X12 version 5010 standards for electronic claims, referrals, enrollment, patient eligibility inquiries, coordination of benefits (COB), and remittance advices. Version 5010 replaces version 4010A1, and it is required to support the transition from ICD-9-CM to ICD-10 coding scheduled for 2013. To ensure that their electronic claims will continue to be accepted, healthcare providers have been working to prepare for the transition.
Covered entities were required to comply beginning January 1, 2012 (small plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard). Covered entities include healthcare providers, health plans, and healthcare clearinghouses.
The Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) will enforce the compliance standards. In November 2011, CMS announced, “While enforcement action will not be taken (until March 31, 2012), OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period. . . . If requested by OESS, covered entities that are the subject of complaints (known as ‘filed-against entities’) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA [version] standards during the 90-day period.”
Unless it is extended again, enforcement of compliance with ASC X12 v5010 will begin at midnight on March 31, 2012.