A quarterly review of Company and industry news for Medical Mutual member-policyholders.
The Advocate
Winter 2009/2010
Providers and Business Associates Prepare for Changes in HIPAA Regulations
By Cinde Warmington
The Health Information Technology for Economic and Clinical Health Act, commonly referred to as HITECH, was adopted as part of the economic stimulus bill last February. Among other things, HITECH includes changes to HIPAA that have a significant impact on both providers and their business associates. Key among the changes are the new breach notification requirements, which obligate providers and business associates to track and report breaches. The Interim Final Rule governing breach notifications was issued on August 24, 2009 with an effective date of September 23, 2009.
Although the law is already in effect, the Secretary of the U.S. Department of Health and Human Services has indicated that no sanctions will be imposed on providers who fail to comply with the breach notification requirements for breaches which occur
The breach notification requirements are very detailed but, in general terms, every breach requires the provider to conduct an evaluation to determine if an actual breach has occurred. If so, the provider must perform a risk assessment to determine if the security or privacy of the patient’s protected health information (“PHI”) was compromised. If the risk assessment reveals a significant risk of financial, reputational or other harm to the patient, the provider must follow the breach notification requirements. Notice of the breach must be given to the patients by first class mail unless the patient has agreed to receive electronic notice. There are additional requirements for giving notice when the patient is deceased, when the provider does not have the patient’s current contact information and when the breach involves 500 or more patients. Business associates are required to give the provider notice of any breaches and are also required to comply with certain security standards to protect any electronically stored data. The new changes to the law impose significant sanctions on both providers and business associates for breaches and for the failure to comply with the breach notification requirements.
In addition to providing patient notification, providers will also be required to give notice of the breach to the U.S. Department of Health and Human Services (“DHHS”). This is a significant shift from previous rules, which required providers to keep an accounting of improper disclosures but did not require patient notification except to the extent necessary to mitigate any harm caused by the breach. What this means to providers is that every breach will require evaluation, including unauthorized use by the provider’s own employees. For example, previously, if an employee improperly accessed a patient’s record out of curiosity, the employee would likely have been subject to discipline, most likely termination. Under the new requirements, the provider will most likely be required to give notice of the breach to the patient and to DHHS. Inadvertently faxing a document to an incorrect phone number is also likely to require notification, as will any loss of unencrypted electronic patient data, for example the loss of a laptop containing protected health information.
To be in compliance with the new rules, providers are required to revise their policies and business associate agreements, train their employees on the new requirements and implement sanctions for employees who fail to comply with the privacy policies. Providers who are not already in compliance are urged to begin implementation immediately so as to be in full compliance with the law before February 22, 2010.
The breach notifications are only part of the changes to HIPAA included in HITECH. Additional changes include, but are not limited to, new requirements to account for disclosures for users of electronic health records, new requirements limiting the content of disclosures and new restrictions on the use of PHI for marketing and fundraising purposes. Providers seeking additional information about the breach notification requirements and other HIPAA changes may access a PowerPoint presentation on the subject.
Cinde Warmington is a partner and chair of the Health Law Practice Group at the law firm of Shaheen & Gordon, P.A. in Concord, NH. Questions may be directed to her at (603) 225-7262 or through the firm’s website at www.shaheengordon.com.
1 Depending on the nature of the breach, providers may already have an obligation to give notification to the patient and the State’s Attorney General’s office.