For many of you, thinking or reading about HIPAA is about as pleasurable as a trip to the dentist. Well, the HIPAA rules have changed with the Omnibus Rule, and it deserves a slot on your calendar. Rather than dig into the gritty details, we'll go over what you need to do, why you need to do it, and why sooner is better than later. Falling asleep at the HIPAA switch now really could turn out the lights at your practice.
Why You Need to Know About the Omnibus Rule
Let's take this scenario as an example. You set out to send a promotional mailer to your past and current spider vein patients. The mailer invites your patients to come in for discounted spider vein removal using the new technology you recently acquired. The vendor's salesperson who sold you the new treatment technique offers to pay for the mailing to assist you in its launch. The mailing goes out to 5,000 patients in your database. One of your patients complains, and the complaint makes its way to the Office for Civil Rights (OCR). OCR finds an impermissible disclosure of protected health information (PHI): in this case, marketing paid for by a third party without a properly documented patient authorization and without an updated Notice of Privacy Practices. They calculate a penalty of, let's say, $50 per patient. At 5,000 patients that's $250,000 in penalties. At the same time, they feature you in a press release and post your violation on their website, their listserv, their email list, and more. And yet that's not the worst of it.
It's not that the fines alone could be lethal, it's the damage to your reputation that could land the fatal blow. Over the ensuing 90 days, the word gets out in your community and your patients learn about it. Will it be one in five, three in five? How many patients will not give you the opportunity to explain? How many will simply go elsewhere?
I'm not suggesting this or similar scenarios will become commonplace, but nine out of 10 covered entities experienced some level of PHI breach over 2011 and 2012, according to the annual Ponemon Institute December 2012 study.
That scenario is one example of why the Omnibus Rule gives HIPAA a much stronger punch. Here's a quick look at four things you need to know, and the steps you can take, to keep the new HIPAA rules from punching the lights out of your business.
1. Use of PHI for Marketing
As our example shows, the rules on marketing (and on the sale and use of PHI) under the Omnibus Rule have changed quite a bit. According to Amy Fehn, attorney for Wachler and Associates P.C., who regularly assists healthcare providers in HIPAA compliance, "Marketing methods you used last year may no longer be compliant based on the new definition of marketing. Communications that previously met the exception will no longer meet the exception if indirect or direct remuneration is received by the Covered Entity. A signed authorization that notifies the patient of your intended use of their PHI, including any actual or potential remuneration, is now required."
Of course, it's not that straightforward. There are exceptions, like face-to-face consults, what you say in your marketing content, and more. It can get confusing quickly. We recommend seeking legal guidance to ensure you're protected. Ms. Fehn's firm, for example, has developed a program to review your marketing campaign, update your Notice of Privacy Practices, and an authorization form to ensure you are promoting healthcare services in a compliant manner. Regardless of who you use, if your business model includes marketing your services to patients and the community at large, part of your marketing budget should include a legal review fee.
Step to take:
Update your Notice of Privacy Practices and authorization documentation to address the requirements of the Omnibus Rule. Download it, purchase it, or have one written for you. Either way, be certain to have it done.
2. Breach Notification Requirement
One of your providers loses their mobile phone. It has PHI on it, but that data is encrypted. Within an hour IT is contacted and the phone is remotely wiped. Did a reportable HIPAA breach occur? The encryption is the key. The breach notification rule applies only to "unsecured" PHI, and HHS guidance treats PHI that was encrypted consistent with NIST standards as secured, provided the decryption key was not exposed along with the device (a phone whose encryption is unlocked by a trivial PIN is a weaker case). Properly encrypted data on the lost phone therefore does not trigger notification. The remote wipe by itself does not settle the question, because you cannot prove the wipe reached the device before anyone read it. If the PHI was not encrypted, the answer is yes. But regardless, what do you do now?
The Omnibus Rule represents a paradigm shift in how harm is assumed in the event of a breach. Previously, under the interim rule's harm standard, you had to notify only if the incident posed a significant risk of financial, reputational, or other harm to the individual, which gave you the benefit of the doubt. Now an impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, based on a documented risk assessment of at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Be prepared to justify any decision not to report.
Additionally, your behavior from the moment you discover a breach will affect the severity of your penalties. In short, act fast (affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery, with HHS, and for larger breaches the media, notified as well), act decisively, and we recommend you don't act alone. There are professionals who can efficiently navigate the waters with you. Our HIPAA emergency response team, for example, can conduct an incident risk assessment and, if necessary, a forensic analysis of the incident and its impact. On the legal side we have a nationwide network of attorneys with HIPAA expertise and can introduce you to one in your area.
Step to take:
If you suspect or know a breach occurred, conduct and document the four-factor incident risk assessment, or hire someone to perform it for you.
3. Omnibus and the Business Associate
The most dramatic change resulting from the Omnibus Rule affects your vendors that are business associates (BAs). Business associates are redefined (subcontractors that handle PHI on a BA's behalf are now business associates too) and are directly liable for their own compliance. As a covered entity, you are required to update all of your business associate agreements by the September 23, 2013 compliance date; agreements already in place and compliant with the prior rules, and not modified in the meantime, may run until September 22, 2014 before they must be brought into line. It's no longer sufficient to download a generic BA agreement, type your practice name and the applicable vendor name in, and send it off for signing. Among other modifications, the new agreement should apply what's known as the "minimum necessary" principle when describing the scope of PHI access the business associate has, and why. The BA agreements for your IT vendor, your billing company, and your EMR support vendor will therefore each differ.
Step to take:
Update all of your Business Associate agreements tailored for each vendor.
The Omnibus Rule's impact on you and your business associates extends considerably beyond what we discussed here. Your exposure for a BA's conduct is significantly reduced if the BA does not meet the legal definition of an agent. For more information, contact me at the email below and I'll forward our webinar schedule or send you a copy of our Omnibus Rule presentation.
4. HIPAA Violation Penalty Structure
Finally, at least in terms of what we're covering here, the Omnibus Rule puts into full effect and refines the penalty structure called for in the HITECH Act. The civil money penalty (CMP) tiers and amounts have been further explained. To be brief: penalties run from $100 to $50,000 per violation depending on the level of culpability, with willful neglect at the top tier, and the $1.5 million figure you hear quoted is an annual cap per identical provision violated, not a ceiling on an incident. Since a single incident typically involves violations of several provisions, the total can exceed $1.5 million. Criminal penalties are a separate matter: knowingly obtaining or disclosing PHI in violation of HIPAA can be prosecuted by the Department of Justice.
At a recent conference in Washington, DC, representatives from OCR spoke about increased auditing capabilities and their determination to see greater compliance. Other speakers said the medical community is now among the most hacked industries in the country and that the street value of a medical record is around $50, while a Social Security number fetches only $1. For those who don't feel their database is worth anything to anyone, do the math: 10,000 patients at $50 each is more than enough incentive for the miscreants who trade in this sort of information to target you.
The Omnibus Rule also brings into focus five of the guidelines HHS will use when determining a penalty:
- The nature and extent of the violation, including the number of individuals affected
- The nature and extent of the harm resulting from the violation. The harm determination will include consideration of the reputational harm the incident may have caused.
- History of prior compliance with the administrative simplification provisions, including past violations by the covered entity or business associate. In other words, don't wait for a breach to occur to initiate a compliance program. Your behavior prior to, during, and subsequent to a breach will factor heavily in the penalty determination.
- The financial condition of the covered entity or business associate. If you can demonstrate you simply didn't have the financial resources to achieve compliance, that will be taken into consideration. However, products like HIPAA Security Suite are driving down the cost of compliance, and the financial hardship argument may not be your best bet.
- Such other matters as justice may require.
A large degree of discretion is in the hands of the people that would be assessing your penalties. That being the case, first impressions and a demonstrable commitment to compliance could impact the fiscal penalties.
Step to take:
Recognize the financial risk you face and set a deadline to achieve HIPAA compliance.
OK, even with the Omnibus Rule now being law, it's very unlikely a HIPAA violation is going to shut down your practice. However, the cost of compliance is immaterial relative to the risks you face.
Beyond the rules and regulations, it's not the legal or financial risks that should motivate you to make HIPAA compliance a priority, it's the responsibility of keeping secure the sensitive information your patients have entrusted with you.