A long-awaited update to the patient privacy and security rules that were established 10 years ago under HIPAA (the Health Insurance Portability and Accountability Act) is meaning significant changes for family physicians and their practices. Recently released regulations that enforce the Health Information Technology for Economic and Clinical Health (HITECH) Act expand the scope of the privacy and security provisions of HIPAA. The updated rules, which went into effect March 26, 2013, and which practices must comply with by Sept. 23, 2013, may be confusing to some, but this much is clear: The penalties for violations of the law have increased, and the government will enforce these rules, even for relatively small practices.
This article is intended to provide practical guidance to help physicians and their practices understand and comply with the law. While occasional errors in managing protected health information (PHI) are inevitable, it is increasingly evident that prevention is by far the best tactic.
Business associates: who, what, and when?
The “business associate” (BA) section of HIPAA, which dictates with whom a health care provider or other covered entity may share PHI, frequently confuses practices; namely, how do you define who is a BA? As a general rule, the fundamental question to ask yourself is “Do they perform a service on our behalf that has them accessing, using, and/or disclosing our patients’ PHI?” If the answer is “yes,” then the entity is probably your BA. While relatively straightforward in theory, this question can be harder to answer in practice, because whether an entity is your BA also depends on the nature of the activity the entity performs for you and the degree of control you exercise over it.
Not all disclosures of PHI create a BA relationship. For example, referring a patient to radiology for an imaging study does not make your practice the BA of the radiology practice. Likewise, the radiology practice would not be your BA when it sends back the results. Each entity is using the PHI for its own purposes, and the disclosure is done by one covered entity to another for treatment purposes. But if your practice was purchasing and billing for the diagnostic tests performed by the radiology group, then the radiology group would be your practice’s BA.
If you have direct control over the individuals performing the service, they generally are not BAs and are instead considered “workforce.” Your own staff members are not your BAs. By contrast, an independent contractor over whom you exercise no control at all (such as your attorney or your call service) is a BA if it has access to your practice’s PHI.
However, things become more complicated if you exercise a sufficient degree of control over a separate corporate entity to make it an “agent” of your practice under federal common law. In such cases, you are responsible for its PHI infractions. For example, a staffing company that provides part-time physician assistants to your practice could be a BA. But your practice might also be held responsible for HIPAA violations by the physician assistants as you have a greater degree of control when they are working in your facility. In essence, the physician assistants are your agents even though you do not directly employ them.
The new regulations expand the number of entities that are considered BAs because of the routine access to PHI that they require. These can include electronic prescribing gateways, health information organizations, and other data-transmission services. Similarly, entities that maintain PHI on behalf of a covered entity, such as your document storage company, are now considered BAs. However, the regulations exempt entities with “random” access to PHI (such as an Internet service provider), considering them to be a “mere conduit” of information. Your electronic health record (EHR) vendor is considered a BA if it provides “personal health records” to patients on your practice’s behalf. There is currently no standard definition of a personal health record, but the OCR provides some guidance. In many cases, you may have already established a BA agreement with such entities. If not, you must have these agreements in place.
Before passage of the HITECH Act, BAs would be liable for breach of contract only if they failed to meet an obligation of a BA agreement. However, the HITECH Act made BAs directly liable under HIPAA, meaning that a BA now has the same legal exposure as a covered entity and the government can enforce directly against the BA. The regulations also now require BAs to bind any subcontractor to a BA agreement. Moreover, those subcontractors are themselves directly liable under the law. In other words, each link in the chain is directly liable under the law, and each must bind any immediate subcontractor to a BA agreement. Make sure that you have the required agreements in place to comply with the law and that those agreements obligate your BAs to bind their subcontractors to a BA agreement. In addition, where possible avoid exercising too much control over the BA to avoid the law treating the BA as your agent.
Patient access to information
HIPAA established that patients have the right to access their PHI as well as control how information in their medical record can be changed.1 The new rules explicitly say that if you are using an EHR you must give the patient copies of electronic records if they ask for them. The regulations allow for a wide range of formats, such as PDF, HTML, MS Word, Excel, and text-based files. Unfortunately, not all EHRs make it easy to provide copies or excerpts. The law imposes this burden on all covered entities, which most family physicians are today.
Patients can also direct a physician in writing to transmit PHI to a third party. This is a long-standing policy in most practices when it comes to sharing information with other physicians or hospitals, although some practices mistakenly believe that HIPAA prevents such sharing without a written consent or authorization. Remember that no authorization or consent is required to share PHI with another party for purposes of treatment, payment, or operations of the practice. Your “Notice of Privacy Practices” should make that clear. The patient must provide prior authorization or consent in writing only if the information contains psychotherapeutic notes or is used for marketing or sale. The new standard pertains to disclosures made to other types of third parties, such as employers.
Under the new rules, it is entirely legitimate for a physician practice to charge the patient for the labor and materials (e.g., CDs, paper, or thumb drives) to produce the information requested. In addition, you can charge for postage if you have to send the information through the mail. Most state laws allow physicians to make a reasonable charge for copies of medical records, but you should consult your state society to determine the parameters of these laws in your state. It is also wise to train staff on dealing with these requests, especially on steps to take to ensure that the right person receives the right records.
Others’ access to information
For physicians who have wondered about their responsibilities to safeguard the privacy of a deceased patient’s PHI, the new rules establish that the privacy rule applies for 50 years after death. As to what the family is allowed to see after the patient dies, the rules establish that the practice must respect the patient’s wishes, regardless of whether the family member requesting information was paying for or was otherwise involved in the care. If the patient expressly told the practice not to show the information to a paying family member or says to show the information to someone otherwise uninvolved with the care or payment, then the practice must abide by the patient’s request. If the patient dies without providing directions of this sort, the default position is that family members involved in the care or payment for the patient can see the information while uninvolved family members cannot.
A new rule explicitly allows a physician to disclose proof of immunization to a school if the law requires it as part of a student’s admission. Written authorization is not required, but you still must obtain a verbal agreement from a parent, guardian, or the student if he or she is an adult or emancipated minor. As always, when the authorization is obtained verbally, the date, time, and name of the person to whom the authorization was provided should be entered in the record, to create an audit trail showing that you have followed the rules.
Finally, patients who choose to pay out of pocket for a health service rather than having a claim submitted to their health plan may dictate that their insurer not have access to information about the service. This is most common among patients with employer-sponsored health plans who do not want their employers to know about a medical condition. Patients may want to restrict health plans from having access to other data as well. Your practice should develop procedures to ensure that the appropriate staff are made aware of such requests, that restricted information is documented appropriately and flagged, and that payments are processed appropriately.