The long wait for the HIPAA
omnibus file rule is over and has real implications for adopters of EHR systems and facilitators of health information exchange
(HIE). Last night, the Office of Civil Rights (OCR) in conjunction with the Department of Health & Human Services (HHS) issued modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules to accommodate technological developments as well as to balance rules and regulations pertaining covered entities and the Health Information Technology for Economic and Clinical Health Act (HITECH).
“This final rule is needed to strengthen and expand the privacy and security protections for individuals’ health information and privacy rights established under the HIPAA,” state the authors of the final rule, “These enhancements are necessary to ensure continued adequate protections for health information, as well as trust in the health care system, particularly as the adoption and use of electronic health records increases.”
Of particular importance to healthcare organizations and providers are changes that address business associates, breach notifications, and patient access to health information.
Determining whether an organization is a business associate or a conduit depends on the access they have to protected health information (PHI) provided to them by a covered entity. According to the final rule, “such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.” In light of this clarification, two classes of business associates have emerged:
(1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and
(2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.
Perhaps more importantly, the nature of a business associate is understood by activities not contracts:
The final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.
Healthcare organizations and providers, therefore, have some leeway when it comes to the use of cloud-based services depending on the interaction the latter have with the information, the caveat being that making them a business associate carries with it an array of stipulations under HIPAA.
One such stipulation surrounds breach notifications. Now defined as a business associate, HIEs and other health information organizations (HIO) must understand their role in notifying individuals affected by a health data breach. As the authors of the final rule explain, “when multiple covered entities participate in electronic health information exchange and there is a breach of unsecured protected health information at a Health Information Organization (HIO), the obligation to notify individuals of the breach falls to the covered entities.”
HIE stakeholders can expect additional guidance from the OCR and HHS going forward although no particular timeline has been made available as of yet.
Finally, the HIPAA omnibus final rule provides clarification about making PHI available to patients in an electronic form upon request:
Section 13405(e) of the HITECH Act
strengthens the Privacy Rule’s right of access with respect to covered entities that use or maintain an electronic health record (EHR) on an individual. Section 13405(e) provides that when a covered entity uses or maintains an EHR with respect to protected health information of an individual, the individual shall have a right to obtain from the covered entity a copy of such information in an electronic format and the individual may direct the covered entity to transmit such copy directly to the individual’s designee, provided that any such choice is clear, conspicuous, and specific. Section 13405(e) also provides that any fee imposed by the covered entity for providing such an electronic copy shall not be greater than the entity’s labor costs in responding to the request for the copy.
The OCR and HHS provide examples of how this patient access could play out and the liabilities that could come with it. On the one hand, an organization to which an individual has given permission to a covered entity to provide PHI is not “offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data.” On the other hand, an organization hired by a covered entity “to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees” is considered a business associate.
More coverage about the HIPAA omnibus rule is available on HealthITSecurity.com