The HIPAA final rule increases violation fees, clarifies regulations, and stresses encryption.
Those dreaded HIPAA rules have changed again. With enforcement getting stricter and fines rising, radiologists need to know how the rules will impact them, and what changes they need to make.
The final regulations, also known as the mega rule, modify HIPAA’s privacy, security, enforcement and breach notification rules. Issued by the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services in January, they go into effect March 26th.
“For most radiology providers, there’s nothing earth shattering, nothing fundamentally different, that we didn’t know was coming down the pike,” said Clinton Mikel, an attorney with the Health Law Partners in Michigan.
Still, “the sheer size and number of different changes are somewhat of a death by a thousand cuts.” He’s referring to the mega rule’s 563 pages of what he said are small changes and tweaks, requiring providers to update numerous forms, including authorization and privacy forms and the business associate agreement, plus change internal procedures and retrain affected staff members.
With the new mega rule, not much changes on a day-to-day basis for employed radiologists whose work involves only reading studies, charting, consulting with other physicians and potentially with patients.
“From that perspective, nothing has materially changed,” Mikel said. Once a radiologist steps outside that direct treatment realm, however, moving even slightly in an administrative direction, the rules take on new importance.
As an overview, Mikel said that the mega rule makes numerous revisions to the HIPAA privacy and security rules, increases monetary fees for HIPAA violations and strengthens the enforcement rule, clarifies and increases the regulation role over business associates and subcontractors, and significantly revises the breach notification rule.
One of the messages the mega rule sends out is that of increased enforcement. “The rule really underscores that the ramped up world of HIPAA enforcement is here to stay,” Mikel said. Beginning with the HITECH Act in 2009, the OCR has said and shown that they’re serious about enforcement, he added.
“From what we’ve seen from clients who have gone through the audit program, all the HIPAA rules are being looked at. Covered entities should be well versed in them, and not just have policies sitting on the shelf collecting dust, but a robust training program and operational knowledge of those who need to know,” he said.
Before the HITECH Act, said Mikel, HIPAA penalties were rarely levied. “Frankly they didn’t have much teeth,” he said, explaining that the HITECH Act changed the penalty structure to a tiered one, based on levels of culpability. Fines for the top level can hit $1.5 million.
It’s unknown exactly what triggers a statutory audit, said Mikel. “We can posit that if you’ve had numerous reportable breaches [of personal health information, or PHI] or complaints against you, you’re going to be at a higher risk for an audit, but there’s no formal guidance on that. We’ve seen folks that have never had a complaint, who aren’t the biggest fish in the pond and never had a data breach, get audited as well,” he said.
He explained that the OCR website has a sampling of enforcement actions they’ve taken and penalties handed down. “It’s a little bit scary if you’re a provider,” he said. While many of the examples cited are big players (Alaska Medicaid hit for $1.7 million, an insurance company for $1.5 million), “if you dig deep, that’s just not the case. In April 2012 they hit a cardiology provider with a $100,000 [fine], which is very significant.”
In addition to the fine, he said, if a practice is properly fighting or challenging the enforcement result, or proactively engaging legal counsel, there would be additional direct legal costs and administrative burdens. “For every hour the lawyer spends, the practice manager probably spends two to three hours,” he said.
The biggest stumbling block for providers, Mikel said, has been the security rule, a set of administrative, physical and technical safeguards over PHI. “What it says is that you as a radiology provider have to assess every facet of your business and you have to look at where you get protected health information, where you store it, how you use it, who has access, and how it’s protected,” Mikel said.
In terms of security, encryption is a big issue. “They still have not come out and said encryption is mandatory for laptops or portable media like USB flash drives, but given the draconian fines that have come out associated with losing unencrypted laptops, thumb drives and hard drives, and the continued evolution, it’s still not mandatory, but it’s highly, highly recommended,” Mikel said.
Where to get information? How to proceed?
Mikel said that during a recent American Bar Association webinar about the HIPAA changes, the OCR’s Susan McAndrew said they’re intending to give guidance in the months before mandatory implementation. “It will probably be quite substantive,” he said.
As for other information sources, Mikel said that administrators should be consulting with someone well versed in the new HIPAA rules, like a health law attorney. “It’s our job to have fully digested the rules and consult with folks to see how it’s going to affect their practices,” he said.
Medical practices will need to change many of their existing written policies and authorizations. He said that the OCR’s sample business associate agreement has been updated to comply with the HIPAA mega rule. “Aside from that, I really don’t think you’re going to see any further samples out of the OCR. They’ve never put out an official sample of anything else.”
Other notices are tailored for the individual covered entity, he said. “It’s alerting patients to their HIPAA rights, what they’re allowed to do, and what you’re obligated to do as a provider,” said Mikel. “But they want that to be individualized, to talk about some of the uses and disclosures in your practice or hospital.”
There are thousands of sample forms online, he added, though “your mileage will vary.” “The HIPAA rules are extremely technical and all of these required forms and patient authorizations have numerous technical requirements.” Stock HIPAA compliance kits with forms still need individualization. “Even if the kit is correct in most aspects, when you get to that tailoring, you’re doing it on your own,” he said. “It’s easy to tweak something that may not seem substantive, but it can actually make you run afoul of a requirement.”
How much work is this?
How much work is this going to be for the administrators? “A whole lot more than the rule says,” said Mikel. Administrators should work with someone to assess what changes need to be made to the office forms, policies and procedures. The mega rule estimated that an attorney would charge $28 to update the Notice of Privacy Practices (20 minutes at $84/hour). “If you look at their estimated costs, it’s a complete joke,” Mikel said.
In addition to assessing the impact of the rules on your practice, you then have to make the necessary changes, such as altering forms and new patient packets. You’ll also need to train everyone whose job functions are affected by the changes.
While the rules go into effect March 26, providers have until September 23, 2013, before compliance is mandatory. “That’s not a long time,” Mikel said, suggesting that medical providers proactively get prepared.