Healthcare Law News - Volume 23
BUSINESS ASSOCIATE AGREEMENTS AND THE FINAL HIPAA RULE
The final HIPAA Privacy, Security Enforcement and Breach Notification Rules become effective March 26, 2013. Compliance is required by September 23, 2013.
What does this mean for you?
- The definition of business associate (BA) is broadened to include health information organizations, electronic prescription gateways, or any other persons that provide data transmission services with respect to PHI to a covered entity. It also includes those offering a personal health record on behalf of a covered entity, and any subcontractor that creates, receives, maintains or transmits PHI on behalf of a BA. Finally, BA also includes entities that “maintain” PHI for any covered entity, including data storage companies (digital or hard copy). The only exception appears to be conduits such as courier services, FedEx, USPS (the Postal Service) and ISPs providing data transmission services only.
- BAs and their subcontractors are now directly liable for violations of the HIPAA Security Rule and disclosures, and this liability may flow upward to covered entities.
- BAs and subcontractors must now follow rules similar to those of covered entities, such as keeping records and submitting compliant reports to HHS, notifying a covered entity of a breach of unsecured PHI, making reasonable efforts to limit use and disclosure of PHI to the minimum necessary, providing an accounting of disclosures, and entering into BA agreements with subcontractors that comply with the final rule.
These requirements must be met by September 23, 2013, the compliance date. Existing BA agreements are grandfathered until September 22, 2014, but the use and disclosure portion of the rule is effective on the 2013 compliance date.
Our recommendations:
1. Covered entities should immediately determine if they share PHI with any of the entity types now determined to be business associates, including data storage vendors and all subcontractors. Once you discover these relationships, you must execute BA agreements with all identified entities.
2. Covered entities should also review their existing BA agreements for compliance with the new requirements.
3. Covered entities should require all existing BAs, and all newly discovered BAs and subcontractors to provide reasonable proof of their compliance with the final rule, and provide copies of compliant BA agreements.
4. Determine if all of your data storage and data transmissions are encrypted. If not, can they be encrypted? If such data is not to be encrypted, do you have adequate security in place and monitoring procedures to discover and minimize the effect of the improper loss of unencrypted data?
5. In case of a breach, do you have the ability to comply with HHS notification rules, and have a process and plan for notifications to affected individuals and the media?
6. Given the new requirements in the final rule which expands an individual’s rights to electronic PHI, have you integrated this into your notice of privacy procedures and your security and monitoring systems?
7. If you intend to impose a fee on individuals or others for a copy of PHI, including summaries or explanations of such information, have you determined what your cost for providing this information may be, since it must, under the rule, be “reasonable and cost based”?
RAC UPDATE
The Medicare Recovery Audit Program (RAC) released its fiscal year 2011 report on February 5, 2013. Hospitals should note that FY 2011 was the first year that RAC “actively” reviewed short-stay inpatient hospital admissions, and the report states that these admissions represent a substantial portion of the reported Medicare FFS error rate and overpayment collections.
Also of note are the statistics indicating that Medicare providers appeal only 6.7% of all claims deemed to be overpayments. However, of this 6.7%, 43.6% were overturned. Does this indicate that the appeal rate is too low?
DOCTOR BLABS TO PATIENT’S EMPLOYER
In a lawsuit filed in Northern Indiana Federal Court, Justin Reed claims that his doctor, Richard Rodarte, M.D., examined him, and then told his employer that he had a sexually transmitted disease, not a work related injury. Mr. Reed sued Dr. Rodarte for blabbing to his employer without authority, and claims that it is a violation of HIPAA, state privacy laws, and state defamation laws. Mr. Reed also claims Dr. Rodarte misdiagnosed his condition, but apparently has not made any claim specifically regarding the alleged misdiagnosis.
Dr. Rodarte tried to argue that this case should be heard under the Indiana Medical Malpractice Act, and should have to go to a medical review panel and be subject to damage caps.
Judge Moody ruled that Mr. Reed’s claims, if true, reveal a claim not covered under Medical Malpractice requirements or caps, and that Mr. Reed was free to proceed with his lawsuit against Dr. Rodarte.
SEQUESTRATION INFORMATION
Assuming the Federal Sequestration kicks in today as planned, the required 2% payment reduction to Medicare providers will be effective for services provided on and after April 1, according to an HHS spokesman.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians and health practices with contract matters, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call at (812) 402-1600 or e-mail pwallace@joneswallace.com if you have any questions about this newsletter or any other matter.