The stringent requirements embedded in what is being called the “HIPAA Final Omnibus Rule”—a set of regulations published by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) on Jan. 25—are changing the ground rules for healthcare provider organizations across the U.S. when it comes to safeguarding protected health information (PHI). Those requirements extend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for economic and Clinical Health (HITECH) Act.
With compliance with the “Omnibus Rule” required by September 23, healthcare leaders have no time to waste when it comes to understanding and addressing the new requirements.
Recently, Kathryn Coburn, who is of counsel with the Los Altos, Calif.-based law firm of Cooke, Kobrick & Wu, LLP, spoke with HCI Editor-in-Chief Mark Hagland regarding this important topic. The Santa Monica-based Coburn has spent 30 years in healthcare law. Below are excerpts from that interview.
Let’s talk about patient privacy and security under the Omnibus Rule, and what provider executives need to do.
Yes, let’s talk about how covered entities can help their business associates implement what are called these “flow-down requirements.”
What do you think most CIOs don’t understand about the Final Omnibus Rule?
I hope they are aware of this, but they really need to be aware that when they contract or delegate or outsource to another company, and that company further outsources, that company will now have to have a written contract with their subcontractor. Theoretically, this was always the case. But CIOs may not understand that their subcontractors may be liable for up to $1.5 million for willfully ignoring the requirements, if the subcontractor just deliberately ignored the fact that they were required to secure that information and distributed information without HIPAA security. What the government is doing is actually protecting the information. And anybody who could be audited, would be liable. There aren’t any civil lawsuits under HIPAA, but if the government does an audit, and finds out the information isn’t being protected, they will levy penalties.
Another thing that I think is poorly understood is that if CIOs use templates for business associate agreements, they have to see what’s being added into the agreement, and see whether that business associate will be liable for notice of breach costs, or whether that business associate’s subcontractor is liable, or whether your won covered entity is liable; because over $2 billion was spent on notice of breach in 2012. In other words, the average cost of a breach notification is very high. I believe that the Ponemon Institute cited something like $250,000 per individual patient record breach. So when I’m talking about the $2 billion, I’m talking about what was spent last year on reported breaches.
So the first thing they should do is to take a look at whether or not they want to encrypt, and whether or not it’s worth it. Because with these large penalties from the government… the purpose was to encourage CIOs and CFOs to look at whether or not they were going to be able to encrypt, and to encourage them to encrypt, protected health information. In particular, I think they don’t understand how prevalent breaches are and how easy it is to lose a laptop, and to have breaches based on unencrypted health information on mobile devices.
So I would recommend that they first look at the cost of insurance for breaches, and at the cost of encryption. And they should also examine their business associate agreements to determine whether they are liable, their business associate organization is liable, or whether the subcontractor to their business associate, is liable. In other words, they need to know who is liable for providing notice of breach for unencrypted health information.
Next, let’s say that if they’re a hospital, hospitals and medical providers should be aware that one big change that came via the HITECH Act, and one that maybe most CIOs are not aware of, is that the individual has the right to request a restriction on the disclosure of any medical service for which they’ve paid out of pocket. And this can cause problems sometimes, because the hospital doesn’t really let the individual know that if they pay out of pocket, that the insurance company can probably still determine from additional tests that are made, what the diagnosis was. So they may have to pay for an entire panel of tests; and they may want to every test. They don’t realize it doesn’t apply to follow-up tests. And let’s say there’s an electronic prescription, that diagnosis could be released to the pharmacy, and they probably need to go to the pharmacy first and get it restricted there first. And if a patient asks for a restriction, that has to take place at the outset.
What is the most difficult element of this, when attorneys are called in to address a breach that has occurred?