Wednesday, August 28, 2013

The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule Summary

The federal government has published its long awaited final regulations implementing the “Health Information Technology for Economic and Clinical Health (HITECH) Act,” enacted as part of the “American Recovery and Reinvestment Act of 2009” (ARRA), described by the head of the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” In general, the new rules expand the obligations of physicians and other health care providers to protect patients’ protected health information (PHI), extend these obligations to a host of other individuals and companies who, as “business associates,” have access to PHI, and increase the penalties for violations of any of these obligations. The American Medical Association (AMA) will be publishing more detailed guidance concerning the impact of these rules on physicians. The following outlines the changes physicians will need to consider as they implement the new HIPAA requirements necessary by the September 23, 2013, compliance date.
There are three areas that physicians will need to focus on to comply with the new rules:

- Privacy, Security, and Breach Notification policies and procedures (and in some cases, new workflows and forms);
- Notice of Privacy Practices (NPP); and
- Business Associate (BA) Agreements.
The following summary provides a helpful overview of the steps physicians will need to take in each of these areas to meet the new requirements. Physicians also should be familiar with their state patient privacy and confidentiality laws, which may be more stringent than HIPAA.
Privacy and Security Policies and Procedures

The new rules will likely require changes to a physician practice’s HIPAA policies and procedures in at least the following areas:
Breach notification requirements

The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the new rules. Breaches are now presumed reportable unless, after completing a risk analysis applying four factors, it is determined that there is a “low probability of PHI compromise.” Physicians must consider all of the following four factors:

- the nature and extent of the PHI involved; issues to be considered include the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
- the person who obtained the unauthorized access and whether that person has an independent obligation to protect the confidentiality of the information;
- whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
- the extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.

This rebuttable presumption of breach and four-factor assessment of the “risk of PHI compromise” replaces the previous, more subjective “significant risk of financial, reputational, or other harm” analysis for establishing a breach. The new rules further clarify that there is no need to have an independent entity conduct the risk assessment and indeed, no risk assessment need be conducted at all if the breach notification is made (although physicians will want to undertake an appropriate review and steps to mitigate the harm and reduce the likelihood of future breaches in any case). The new rules further confirm that the breach notification requirement may be delegated to a BA, and physicians are encouraged to coordinate with their BAs so that patients receive only one notification of the breach. The new rules do not modify the actual reporting and timeframe requirements for Breach Notification; that is, covered entities must still adhere to requirements for individual notification, HHS notification, and where applicable media posting of the
Disclosures to health plans

At the patient’s request, physicians may not disclose information about care the patient has paid for out of pocket to health plans, unless for treatment purposes or in the rare event the disclosure is required by law. This change updates the previous HIPAA Privacy Rule governing patient requests for restrictions on the use or disclosure of their PHI. Previously, physicians could refuse to abide by any such request; the new rule requires physicians and other health care providers to abide by a patient’s request not to disclose PHI to a health plan for those services for which the patient has paid out-of-pocket and requests the restriction. Of all the changes made by the new rules, this change is likely to have the greatest impact on physician practice workflow, both in terms of documentation and follow-up to ensure the restriction is adhered to.
Marketing communications

The new rules further limit the circumstances when physicians may provide marketing communications to their patients in the absence of the patient’s written authorization. Generally speaking, the only time a physician may tell a patient about a third party’s product or service without the patient’s written authorization is when: 1) the physician receives no compensation for the communication; 2) the communication is face-to-face; 3) the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit); 4) the communication involves general health promotion, rather than the promotion of a specific product or service; or 5) the communication involves government or government-sponsored programs. Physicians are also still permitted to give patients promotional gifts of nominal value (e.g., a pamphlet).
Sale of PHI

The new rules clarify that the prohibition on the sale of PHI in the absence of the patient’s written authorization extends to licenses or lease agreements, and to the receipt of financial or in-kind benefits. It also includes disclosures in conjunction with research if the remuneration received includes any profit margin. On the other hand, the prohibition on PHI sales does not extend to permitted disclosures for payment or treatment, nor to permitted disclosures to patients or their designees in exchange for a reasonable cost-based fee.

Childhood immunizations

Under the new rules, physicians may disclose immunizations to schools required to obtain proof of immunization prior to admitting the student, so long as the physicians have and document the patient’s or patient’s legal representative’s “informal agreement” to the disclosure.

The new rules allow physicians to make relevant disclosures to a deceased patient’s family and friends under essentially the same circumstances in which such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the physician is unaware of any expressed preference to the contrary. The new rule also eliminates any HIPAA protection for PHI 50 years after a patient’s death.
Copies of e-PHI

Physicians will now have only 30 days to respond to a patient’s written request for his or her PHI, with one 30-day extension, regardless of where the records are kept (eliminating the longer 60-day timeframe for records maintained offsite). They must provide access to EHR and other electronic records in the electronic form and format requested by the individual if the records are “readily reproducible” in that format. Otherwise, they must provide the records in another mutually agreeable electronic format. Hard copies are permitted only when the individual rejects all readily reproducible e-formats.
Emailing PHI

Physicians must also consider transmission security, and may send PHI in unencrypted emails only if the requesting individual is advised of the risk and still requests that form of transmission.
Charging for copies of e-PHI or PHI

The new rules modify the costs that may be charged to the individual for copies to include labor costs (potentially including skilled technical labor costs for extracting electronic PHI) and supply costs if the patient requests a paper copy or, if electronic, the cost of any portable media (such as a USB memory stick or a CD), assuming state law does not set a lower reimbursement rate. The rules also clarify that physicians may impose a separate charge for creating an affidavit of completeness.
Research authorizations

The new rules permit physicians to combine conditioned and unconditioned authorizations for research participation, provided individuals can opt in to the unconditioned research activity. Moreover, these authorizations may encompass future research.
Notice of Privacy Practices (NPP)

Physicians must amend their NPPs to reflect the changes set forth above, including those related to breach notification, disclosures to health plans, and marketing and sale of PHI. To the extent physicians engage in fundraising, they will also have to amend their NPP to inform patients of their right to opt out of those communications. As the rules presume these are all material changes, physicians will have to post the revised NPP, and make copies available at their office, to all new patients and to anyone else on request. Physicians who maintain a website are cautioned to post the updated NPP on their website as required by the existing HIPAA Privacy Rule. The new rules also eliminate requirements to include information on communications concerning appointment reminders, treatment alternatives, or health benefits or services in NPPs, but the rules do not require that that information be removed.

Business Associates (BAs)

The new rules expand the universe of individuals and companies that must be treated as business associates to include Patient Safety Organizations and others involved in patient safety activities, health information organizations like e-prescribing gateways or health information exchanges that transmit and maintain PHI, and personal health record vendors physicians sponsor for their patients. Thus, physicians must review their relationships and determine if they must enter new BA agreements with these entities or others that create, receive, store, maintain, or transmit PHI on their behalf.
These rules also modify the requirements for BA agreements:

- Physicians no longer must report failures of their BAs to the government when termination of the agreement is not feasible, as HHS has concluded that the BA’s direct liability for these violations is sufficient.
- BAs are now responsible for their subcontractors.
- BAs must comply with the Security and Breach Notification Rules.
- Physicians are liable for the actions of their BAs who are agents, but not for the actions of those BAs that are independent contractors.

Physicians have until September 23, 2014, to bring all their BA agreements into conformance with the new rules. BA agreements that have not been renewed or modified between March 26, 2013, and September 23, 2013, will be deemed compliant until the date the BA agreement is renewed or modified or until September 22, 2014, whichever is earlier.
Enforcement and Penalties

The new rules clarify the four penalty tiers as follows:

- Lowest tier: cases in which the physician did not and reasonably could not know of the breach.
- Intermediate tier: cases in which the physician “knew, or by exercising reasonable diligence would have known” of the violation, but the physician did not act with willful neglect.
- Highest tiers: cases in which the physician “acted with willful neglect” and either corrected the problem within the 30-day cure period, or failed to make a timely
HHS must conduct a formal investigation and impose civil monetary penalties in cases involving willful neglect, and is now free to provide PHI to other government agencies for t activities. The assessment of penalties must be based on five principal factors: (1) the nature and extent of the violation, including the number of individuals affected; (2) the nature and extent of the harm resulting from the violation, including reputational harm; (3) the history and extent of prior compliance; (4) the financial condition of the covered entity or business associate; and (5) such other matters as justice may require. The number of violations may be based on the number of individuals affected or by the number of days of

The rule further clarifies that the 30-day cure period begins when the physician knew or should have known of the violation.
Other Changes

The new rules also make changes that will likely affect physicians, but only indirectly. The most sweeping is the expansion of the obligations of BAs to include both direct liability under most of the HIPAA Privacy and Security Rules, and the obligation to enforce these rules with respect to their subcontractors. The new rules also implement the Genetic Information Nondiscrimination Act (GINA), which generally prohibits health plans from using genetic information for underwriting purposes.
Next Steps

With the potential for $1.5 million fines, not to mention serious reputational injury, these new rules must be taken seriously. Clearly, physicians will need to develop a plan to make these required changes in a timely fashion. The AMA will provide more specific guidance with respect to each of these three areas, including sample NPP and BA agreements.
The information contained herein is general in nature and is based on authorities that are subject to change. It is not intended as legal advice provided by the American Medical Association and should not be relied upon as a substitute for legal advice or opinion. This material may not be applicable to, or suitable for, the specific circumstances or needs of the reader, and may require additional consideration of other factors not described herein.

Tuesday, August 27, 2013

New HIPAA rules start to have impact on September 23, 2013

The final Omnibus Rule becomes effective on March 26, 2013. Covered entities and Business Associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions (September 23, 2013).

The federal Department of Health and Human Services, in response to a law passed by Congress in 2009, announced modifications to the famous HIPAA rules. As you may know, HIPAA (the Health Insurance Portability and Accountability Act) was passed by Congress under President Clinton. However, the regulations that put HIPAA into action were issued several years later under President Bush. Part of the HIPAA law dealt with privacy of medical records, with the focus on emergence of easily sharable electronic records.
The HIPAA confidentiality rules which resulted from that focus often seemed frustrating. They blocked distribution of personal medical information to strangers, and they also made it difficult to share personal medical information with spouses and family members. The biggest contradiction in the regulations, some feel, is that personal medical information can be freely shared within a medical group and its contractors, but cannot be shared by the patient’s family without written consent.
The updated regulations were first announced to the public in 2010, were subject to public comment and revisions, and were finalized as of March 26, 2013. Those affected by the new rules were given 180 days to comply, which means the new rules start to have impact on September 23, 2013. What are the new enhancements to the HIPAA rules? Among other things, the new rules:
1. Expand confidentiality requirements to cover “business associates” of the medical providers and health plans. This would include, for instance, companies that handle claims processing and medical billing and law firms that represent hospitals and nursing homes. Adding these entities, which may have access to your medical records, protects seniors (and others) from these back-channel privacy breaches.
2. Limit ways in which your private medical information can be used for marketing purposes, can be used for fundraising purposes, or can be sold. If a care provider wants to market products to you, wants to solicit you for charitable contributions or plans to sell your data, you must be informed in advance and must have the option to opt out of receiving those communications.
3. Require that when your medical records are kept in electronic format by the care provider, you can request a copy in electronic format. If you want a copy on a USB drive or a disk, you must provide the drive or disk or must pay the care provider for that unit. This should, however, make it faster and easier to obtain copies of your medical records.
4. Grant you the right, when you pay cash for a medical procedure, to forbid your care provider from sharing information about the medical procedure with your health insurance plan. If you want to keep a treatment confidential, you have that right if you pay in cash.
As has been true for a decade, you should have a legally binding HIPAA authorization as part of your Advance Medical Directives. Talk to your elder law attorney to be sure that your Medical Power of Attorney properly addresses HIPAA concerns. After the new rules take effect, you have additional rights that you can exercise when appropriate.

Thursday, April 5, 2012

Tricare to close online mental health program

By Patricia Kime - Staff writer – ARMY TIMES - Posted : Saturday Mar 31, 2012 9:54:58 EDT
The Tricare Assistance Program for behavioral health counseling is being shut down due to lack of use, Tricare officials said Friday.  The $3 million demonstration program, launched in August 2009, was designed to test use of Web-based video conferencing for mental health counseling.
The instant messaging and Web-based chat program facilitated communications with patients and counselors on non-medical concerns ranging from deployment anxiety and work stress to family and relationship issues.
The program logged 5,109 calls during a two-year period, with 89 percent coming from the Tricare West region, according to Tricare spokesman Austin Camacho.
Only 1,188 were initial calls, while the rest were follow-ups, he added.
“The termination of TRIAP in March 2012 will not cause a void in the availability of non-medical counseling services for service members and their families. Military OneSource offers a robust and popular employee-assistance program model of nonmedical-counseling service,” Camacho said.
He added the services provided by Military OneSource are similar to TRIAP, offering confidential, anonymous counseling. Tricare also offers telemental health services for beneficiaries in certain circumstances.
“The demonstration’s goal of improving beneficiary access to mental health care by incorporating Web-based video technology has not been reached and has been deemed highly inefficient to operate financially,” Camacho said.
Military OneSource can be reached at 800-342-9657.  The program offers eligible service members and beneficiaries up to 12 sessions per issue at no cost. Patients who need additional counseling are referred to medical facilities.

Monday, October 17, 2011

Professional LLCs Must Register with IDFPR

January 13, 2011
State of Illinois

Professional LLCs Must Register with State
Registration of health care groups will expand patient protections
SPRINGFIELD To better protect consumers faced with problems in dealing with their health care providers, Limited Liability Companies (LLCs) formed by licensed health care and other professionals will now be required to register with the Illinois Department of Financial and Professional Regulation, Division of Professional Regulation (IDFPR).  Medical and Professional Service Corporations have long been required to register with IDFPR, and this law expands that requirement to cover LLCs established by licensed professions, including doctors and dentists. 
The purpose of registration is to provide information to consumers as well as assist the Department in its enforcement activities. Registration provides basic information about the LLC and most importantly discloses the licensee(s) responsible for the operation of the LLC.  Patients dealing with the LLC for billing, scheduling and other business related activities can seek assistance from IDFPR if they have problems not directly related to the work of a licensed professional.  This registration requirement establishes a new level of regulatory oversight to make sure health care consumers receive the same protection regardless of how their provider’s practice is structured. 
Applications for registration of limited liability companies are now available. The application packets contain detailed instructions and other information which can be viewed and printed at  The initial registration fee is $50 and the annual renewal fee is $40.  Applications are required to be submitted by existing limited liability companies as well as new entities just forming with the Illinois Secretary of State. 
All LLCs are expected to be licensed within 90 days and the department will begin enforcement for failure to be licensed on that date.

Friday, June 24, 2011

Deadline Missed for TRICARE LCPC Independent Practice Rule

Deadline Missed for TRICARE LMHC Independent Practice Rule

Washington, DC – June 24, 2011 – The National Defense Authorization Act for fiscal year 2011, signed in January 2011, directed the Department of Defense (DoD) to adopt regulations allowing licensed mental health counselors (LMHCs) to practice independently under the TRICARE program. The Act gave DoD until June 20th of this week to issue rules implementing the requirement, but DoD has now missed the deadline, making it impossible to implement the directive. Presently, we are hearing uncertain estimates of when the rule may be released, ranging from six to 18 months.

AMHCA has led LMHCs in encouraging the DoD to adopt regulations implementing the rule, which will make it easier for beneficiaries to gain access to needed care. However, we have also called on DoD to adopt more inclusive regulations that will recognize a wider array of qualified LMHCs than a recently adopted standard set in a separate VA administrative procedure.

AMHCA will continue to work with the DoD to ensure the regulations are more inclusive than the VA LMHC eligibility standard, and AMHCA is closely monitoring the agency's activity on this matter. For more information or if you have questions, contact James Finley, AMHCA's director of public policy, at

Thursday, June 23, 2011

Illinois Human Services Budget

Dear Illinois Partners:

We have some important updates from the meeting this morning of the Human Services Commission.  Jerry Stermer from Governor Quinn's office assured us that the Governor intends to sign the FY12 budget that was passed by the Illinois General Assembly (HB3717) by June 30th.  In addition, Secretary Saddler of the Department of Human Services confirmed that new contracts will be sent to providers sometime next week.  Thanks to the advocacy of Illinois Partners, these contracts will be temporary, covering 4 months, to allow time for continued discussion and negotiation around any additional changes DHS intends to make for the remainder of FY12. 

It is critical to note that the FY12 DHS budget has been reduced by $668 million from FY11, a 17.2% total reduction.  To review the reductions by specific line items, take a look at the information on our website.  Secretary Saddler stated this morning that the DHS contracts issued next week will be issued at 31.67% of the full FY12 appropriation.  There is an understanding that there is a disconnect between the statutory requirements facing state agencies and the corresponding appropriations levels passed by the General Assembly.  While there is hope for revenue to come in at a higher level than what the FY12 budget is based on, there is real uncertainty.  The Human Services Commission requested follow-up reports from the various state agencies once the FY12 budget has been signed by the Governor and decisions about implementing the FY12 budget have been made. 
Please stay tuned, as we learn more details about the FY12 budget, we will contact you.  Thank you again for all that you do!

Judith Gethner, Director
Illinois Partners for Human Service
Quality Services. Adequate Funding. Measurable Results.
312-906-2364 (p); 847-863-0040 (c)