April 2013 Almanac


Reimbursement Page

This expansion provides greater protection for a patient’s PHI. Why? Because under the HITECH Act, BAs were required to comply directly with the HIPAA standards, which include both the privacy and security statutes. That requirement is now finalized with the publication of the Omnibus Rule. In essence, your BAs must comply with the same rules as you, including the breach notification guidelines, instead of merely following the rules informally as a business practice, and they are directly liable for any violation of the HIPAA rules.

If a breach involves more than 500 people, you must notify HHS immediately, and the breach notification information will be posted on the HHS website. The Omnibus Rule also changed how the BA is to interact with the covered entity through the creation of contracts or business associate agreements (BAAs). BAs are required to provide you with breach notifications and to give you access to PHI in an electronic format. BAs also must disclose PHI to HHS to demonstrate compliance with HIPAA and must be able to provide an accounting of all disclosures of PHI. The final rule also modified the required content of a BAA. Because there is a grandfathering period, you have until Sept. 23, 2014, or until the current agreement expires (whichever comes first), to review and amend your BAAs. Any BAA created on or after Jan. 25, 2013, must meet the new requirements, or be amended to meet them, by Sept. 23, 2013.


Building Your BAAs

If you don’t have agreements with your BAs, now is the time to create them. A sample business associate agreement is available on the OCR website, www.hhs.gov/ocr. Consider including the following items in your amended or new agreements:

• First, include a section that allows you to verify that the BA is in compliance with the HIPAA security and privacy regulations. This means they should have administrative, physical, and technical safeguards in place.

• Second, ensure the BA will report all breaches to you in a timely manner, and that these notifications will be done in a standard format. The information you should request when breaches are reported includes contact information for those affected; a detailed account of the breach, including what was breached; and any steps the BA is taking to ensure the breach doesn’t recur. Include a request for any information you may require when you have to report the breach, because it is your responsibility, not the BA’s, to make the notifications.

• Third, if a BA uses any subcontractors, ensure the subcontractors agree to the same restrictions and conditions you apply to the BA.

These are some sample items to consider addressing within your BAAs; be sure you create agreements that are specific to your needs. Most importantly, make sure the BAA doesn’t impose any unnecessary burdens or liabilities on you or your BA.

Breaches of PHI and Breach Notifications

The final Omnibus Rule did not change the breach notification requirements established by HITECH. A covered entity is still required to notify the patient, in a timely manner, when an unsecured breach of PHI has been discovered.

A breach is considered “discovered” on the date the covered entity learns of the breach, not on the date the breach occurred. A “timely manner” is considered to be no later than 60 days after the discovery. The notification must be in writing. If a breach involves more than 500 people, you must notify HHS immediately, and the breach notification information will be posted on the HHS website. You also must notify the media, and notify patients in writing. Finally, you must keep a record/log of all breaches that occur during the year and submit a copy to HHS no later than 60 days after the end of the year.

What the final Omnibus Rule did change was the definition of a breach, and consequently when a breach must be reported and the patient notified. Under HITECH, a breach occurred when it was demonstrated that unsecured PHI was accessed, used, or disclosed by an unauthorized individual and that the unsecured PHI had the potential to harm the patient in any way—the “risk of harm” standard. Now, the “risk of harm” standard has been removed. There is a presumption that any unauthorized use, disclosure, or access of a patient’s PHI is a breach, unless a covered entity or a covered entity’s business associate can demonstrate that there is a low probability that the PHI has been compromised. To determine whether a breach occurred, or whether there is a low probability that the PHI has been compromised, and whether notification is required, you must conduct a risk analysis. The Omnibus Rule provides you with four factors, or questions, that must be part of your risk analysis, but you may include more if you choose; these could include questions you created as part of your risk of harm analysis under HITECH.

Whether you use additional factors or stick with the four provided by the final rule, the key is to appoint an individual who will be responsible for conducting the investigation of breaches and the risk analysis, and to ensure the results are thorough, fact-based, and well-documented.
