We will attempt to give an overview of the revision to the HIPAA Privacy and Security regulations going into effect in 2013. I say attempt because the published regulations, comments and interpretive guidelines comprise 563 pages.
First the good news:
The new regulations legally go into effect on 3/26/13, but the actual compliance date is 9/23/13. That gives you six months to bring your practice into compliance. Now you might be thinking, "If that's the good news, what's the bad news?" Since you've asked, this is a major change to HIPAA that encompasses the HIPAA Privacy Rule, Security Rule, the HIPAA Breach Notification Rule, the HIPAA Enforcement Rule, and the Genetic Information Non-Discrimination Act.
Breach Notification Rule:
- Prior to 3/26/13, a breach is defined as a HIPAA Privacy Regulation violation and a significant risk of financial, reputational, or other harm to the individual.
- After 3/26/13, a breach will be defined as an acquisition, access, use, or disclosure that violates the HIPAA Privacy regulation.
- The only exception is when there is a low probability that the PHI has been compromised. It is your duty to demonstrate this, and neither "low probability" nor "compromised" is defined in the new regulations, which will make the "low probability" standard very difficult to meet.
- Every single situation involving a potential breach MUST be analyzed using a risk assessment.
- A breach does not include a PHI disclosure where you have a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably be able to retain the PHI.
- Providers have the burden of proof to demonstrate either that all notifications were provided to the people whose PHI was breached, or that an impermissible use or disclosure did not constitute a breach based on the risk assessment; the documentation of that risk analysis must be maintained.
- The 60 day notice trigger (by when you have to notify the person whose PHI may have been compromised) begins when the incident is first known and NOT when the investigation of the incident is complete.
- Providers MUST develop and document policies and procedures, train workforce members on the new Breach Notification Rules and impose sanctions for failure to comply with the new Breach Notification Rules.
- Even though the significant financial, reputational, or other harm has been removed from the Breach Notification rule, it is still part of the government's analysis to determine whether penalties will be assessed and to determine the level of fines and culpability.
HIPAA Privacy and Security Enforcement
The levels of enforcement have been clarified:
- If the provider did not know of the violation, and would not have known by exercising "due diligence", the penalty ranges from $100 to $50,000 per violation.
- If the violation is due to "reasonable cause", the fines range from $1000 to $50,000 per violation. "Reasonable cause" means any act or omission in which the provider or its Business Associate (BA) knew, or by exercising reasonable diligence would have known, that the act or omission would violate the HIPAA regulations, but the provider or the BA did not act with willful neglect.
- If the HIPAA violation is based on willful neglect but the violation is corrected within 30 days, the fines range from $10,000 to $50,000 per violation.
- If the HIPAA violation is based on willful neglect and is not corrected within 30 days, the fine will be no less than $50,000 per violation.
- The maximum fine per violation per calendar year is $1,500,000.
- The extent of the fine is based on numerous factors:
  - Financial, reputational, or other harm to the person/people whose PHI has been breached
  - Prior non-compliance with HIPAA regulations
  - Whether corrective actions were successfully implemented
  - The size of the provider and whether any fine would cripple the provider's ability to provide services
When I stated last week that the regulatory requirements on your practice will never be less than they are today, I meant it. We have six months to come into compliance with the new HIPAA regulations. As you see, the cost of non-compliance can be extreme.
When I consider what was said in last week's Chat and today, I begin to wonder... Is it possible for a practice to stay current with all the new compliance requirements and the many laws affecting your practice that seem to be arriving more frequently than ever? I am starting to think, not anymore. I truly believe that practices need help with their compliance requirements (and not just because it is what we do, but because if I had to worry about treating patients, documenting accurately, sending claims, collecting payments, paying bills, marketing to doctors, responding to audit requests, etc., etc., and had to figure out all of this compliance sh-tuff, I think I would go crazy). Coming to the realization that you might not be able to do this by yourself is the first step in becoming what we call confidently compliant.
So what to do?
- Now is the time to retain a compliance consultant as part of your team. Sure, we would like to help, but if you don't pick us, pick someone. This person or group should be able to run your compliance program, or can teach someone on your team how to do it. This is why we developed the Compliance Mastermind Program so that we can "teach you to fish."
- If you are not ready for this step (and I strongly encourage you to consider it), retain someone/us to perform the required HIPAA Risk Assessment.
- Sign up for our HIPAA Training webinar on this material.
- Retain us to be available to respond to your important compliance questions and concerns.