Some significant changes in HIPAA regulations that take effect Sept. 23 have spurred a flurry of activity at hospitals and their various related organizations.

Among the changes to the patient privacy law are: an expansion of the liability for selected vendors and subcontractors of organizations covered by HIPAA; tightened rules as to what constitutes a reportable breach of the law; and added requirements to update public patient-privacy rights reporting and train staff on the changes.

"It created quite a bit of work for us," says Susan Hannasch, vice president and chief compliance officer for Mercy health system in Chesterfield, Mo. "But they gave us several months to get it done. We are working on it and we are confident we will meet the deadline of Sept. 23," Hannasch says.

A big practical change for hospitals concerns the expanded liability of vendors — the technical term used is business associates — specifically those with access to protected health information. Those business associates will take on a direct liability under the new rules after previously having only indirect liability.

That new legal relationship between hospitals and their business associates requires revising agreements between the two, no small task given the myriad agreements signed by hospitals. "One of the biggest challenges is the need to update business associate agreements," says Elizabeth Warren, partner in the health care group for law firm Bass, Berry & Sims.

From a legal standpoint, the changes are not that complicated, Hannasch notes. "Revising it is not the hard part. Sending out the new forms, getting them signed and getting them back — that's the hard part," she says.

One of the ways the changes will affect hospitals operationally is in determining what constitutes a reportable breach of HIPAA. Now a patient health-related event is presumed to be reportable unless the affected HIPAA-covered entity can demonstrate it was not important enough to warrant reporting, Hannasch says. Previously, there was no such presumption. The changes mainly result from provisions of the health information technology section of the American Recovery and Reinvestment Act of 2009, a section known as HITECH.

Hannasch says she doesn't expect the new standards to affect Mercy because the system already places heavy emphasis on protecting privacy as a result of its general focus on preserving patient dignity. "I don't think we're going to see a dramatic change in the times we do notify," she says.

The technical revision to HIPAA requires changes to hospital policies and to patient processing. As of Sept. 23, patients can require that their insurer not be notified of a procedure or treatment if patients pay for the care themselves. "It doesn't come up very often," but necessitates significant staff education regarding the patient's new right to do that, Hannasch says.

All of the changes to HIPAA require that staff be educated and that public HIPAA notices be updated, with the old notices taken out of circulation. "We've told [our printer], 'don't print up any more of the former version,'" she says. "All of the inventory of notice of privacy practices … are going to have to be thrown away."

In general, complying with the new version of HIPAA takes on added urgency. Health & Human Services' enforcement agency — the Office for Civil Rights — continues to focus on hospitals and insurers, says Will Hinde, health care practice director for West Monroe Partners LLC, a consulting firm.

One of the more recent actions was announced in July. WellPoint agreed to pay $1.7 million following an OCR investigation of a possible HIPAA violation.