Run over by the HIPAA bus?

Were you run over by the HIPAA bus yesterday?  The Omnibus final rule finally landed with a crunch last night.  If you check out #HIPAAbus, you'll see my notes from my blaze through with page numbers.  My notes are below.  I haven't actually read the rule, yet, just the commentary up through the start of the financial impact assessment (which I nearly always skip).  If you find federal regulation boring, skip to the fun stuff at the end of this post.

The new rule modifies the HIPAA Privacy & Security Rules to implement HITECH, strengthens privacy protections under GINA, makes other changes to simplify thing for regulated entities, and  modifies the Breach Notification Rule to address public comments.

The final rule is effective March 26, 2013; affected parties (covered entities and their business associates) must comply by September 22, 2013.  Existing BA contracts can remain in force until September 22, 2014 with certain provisions.  If modified sooner, those contracts must comply with new rules.  A 180-day period for compliance will become the norm for similar future regulation (unless exceptions are necessary).

Privacy and Security

Business Associates

• Business associates now include patient safety organizations.
• Health Information Organizations, e-Prescribing gateways, and PHR providers must be business associates. A PHR provider is only considered to be a BA with respect to covered entities on whose behalf they are providing services.  While requirements of a BA are contagious to other associates of a BA with respect to HIPAA, a covered entity need not have agreement with those associates.  
• It delegates responsibility for providing assurance with respect to HIPAA for other associates to the BA.
• BA's include entities that create, receive, maintain or transmit PHI on behalf of a covered entity.
• Business associates are subject to direct civil penalties with respect to enforcement.

Making life easier for Patients and Family

• Covered entities may disclose immunization status to schools with documented agreement by parent, without any signature being required.
• Family members & caregivers are permitted access to dead person's records unless that person's prior expression to contrary is known.
• Information about care paid for by patient can be restricted by that patient from sharing with payer or associates without any exception.  This is a right, not a request that can be denied.

ABBI Rules

There was a chunk of stuff starting around page 263 and ending around 277 that I found to be very enabling for the ABBI project.

• When an EHR is available, the individual has a right to an electronic copy be transmitted to the individuals designee.
• If the patient is notified about the risk of unencrypted e-mail to access PHI, and still wants e-mail, they have a right to it.
• The individual has a right to chose to designate a third party receiver (person or entity) to transmit PHI to.

Miscellany

A bunch of stuff popped out as being of some interest:

• Copiers and fax machines that transmit, may also store PHI, so the storage on them must be treated like any other PHI storage.
• If a covered entity is paid for marketing activities, it must a) have patient authorization, and b) let the patient they are getting paid for it, and c) let the patient opt out, even it the activity is with respect to treatment or operations.
• Persons who are dead for more than 50 years do not have protected health information, it's just health information.
• More flexibility given for how research authorizations can be combined with treatment authorizations.  Research authorizations need not be study specific any more, but must adequately describe purpose of use.
• There are many changes necessary to the Notice of Privacy Practices. Health plans can post these on their web site and include them in their next yearly mailing. Providers must prominently display and make copies available to patients onsite.

Into the Breach (Rule)

• The phrase "Low probability of breach" replaces "no significant risk of harm", keep practicing those risk assessments.
• We didn't know isn't an excuse if you should have known.
• If you want to look at how other covered entities and BA's handled a breach, Mickey Tripathi wrote a great post.  You'd think HHS could have put that link in themselves.
• Waiting until the last minute after a breach to notify patient may be considered an unreasonable delay. 60 days is the upper limit.
• "We retain § ____ in this final rule without modification" seems to be the preferred response on the Breach rule.

Genetic Information Nondiscrimination Act (GINA) Rules

• The use or disclosure of genetic data for underwriting purposes prohibited to health plans covered under HIPAA, except for Long Term Care, for which the jury is still out, so it is still allowed.
• GINA defines family member as dependent or 1st through 4th degree relatives (including by marriage or adoption). Do you know any of your 4th-degree relatives?  One of mine is famous.
• Data about disease manifestation in family members is genetic data.  If you have a disease, your children cannot be dinged for it.
• Underwriting means things like rules for eligibility or determination of benefits, premiums, cost sharing, exclusions for pre-existing conditions, and contract creation or renewal.

The fun Bits

• (Page 43) The US flag needs 6 more stars ;-) as DC, PR, Guam, Virgin Islands, American Samoa & Northern Mariana Islands are defined by the rule as states.
• (Page 44) My favorite change is the paragraph that describes the removal of a comma: (c.f., this tweet)

Overall, I don't find anything objectionable about what they did.  It's really about what they didn't manage to do - but I'll leave the missed opportunities for John Moehrke to write about.