Just when you thought you completely understood HIPAA, the American Recovery and Reinvestment Act (“the Stimulus Plan”) implements major revisions to HIPAA to improve the security and privacy of patient records. Because emergency medical service providers are covered entities pursuant to HIPAA, it is important to learn the new regulations. Fortunately, the new regulations do not represent a vast change in how most covered entities protect a patient’s protected health information (“PHI”). Following are several of the key amendments to HIPAA affecting emergency service providers.
Expanded requirements for “business associates” -- First, the Stimulus Plan expands the requirements of business associates for covered entities under HIPAA. The Stimulus Plan modifies the HIPAA Privacy Rule to include compliance by business associates of covered entities. As a result, business associates must protect the confidentiality of all PHI obtained while operating on behalf of a covered entity. Most covered entities, however, already require their business associates to safeguard PHI in this manner as part of a business associate agreement. In addition, business associates now have the same duty as a covered entity to report any known violations of the Privacy Rule by a covered entity with which they have a business associate agreement. The original rule only placed a duty on covered entities to report violations.
Added notice requirements for breach -- Next, the Stimulus Plan adds notice requirements for a “breach” in the release of PHI. Previously, a covered entity did not have to notify a party of an unwarranted release of PHI unless it determined that the notification was necessary to mitigate damages to the individual. Now, a covered entity must notify any individual whose PHI it reasonably believes has been disclosed in violation of the Privacy Rule. It is important to note that the unintentional acquisition or disclosure of PHI is not defined as a breach by the amendments.
The new regulations require that the notice be sent without unreasonable delay - no later than 60 days after the discovery of the breach - via first-class mail to the individual. In addition, the notice must state the date of the breach, the type of PHI disclosed due to the breach, the steps an individual must take to protect himself or herself as a result of the breach, and the steps the covered entity is taking to investigate the breach. Further, if the breach involves the release of the PHI of 500 or more individuals, notice must be provided to media outlets and the Department of Health and Human Services. The only exception to the notice requirement is for a breach due to a law enforcement disclosure of PHI. In the case of a law enforcement breach, the notification can be delayed if the notice would impede a criminal investigation.
Revised disclosure rules -- Finally, the Stimulus Plan alters the disclosure rules for the release of PHI by covered entities. Under the previous rule, a covered entity was not required to report the release of PHI if the release was for treatment, payment, or operational purposes. Under the new rule, a patient can prevent a covered entity from releasing PHI for payment and operational purposes. Thus, if a covered entity receives a request from a patient not to release his or her PHI, the entity can release the PHI for treatment purposes only.
The new regulations also alter the time period during which an individual can receive an accounting of the release of his or her PHI by a covered entity. Previously, an individual could receive an accounting for the release of PHI for a period of six (6) years prior to the date of the request. Releases for treatment, payment or operations, however, were exempt from the accounting. Now, an individual can only receive an accounting for the three (3)-year period preceding the date of the request. The new accounting, however, must include all releases including those made for treatment, payment, or operational purposes.
The Stimulus Plan makes substantial changes to HIPAA that improve the security and privacy of an individual’s health records. If you have any questions concerning the implementation of the new HIPAA regulations, please contact one of our attorneys at 630.682.0085.
Joseph Miller III is a partner with Ottosen Britz Kelly Cooper & Gilbert, Ltd. at the firm’s Naperville, Illinois office. Mr. Miller’s practice is concentrated in the areas of local government law and education law.