HIPAA Training

Find your training needs here and sample policies and procedures.

HIPAA 4 MT

New OCR Proposed Rule Available

The Office of Civil Rights has published the new Notice of Proposed Rule Making (NPRM) related to the changes in the HIPAA Privacy and Security rules impacted by the HITECH Act. You can read the proposed rule here:

OCR Proposes New Rule

The document is 234 pages, so it takes a while to read. On a cursory read of it, here are some of the things that appear to be coming with these changes:

Make the requirements under the privacy and security rules apply to business associates just as they presently apply to covered entities.

The definition of a business associate has been modified to include subcontractors. This will be a big impact for the medical transcription industry as it will now require independent contractors who work for medical transcription services to classify themselves as a business associate, with all of the responsibilities that go with that. It clearly defines that a subcontractor, or independent contractor, will be a business associate of the business associate. Under the proposed rule, patient safety organizations now are defined as business associates.

It will require that business associates obtain “satisfactory assurances” from subcontractors that they will comply with applicable requirements of the privacy and security rules. Existing contracts between business associates and subcontractors can be grandfathered for up to one year beyond the rule’s compliance date. OCR estimates 1.5 million business associates may have to bring subcontractors into compliance.

Requires notice of privacy practices to include a description of the uses and disclosures of protected health information that require an authorization.

Enable individuals to request restriction of disclosures of PHI, unless otherwise required by law, if the restriction applies solely to a service fully paid out-of-pocket.

Strengthen the right of individuals to obtain their electronic health records.

Cost of Implementation

With any proposed rule making, there is a requirement that there be a cost analysis. I find this fascinating as it requires a real understanding of the industry and a lot of “guesstimates” about what will be required. The biggest costs have been identified as covered entities making new Notices of Privacy Practices, which must be rewritten and distributed to patients, and the cost of amending business associate agreements and/or writing new agreements between a business associate and their subcontractors.

The cost of redoing the notice of privacy practices is estimated at $166.1 million. The report estimates that 71% of this cost will be in the private sector and the other 29% in the government or public sector. While that sounds extremely costly and impossible to grasp, the report goes on to break the cost down per covered entity, with an estimate of $168 per covered entity. When viewed individually, it does not seem unreasonable.

It’s important to note that the OCR does not have information on the cost of redoing contracts for business associates as they do not have the supporting data. While there is an estimate of 1,500,000 total business associates, no one really knows how many subcontractors each may have. That makes providing a cost estimate on this portion of the change something they are seeking information on.

How Long Will Compliance Take?

The OCR has prepared an estimated annualized burden table, which indicates what portion of the rules is referenced, the type of respondent, the number of respondents, average number of responses per respondent, average burden hours per response, and total burden hours.

This report estimates that there are 1,500,000 business associates, and allocates one hour per business associate to cover legal review of their revised business associate contract. That accounts for 1,500,000 hours of time spent to get this done. The estimated number of hours for revision of the Notice of Privacy Practices is 233,833, for an estimated 701,500 respondents. The time estimated to disseminate the new Notice of Privacy Practices for 200,000,000 patients is one hour per 100 patients, adding up to 2,000,000 hours. That makes the total estimated time 3,733,833 hours! Just in case you’re wondering, that equals 155,576 days, 31,115 weeks (based on a 5-day work week), or 598 years! Thankfully all of this isn’t being done by one person!

The OCR is proposing that an additional 12 months be given for full compliance, in addition to the six months they are currently allowed to give. This would give a total of 18 months for compliance with portions of the proposed rule.

Here’s my question. Does this change your plans for implementation? How do you foresee that these changes will impact your business?

HIPAA Policies and Social Media

A hospital in California will fire 5 employees and discipline another because they posted information about patients on social media sites.

An ongoing investigation at Tri-City Medical Center in Oceanside "has not yet identified any evidence that patient names, photographs, or similar identifying information was posted by these employees," according to a statement from Larry Anderson, CEO. "But our investigation yielded sufficient information to warrant disciplinary action."

A hospital spokesman declined to provide any further details. Under the HIPAA privacy rule, which was toughened by the HITECH Act, patients must give permission for their private information to be disclosed.

The California Department of Public Health is conducting an investigation of the incident, a spokesman confirmed June 8, declining to provide further details. The incident involved posting information on Facebook, according to a report by KNSD, the NBC TV affiliate in San Diego.

To help prevent similar incidents, Anderson said the hospital is "re-emphasizing, through employee training and education, the hospital's and the employees' ongoing commitment and obligation to protect our patients' privacy."

Social media does play an important role in marketing in today's world. It is important that you have a policy in place that identifies who can use social media sites and how it will be used. It is also beneficial to set up some searches for things you will track. This can easily be done in Google reader or on Twitter. Companies need to be aware of what their employees are putting on social media sites as well as what is being said about the company on these sites.

Incidents like the one above should be considered security threats and dealt with swiftly. Don't let your company be one who ends up in the middle of an investigation because your staff doesn't have guidance. Be sure the new world of social media is covered in your policies!

HIPAA Compliance and Portable Devices

The healthcare industry often uses portable devices for the storage and transmission of protected health information. I find it concerning that many of the people I speak with think that because they use a jump drive or an external hard drive to store patient information, they are compliant. It simply isn't true.

The HITECH Act now specifically says that information must be encrypted during transmission AND at rest. That means all of the patient information you are storing on any kind of portable device must also be encrypted. In the publication by OCR of breaches, you will find that a good many of them are the result of theft or loss of a laptop or jump drive.

In a recent conversation I had with a transcription service owner, who is a business associate and thus subject to these new laws, the response to the above information was "well, the customers don't care so I can't be responsible for it." If you read the laws, you realize this is not the case and that business associates are held to the same standards as the covered entity. In addition, you are responsible for the actions of your subcontractors. Simply "telling them to use an external drive for storage" doesn't relieve you of that responsibility.

Simply storing things on an external drive without encryption isn't good enough. Be sure you are not caught in this situation. If you are audited, it could mean monetary penalties and fines for you.

Think Before You Snoop


In the first HIPAA legal case against an individual, a former UCLA Medical Center researcher was sentenced on April 27 to four months in federal prison for looking at the confidential medical records of co-workers and celebrities such as Tom Hanks, Leonardo DiCaprio and Arnold Schwarzenegger.

This is certainly evidence that the government is going to take the enforcement of HIPAA violations seriously. In addition, because the new rules related to HIPAA and the HITECH Act hold individuals responsible, the responsibility for protecting patient information becomes even more crucial.

Be sure your systems have the ability to provide audit trails, and be sure those audit trails are periodically reviewed for unauthorized access.
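One way to turn that periodic review into something repeatable is a small script that reads the access audit trail and flags record accesses by users who have no treatment relationship with the patient, escalating when the patient is a co-worker or a flagged high-profile individual (the two patterns in the UCLA case above). The code below is an added example written for this post, not a tool from any vendor; the audit log format, the care-team export, and the employee and VIP patient lists are all constructed for illustration, and a real EHR audit log would need its own parser.

```python
"""Audit-trail review for unauthorized record access (added example).

Assumptions (all constructed for this example):
  - the EHR exports one audit line per access: timestamp, user, role, patient, action
  - a care-team export says which users have a treatment relationship with which patient
  - HR can supply the patient ids that belong to employees, and a VIP flag list exists
"""
from collections import defaultdict

# Constructed sample audit log lines; not real data.
SAMPLE_AUDIT_LOG = """\
2010-05-03T08:12:01 user=nurse_17 role=nurse patient=P1001 action=view
2010-05-03T08:15:44 user=dr_chen role=physician patient=P1001 action=update
2010-05-03T09:02:10 user=research_42 role=researcher patient=P2001 action=view
2010-05-03T09:03:55 user=research_42 role=researcher patient=P2002 action=view
2010-05-03T09:05:12 user=research_42 role=researcher patient=P3001 action=view
2010-05-03T11:30:00 user=nurse_17 role=nurse patient=P2002 action=view
"""

# Constructed care-team assignments: patient id -> users with a treatment relationship.
CARE_TEAM = {
    "P1001": {"nurse_17", "dr_chen"},
    "P2001": {"dr_chen"},
    "P2002": {"dr_chen"},
    "P3001": {"dr_chen", "nurse_17"},
}

# Constructed: patient ids that are also employees, and patients flagged as high-profile.
EMPLOYEE_PATIENTS = {"P2001"}
VIP_PATIENTS = {"P3001"}


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict; the timestamp is the first token."""
    timestamp, *pairs = line.split()
    record = {"timestamp": timestamp}
    for item in pairs:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-blank line of the audit log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review(records, care_team, employee_patients=(), vip_patients=()):
    """Flag each access where the user is not on the patient's care team.

    Severity is 'high' when the patient is an employee or a flagged VIP
    (the snooping patterns a reviewer most wants to see first), else 'medium'.
    Accesses by someone with a treatment relationship are not findings.
    """
    findings = []
    for rec in records:
        if rec["user"] in care_team.get(rec["patient"], set()):
            continue  # legitimate: user has a treatment relationship
        reasons = ["no treatment relationship"]
        severity = "medium"
        if rec["patient"] in employee_patients:
            reasons.append("patient is an employee")
            severity = "high"
        if rec["patient"] in vip_patients:
            reasons.append("flagged VIP patient")
            severity = "high"
        findings.append({
            "timestamp": rec["timestamp"],
            "user": rec["user"],
            "role": rec.get("role", "?"),
            "patient": rec["patient"],
            "action": rec.get("action", "?"),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def users_with_repeated_findings(findings, threshold=2):
    """Users who appear in at least `threshold` findings: a pattern, not a one-off."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["user"]] += 1
    return sorted(user for user, n in counts.items() if n >= threshold)


def run_review():
    """Run the review over the constructed sample log and return the findings."""
    return review(parse_log(SAMPLE_AUDIT_LOG), CARE_TEAM, EMPLOYEE_PATIENTS, VIP_PATIENTS)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f['severity']:6} {f['timestamp']} {f['user']} ({f['role']}) "
              f"{f['action']} {f['patient']}: {', '.join(f['reasons'])}")
    print("repeat offenders:", users_with_repeated_findings(results))
```

The useful output is not the individual lines but the repeat list at the end: one out-of-care-team access may be a float nurse covering a shift, while the same user touching several unrelated charts in a few minutes is what a reviewer should escalate. Whatever the real log format, the two inputs that make the review possible are the audit trail itself and an authoritative record of who is supposed to be treating whom; without the second, "unauthorized" cannot be decided from the log alone.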

Training of all staff is critical here. The researcher's defense is that he did not know this was a federal offense and that no reasonable person would have understood this. Training of staff so that they fully understand the consequences of their actions is critical in being able to show that you have met your responsibilities under the law.

The week of May 17-22 is Medical Transcriptionist Week, honoring those folks who play an important role in the delivery of healthcare documentation.

In honor of that week, we are offering a 10% discount on all HIPAA materials and training courses. The courses offer something for everyone, so take a look and get signed up for the one that best meets your needs. For employers, there is also a discount for groups of 10 or more.

This discount ends May 22, so don't delay and be sure you get signed up before it expires.
