While Tuesday marks the effective date of a host of new federal privacy and security rules, including extending legal liability to business associates of healthcare providers and restoring a measure of patient control over disclosure of their records, compliance won't be required until six months later.
The rules, most of which are amendments to the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, were drafted by HHS under authorities given by health information technology provisions of the American Recovery and Reinvestment Act of 2009.
A 563-page “omnibus” privacy and security rule was released by HHS on Jan. 17, with an effective date of March 26.
For most aspects of the rule, however, the compliance deadline is not until Sept. 23, or 180 days after its effective date, said Angela Dinh Rose, director of health information management practice excellence with the Chicago-based American Health Information Management Association.
An exception to the general compliance deadline covers the portion of the rule on business associates, which are “probably the most cumbersome” part of the new rule as well, Dinh Rose said. “An organization can have hundreds of business associate agreements.”
The new rule expands HIPAA privacy and security rule coverage and direct liability for violations to business associates of HIPAA “covered entities.” Those contractors might include vendors of remote-hosted EHRs to office-based physicians or firms providing hospitals with clinical and financial data analytics. In addition to healthcare providers, HIPAA covered entities include claims clearinghouses and insurance plans.
If an organization had a HIPAA-compliant business associate agreement in place before the new rule's Jan. 25 official publication date in the Federal Register, and that contract doesn't have to be renewed between March 26 and Sept. 23, the parties are given a one-year grace period. That means they don't have to draft a contract and be compliant with the new rule until Sept. 23, 2014, Dinh Rose said.
But if a covered entity and a business associate did not have an agreement in place before Jan. 25 this year, they have to get a contract compliant with the new rule in place by Sept. 23, she said.
Another major change under the rule involves the policies and technologies needed to comply with a patient consent management provision. Under the ARRA, a patient who pays out-of-pocket for treatment can ask a provider not to share a record of that treatment with the patient's health insurance plan and providers must comply with that request.
“That's going to be an operational challenge and a system challenge,” Dinh Rose said. “You have to train your staff and make sure they are aware of things that can never go to their health plan, and the systems have to be able to comply with it as well.”
“Once you do get the systems up—let's say the system can do what needs to be done—there still is going to be an operational side” understanding what patients' rights are under the law and educating patients on what those rights are, she said.
While this provision of the law is fairly narrow—with mandatory non-disclosure covering only information exchange with the patient's insurance carrier—a trend toward more patient-centered care is growing, Dinh Rose said. “Consumers today are becoming more aggressive, so I think we're going to continue to see that advance as the years go on.”
Several private sector developers as well as the Veterans Affairs Department, the Substance Abuse and Mental Health Services Administration at HHS, the standards development organization Health Level 7 and others have come up with a software system capable of tagging entire patient records or pieces of them to block their exchange pursuant to this new rule as well as other federal and state privacy laws.
Whether electronic health records system vendors, electronic prescription networks and health information exchanges will be ready in time to meet the technical challenge of the new law remains to be seen.