At the end of January the Department of Health and Human Services (HHS) issued final rules and guidance that amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as a final rule for the newer Health Information Technology for Economic and Clinical Health Act (HITECH). Both rules were highly anticipated as they deal with the privacy of patient information – a hot topic in the digital age. At the state level, governments have made patient privacy and cybersecurity top issues as they attempt to avoid high-profile breaches like what happened in Utah last year.
The rule changes are essentially meant to help the two laws work better together and account for changes in technology since HIPAA was originally passed in 1996. HIPAA has subsequently been amended to take into account new protocols for dealing with breaches of patient privacy, specifically the “minimum necessary standard” of privacy, which has always been somewhat vague for organizations tasked with compliance.
Under HIPAA, if a health care provider, health care plan, or a business associate of a covered entity uses or discloses protected health information (PHI), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make what the law calls a “reasonable effort” to limit the exposure of information and provide only the minimum necessary to service the request. If an entity covered under HIPAA violates this standard, it must report the breach and may be held liable for any damages.
HHS has changed the breach notification requirements to impose harsher consequences on HIPAA-covered organizations that suffer a breach. They have also expanded the definition of “business associate” covered under the law. Anyone deemed a business associate can also be held directly liable for breaches. The changes are designed to force organizations to pay closer attention to potential breaches and guard against them.
According to attorneys for Duane Morris who recently authored a client briefing on these changes, “along with all of the other new requirements in the 2013 Amendments, covered entities and business associates should ensure compliance with the minimum necessary standard set out in the HITECH Act of 2009. The minimum necessary standard generally requires a covered entity—and now, business associates—to make reasonable efforts to limit access to PHI to those persons who need access to PHI to carry out their duties, and to disclose only an amount of PHI reasonably necessary to achieve the purpose of any particular use or disclosure. While these requirements are broad, the 2013 Amendments also reinforce the preexisting rule that covered entities and business associates disclosing PHI in response to a request may reasonably rely on the requests as requesting the minimum necessary for the disclosure.”
The changes to the HITECH Act published by HHS around the same time harmonize the definition of business associate with HIPAA, and also create a clearer framework for overall business liability when the wrongdoing can be pinned directly on an individual. Specifically, an exemption that may have allowed the provider to avoid dealing with damages has now been closed.
Attorneys for law firm Paul Hastings note in their own client brief on HITECH that, “previously, while it was possible for a covered entity to be held vicariously liable for the improper acts of its business associate agents, there was an exemption if the covered entity did not know of the improper acts and if there was a business associate agreement in place between the parties. The Final Rule eliminates this exemption, such that now a covered entity can be held vicariously liable for violations of its business associate, as long as the business associate is considered an agent of the covered entity (and this is true of business associates and subcontractors as well). Whether someone is considered an agent is dependent on the federal common law of agency and involves a fact-specific analysis.”
There are other changes to both laws outlined in the links above, which also spell out changes to the harm standard, a standard that has largely been removed from both frameworks because HHS has said it felt the standard was preventing breaches from being reported. While these rule changes are still fairly new and not actually effective until next year, some states have already moved ahead on compliance for the federally mandated eligibility and claim status rule, the first operating rule in a series that will take effect between 2013 and 2016 under the new Operating Rules Administration certification program.
Mississippi and New Mexico announced compliance today. Xerox provided the technology used to achieve compliance in both states; its improvements to the states’ Medicaid Management Information Systems (MMIS) have simplified claims processing, making it easier for local citizens to receive – and providers to deliver – healthcare services.
Xerox provides a cloud-based Electronic Data Interchange (EDI) solution focused on improving the processing of Medicaid programs and records. Doctors, hospitals and others can use their own medical management systems to conduct eligibility and claim transactions in a secure online environment through the solution. This allows them to automate transactions and process claims faster and with fewer errors. The company enhanced its EDI solution in order to meet HIPAA guidelines.
“We’ve upgraded how we support our Medicaid recipients and their respective medical providers. We can now deliver better citizen service by decreasing claim denials, while reducing manual tasks and overall healthcare administration costs,” said Julie Weinberg, New Mexico’s Medicaid Director.
The remaining states have until January 1, 2013 to have operating systems in place.