
CPM Provider Newsletter Digest - Feb 2013


Page 1: CPM Provider Newsletter Digest - Feb 2013

Volume 9, Issue 02
February 2013

INSIDE THIS ISSUE:
• Are You a BA? (page 4)
• Sample BA Agreement (page 8)
• HIPAA/HITECH Final Rule (page 13)
• Final Rule at a Glance (page 21)
• Sample Privacy Notice (page 22)
• The Lighter Side (page 30)

The New 2013 HIPAA/HITECH Rules — How Do They Affect You?

HIPAA Gets Tougher on Providers

New privacy regulations mean practices face more legal scrutiny and higher fines in case of an information breach

A revised set of federal privacy rules is expected to have a significant impact on the way providers run their practices.

Revised privacy notices will need to be displayed in prominent areas of doctors’ offices and on practices’ websites. Patients will be able to ask for copies of their electronic health records or restrict the information given to health plans if they self-pay for services. And perhaps most important, practices might be subject to serious fines if any of their business associates cause security breaches.

On Jan. 17, the Dept. of Health and Human Services issued a final omnibus rule to strengthen the patient privacy protections established by the Health Insurance Portability and Accountability Act of 1996. The rules not only expand the individual rights of patients but also tighten federal breach notification requirements under the Health Information Technology for Economic and Clinical Health Act of 2009. The result is that provider practices potentially face more legal scrutiny by the federal government as well as new administrative burdens, said Robert Tennant, senior policy adviser with MGMA-ACMPE, the medical practice management association.

Under the new privacy rules, doctors now must assume the worst-case scenario in the event of a possible

Continued...

How to prepare for new HIPAA requirements

Provider practices have until Sept. 23 to become compliant with a final set of federal privacy rules. Robert Tennant, senior policy adviser with the medical practice management association MGMA-ACMPE, said the new requirements on breach notifications and patients’ rights mean practices should:

• Conduct a thorough security risk assessment on all activities related to capturing, using, storing or transmitting electronic patient health information.

• Develop comprehensive breach avoidance and notification procedures. For example, if it’s typical for doctors to take laptops home or bring them on hospital rounds, one solution would be to encrypt data.

• Examine and redesign workflow to handle the new requirements. For example, if a practice has an electronic health records system, patients can ask for copies of their medical records in electronic formats of their choosing. If the practice cannot readily produce a record that way, it must offer another electronic format or a hard copy if that format is rejected.

Page 2: CPM Provider Newsletter Digest - Feb 2013

From Page 1

privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients. This raised concerns from privacy advocates that practices shouldn’t have the discretion to determine these matters. The new rules eliminate that standard and replace it with a stricter one. Now any incident involving patient records is assumed to be a breach, and unless a practice conducts a risk assessment that proves a low probability that any protected information was compromised, the breach must be reported. Tennant said the new standard will result in many more official reports of breaches, as well as additional work and costs to provider practices.

A Closer Look at Business Associates

HIPAA typically has focused on health care professionals, health plans and other entities that process health insurance claims. But because some of the largest security breaches have involved business associates of plans, doctors and other professionals, HHS said it was extending many of the law’s requirements to these entities, as well as their subcontractors.

For providers, a business associate may be any firm that handles patient data, such as a storage provider, a shredding company or a benchmarking firm that measures provider performance. With contractors becoming as fully liable as everyone else affected by HIPAA, providers’ offices are going to take on additional legal responsibilities as well, Tennant said. For example, if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice also is subject to enforcement violations caused by that business associate, he said.

“To make matters even more challenging, there are significant potential fines associated with these violations, upwards of $1 million-plus for particularly egregious cases,” Tennant said.

The days of getting a slap on the wrist for a privacy breach are over, he added. “There’s now the potential that the government will be more aggressive in enforcing this.”

Deborah C. Peel, MD, chair of advocacy group Patient Privacy Rights, however, said past fines had been too low and that raising them would help strengthen needed patient protections. The new $1.5 million maximum fine per calendar year for violations is still too low for many corporations, “but it’s better than $25,000 a year,” Dr. Peel said.

There may be some relationships with business associates where the increased risk for liability won’t apply, said Patricia Wagner, an attorney at Washington law firm Epstein, Becker & Green PC, who specializes in privacy issues. An example of this is an accreditation agency, which “can’t be an agent of the entity they’re surveying because they’re supposed to be independent.” Still, doctors will need to spend a lot of time examining all of the contracts they have with various business associates to see if any need restructuring to reduce their own liability risk, she said.

Continued ...

Page 2 February 2013 CPM Provider Newsletter Digest

Page 3: CPM Provider Newsletter Digest - Feb 2013

From Page 2

Practices with limited time to tackle this could prioritize the relationships they’re most worried about, Wagner said. These may be the ones that handle the most patient health information or the firms the practice isn’t as familiar with.

Although the rules specify Sept. 23 as the compliance date for the new regulations, health care professionals have an extra year to revise existing business associate agreements to become compliant.

Notices of privacy need revising

Providers will need to revise their notices of privacy practices to explain their relationships with business associates and their new status under the final rule.

They also will need to explain the breach notification process, Tennant said. There are new stipulations on where these revised notices must be placed in providers’ offices.

“You have to put it in a prominent area and make it available for patients if they wish to review or keep a copy,” or on the practice’s website, he said. While it doesn’t need to be reissued to current patients, the revised notices must be given to all new patients.

This actually offers a good opportunity for a practice to review its notice for any needed updates, Tennant said. Many practices haven’t revised these documents since HIPAA’s original privacy regulations came out in 2003. “They may have changed to an electronic health record, or have contracts with health information exchange organizations. They may be involved in an accountable care organization.”

MGMA-ACMPE has asked that practices receive more time beyond September to meet all of the new requirements.

Other stakeholders said additional clarification is needed on language relating to patient requests.

Patients, for example, can ask providers’ offices to transmit their health information to third parties, such as family members, but such requests must be in writing, said Shari Erickson, vice president of governmental and regulatory affairs with the American College of Physicians. This creates an obligation on the part of the providers’ offices to collect information on all of these types of third-party requests. The penalty for noncompliance remains unclear.

It’s also not clear which vendors will support the provision that patients can have electronic access to their medical records, Erickson said. She suggested that practices follow up with vendors directly.

While they include important data security protections, the rules in other areas don’t necessarily guarantee that certain new requirements will be followed, Dr. Peel said. She cited the provision that patients can restrict health data given to plans if they pay out of pocket for drugs or services. “HHS did not require segmentation technologies so that [patient health information] can be protected and selectively shared. Instead, the information should be ‘flagged’ so only the ‘minimum necessary’ information is disclosed,” she said.

The success of the rules is going to depend on whether contracts between covered entities are enforced, Dr. Peel said. “Contracts do not enforce themselves any more than laws do. Therefore, most enforcement of the rule depends on inside whistle-blowers.”

Page 4: CPM Provider Newsletter Digest - Feb 2013

Are You a BA? If So, Your Responsibilities Under HIPAA, Have Really Changed!

The Health Insurance Portability and Accountability Act (HIPAA) omnibus regulations released January 17, 2013, by the U.S. Department of Health and Human Services (HHS) have significant ramifications for Business Associates and the sub-contractors of Business Associates, including implementing changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH). Some of the most sweeping changes directly affect Business Associates and their subcontractors.

Who Is a Business Associate?

The final rule affirms that individuals and entities that are not part of a covered entity’s workforce and that engage in activities such as:
• claims processing or administration;
• data analysis, processing or administration;
• utilization review;
• quality assurance;
• billing;
• benefit management;
• practice management;
• re-pricing; and
• document shredding.
The above continue to be Business Associates.

The final rule amends the definition of a “business associate” to mean a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity. The final rule also adds a new category of services, patient safety activities, to the list of functions and activities a person or entity may undertake on behalf of a covered entity that give rise to a business associate relationship. Three categories of service providers are specifically identified as business associates under the final rule:

• Health information organizations, e-prescribing gateways, and other people or entities that provide data transmission services to a covered entity with respect to protected health information and that require access on a routine basis to such protected health information

• People or entities that offer personal health records to one or more individuals on behalf of a covered entity

• Subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates

The addition of subcontractors means that all requirements and obligations that apply to direct contract business associates of a covered entity also apply to all downstream service providers. Covered entities are going to start asking for proof of HIPAA compliance before they will do business with business associates, and this will extend to the subcontractors of these business associates. What will drive this is the healthcare law firms advising their clients, the covered entities, to amend their BA agreements to provide for the "right to audit" or some other means of checking on their business associates’ and sub-contractors’ ongoing compliance. A lot of healthcare providers are asking to see policies and procedures before entering into an agreement

Continued ...

Page 5: CPM Provider Newsletter Digest - Feb 2013

From page 4

with a potential Business Associate. Covered Entities are asking for the right to review books and records, and other things such as SAS No. 70 results, to ensure they’re a trusted vendor. This has become a must as Covered Entities are now “on the hook” if the BA drops the ball, even though the BA is directly liable under the HIPAA privacy and security rules for impermissible uses and disclosures of protected health information (PHI), failure to provide breach notification to the covered entity, failure to disclose PHI as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of PHI, failure to disclose PHI to the Secretary of HHS to investigate or determine the business associate’s compliance with the rules, failure to comply with minimum necessary standards, failure to enter into business associate agreements with subcontractors that create or receive a covered entity’s PHI on its behalf, failure to provide an accounting of disclosures and failure to comply with the electronic security requirements. Although there is direct enforcement authority, business associate agreements are still necessary to address other requirements under the HIPAA privacy and security rules, and business associates/subcontractors remain contractually liable under those business associate/subcontractor agreements.

Vicarious Liability for Covered Entities and Business Associates

The final rule adds a vicarious liability component to covered entities and business associates. Covered entities are liable under the final rule for violations resulting from the acts or omissions of a business associate if that business associate is an agent of the covered entity and the business associate is acting within the scope of that agency arrangement. Similarly, a business associate is liable for violations resulting from the acts or omissions of a subcontractor if that subcontractor is an agent of the business associate and the subcontractor is acting within the scope of that agency arrangement. In making its determination whether there is an agency relationship, HHS’s Office for Civil Rights (OCR) will apply federal common law. The preamble to the final rule indicates that OCR will look at the business associate agreement and the totality of the facts and circumstances surrounding the relationship. The key indicator in determining whether an agency relationship exists is the right or authority of the covered entity to control the business associate’s conduct in the course of performing a service for the covered entity. For example, if the only way to control the actions of a business associate is through a contract that sets the terms and conditions of the provision of services, and the only way to direct the business associate is to amend the contract or sue for breach of contract, then the business associate generally would not be an agent of the covered entity. This same analysis would apply in analyzing the relationship between a business associate and subcontractor. When evaluating whether an act or omission is within the “scope of the agency,” OCR will consider such factors as the time, place and purpose of the agent’s conduct; whether the agent engaged in a course of conduct subject to the covered entity or business associate’s control; whether a business associate or subcontractor agent’s conduct is commonly done by the business associate or subcontractor to accomplish the service on behalf of the covered entity or business associate; and whether the covered entity or business associate reasonably expected that the business associate or subcontractor

Continued...

Page 6: CPM Provider Newsletter Digest - Feb 2013

From page 5

agent would engage in the conduct in question. Labeling the parties as independent contractors in the agreement will not trump OCR’s agency analysis.

Next Steps

• Business associates and subcontractors will need HIPAA compliant privacy and security policies and procedures. We also recommend applicable forms, such as a HIPAA compliant authorization form.

• In new relationships between a covered entity and a business associate, both parties must execute a HIPAA compliant business associate agreement. For existing relationships with compliant business associate agreements in place prior to January 25, 2013, the agreements should be amended in accordance with the final rule.

• In new relationships between a subsidiary and a business associate, both parties must execute a HIPAA compliant agreement. For existing relationships with agreements in place prior to January 25, 2013, that satisfy current business associate agreement requirements, the agreements should be amended in accordance with the final rule.

• We also suggest keeping in mind the agency law analysis and vicarious liability when drafting or revising business associate and subcontractor agreements.

Increased Liability for Business Associates and Subcontractors

Business Associates and their subcontractors are now directly liable for violations of the HIPAA Security Rule and for uses and disclosures of PHI in violation of the HIPAA Privacy Rule. A covered entity is liable, in accordance with the Federal common law of agency, for civil monetary penalties based on the act or omission of any of its agents, including its business associates, acting within the scope of the agency. Similarly, a Business Associate is liable for civil monetary penalties for violations based on the act or omission of any agent of the Business Associate, including subcontractors, acting within the scope of the agency. Business Associates (and subcontractors) also now have these additional responsibilities under the new omnibus final rule:

1. Keep records and submit compliance reports to HHS when HHS requires such disclosure to determine whether a covered entity or business associate is complying with HIPAA,

2. Disclose PHI as needed by a covered entity to respond to an individual's request for an electronic copy of his or her PHI,

3. Notify the covered entity of a breach of unsecured PHI,

4. Make reasonable efforts to limit use and disclosure of PHI and requests for PHI to the minimum necessary,

5. Provide an accounting of disclosures, and

6. Enter into business associate agreements with subcontractors that comply with the HIPAA Privacy and Security Rules.

Covered entities must determine if they share PHI with any of the types of entities that have now been deemed to be Business Associates, including cloud vendors and other data storage companies. If a

Continued...

Page 7: CPM Provider Newsletter Digest - Feb 2013

From page 6

Covered Entity discovers such relationships, it must then execute BAAs with those identified entities. Covered entities must also review their existing BAAs for compliance with the new requirements for such agreements. Business Associates will need to identify which of their subcontractors create, receive, maintain or transmit PHI on behalf of the Business Associate and enter into appropriate BAAs with those companies. Given the increased liability imposed by the omnibus final rule, all participants in a given BAA chain should review the legal risks related to PHI, including compliance and contracting strategies.

The final rule codifies which provisions of the privacy and security rules apply to business associates as prescribed by the HITECH Act. Notably, the HITECH Act statutorily imposed direct liability on business associates for failure to comply with HIPAA. Business associates may face civil monetary penalties, and in some cases criminal penalties, for failure to comply or for the failure of their agents, including subcontractors, to comply with the following obligations:

• Meeting all requirements of the security rule, including administering administrative, physical and technical safeguards, such as:
    • Conducting risk analyses;
    • Designating a security official;
    • Implementing required security policies and procedures;
    • Implementing technical security measures and facility access controls;
    • Conducting security awareness and training programs for all staff, including management; and
    • Adopting a contingency plan.

• Adhering to the following privacy rule obligations:
    • Limiting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAA;
    • Limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary;
    • Providing an accounting of disclosures;
    • Providing access to its covered entity or to the individual who is the subject of the PHI to PHI kept in a designated record set;
    • Providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations; and
    • Entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates.

• Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA.

• Providing a breach notification to its covered entity upon discovering a privacy or security “breach,” as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred.

Page 8: CPM Provider Newsletter Digest - Feb 2013

Business Associate Agreement Provisions

Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions.

Definitions

Catch-all definition:

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific definitions:

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Business Associate].

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].

(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

Obligations and Activities of Business Associate

Business Associate agrees to:

(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

(c) Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;

[The parties may wish to add additional specificity regarding the breach notification obligations of the business associate, such as a stricter timeframe for the business associate to report a potential breach to the covered entity and/or whether the business associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the covered entity.]

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;

(e) Make available protected health information in a designated record set to the [Choose either “covered entity” or “individual or the individual’s designee”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;

Continued...

Page 9: CPM Provider Newsletter Digest - Feb 2013

From page 8

[The parties may wish to add additional specificity regarding how the business associate will respond to a request for access that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to provide the requested access or whether the business associate will forward the individual’s request to the covered entity to fulfill) and the timeframe for the business associate to provide the information to the covered entity.]

(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;

[The parties may wish to add additional specificity regarding how the business associate will respond to a request for amendment that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to act on the request for amendment or whether the business associate will forward the individual’s request to the covered entity) and the timeframe for the business associate to incorporate any amendments to the information in the designated record set.]

(g) Maintain and make available the information required to provide an accounting of disclosures to the [Choose either “covered entity” or “individual”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;

[The parties may wish to add additional specificity regarding how the business associate will respond to a request for an accounting of disclosures that the business associate receives directly from the individual (such as whether and in what time and manner the business associate is to provide the accounting of disclosures to the individual or whether the business associate will forward the request to the covered entity) and the timeframe for the business associate to provide information to the covered entity.]

(h) To the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and

(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Permitted Uses and Disclosures by Business Associate

(a) Business associate may only use or disclose protected health information

[Option 1 – Provide a specific list of permissible purposes.]

[Option 2 – Reference an underlying service agreement, such as “as necessary to perform the services set forth in Service Agreement.”]

[In addition to other permissible purposes, the parties should specify whether the business associate is authorized to use protected health information to de-

Continued...

Page 10: CPM Provider Newsletter Digest - Feb 2013

covered entity’s minimum necessary policies and procedures.]

(d) Business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by covered entity [if the Agreement permits the business associate to use or disclose protected health information for its own management and administration and legal responsibilities or for data aggregation services as set forth in optional provisions (e), (f), or (g) below, then add “, except for the specific uses and disclosures set forth below.”]

(e) [Optional] Business associate may use protected health information for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate.

(f) [Optional] Business associate may disclose protected health information for the proper management and administration of business associate or to carry out the legal responsibilities of the business associate, provided the disclosures are required by law, or business associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies business associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(g) [Optional] Business associate may provide data aggregation services relating to the health care operations of the covered entity.

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

(a) [Optional] Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.

(b) [Optional] Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information.

(c) [Optional] Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information.

Continued...

Page 10 February 2013 CPM Provider Newsletter Digest

Business Associate Agreement Provisions

-identified information.]

(b) Business associate may use or disclose protected health information as required by law.

(c) Business associate agrees to make uses and disclosures and requests for protected health information

[Option 1] consistent with covered entity’s minimum necessary policies and procedures.

[Option 2] subject to the following minimum necessary requirements: [Include specific minimum necessary provisions that are consistent with the From page 9

Permissible Requests by Covered Entity

[Optional] Covered entity shall not request business associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by covered entity. [Include an exception if the business associate will use or disclose protected health information for, and the agreement includes provisions for, data aggregation or management and administration and legal responsibilities of the business associate.]

Term and Termination

(a) Term. The Term of this Agreement shall be effective as of [Insert effective date], and shall terminate on [Insert termination date or event] or on the date covered entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

(b) Termination for Cause. Business associate authorizes termination of this Agreement by covered entity, if covered entity determines business associate has violated a material term of the Agreement [and business associate has not cured the breach or ended the violation within the time specified by covered entity]. [Bracketed language may be added if the covered entity wishes to provide the business associate with an opportunity to cure a violation or breach of the contract before termination for cause.]

(c) Obligations of Business Associate Upon Termination.

[Option 1 – if the business associate is to return or destroy all protected health information upon termination of the agreement]

Upon termination of this Agreement for any reason, business associate shall return to covered entity [or, if agreed to by covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form. Business associate shall retain no copies of the protected health information.

[Option 2—if the agreement authorizes the business associate to use or disclose protected health information for its own management and administration or to carry out its legal responsibilities and the business associate needs to retain protected health information for such purposes after termination of the agreement]

Upon termination of this Agreement for any reason, business associate, with respect to protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, shall:

1. Retain only that protected health information which is necessary for business associate to continue its proper management and administration or to carry out its legal responsibilities;

2. Return to covered entity [or, if agreed to by covered entity, destroy] the remaining protected health information that the business associate still maintains in any form;

3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as business associate retains the protected health information;

4. Not use or disclose the protected health information retained by business associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at [Insert section number related to paragraphs (e) and (f) above under “Permitted Uses and Disclosures By Business Associate”] which applied prior to termination; and

5. Return to covered entity [or, if agreed to by covered entity, destroy] the protected health information retained by business associate when it is no longer needed by business associate for its proper management and administration or to carry out its legal responsibilities.

6. [The agreement also could provide that the business associate will transmit the protected health information to another business associate of the covered entity at termination, and/or could add terms regarding a business associate’s obligations to obtain or ensure the destruction of protected health information created, received, or maintained by subcontractors.]

(d) Survival. The obligations of business associate under this Section shall survive the termination of this Agreement.

Miscellaneous [Optional]

(a) [Optional] Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

(b) [Optional] Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

(c) [Optional] Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

Sample Language

This is only sample language and use of these sample provisions is not required for compliance with the HIPAA Rules. The language may be changed to more accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor. In addition, these or similar provisions may be incorporated into an agreement for the provision of services between a covered entity and business associate or business associate and subcontractor, or they may be incorporated into a separate business associate agreement. These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract. This document includes sample business associate agreement provisions to help covered entities and business associates more easily comply with the business associate contract requirements. While these sample provisions are written for the purposes of the contract between a covered entity and its business associate, the language may be adapted for purposes of the contract between a business associate and subcontractor.


enacted as part of the American Recovery and Reinvestment Act of 2009. The 2013 Amendments are effective as of March 26, 2013, and compliance with applicable requirements generally must be made within 180 days, by September 23, 2013 (with important exceptions for existing business associate arrangements). Significant penalties apply for non-compliance.

The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information ("PHI"); a higher threshold for determining whether a breach has occurred for reporting purposes; and restrictions on "marketing" activities and the "sale" of PHI. Business associates are now directly subject to HIPAA with respect to the Security Rule. The 2013 Amendments also implement the Genetic Information Nondiscrimination Act of 2008 ("GINA") by including genetic information in the HIPAA definition of health information and by prohibiting health insurance issuers from using such information for underwriting purposes. Finally, covered entities must issue new notices of privacy practices to comply with the amended HIPAA Rules. Overall, these changes will have a profound effect on healthcare providers, plans, individuals, entrepreneurs, investors and advertisers, as well as many others that support the healthcare industry, such as entities that analyze, create, maintain or use healthcare data. HHS states that industry-wide costs

for first-year compliance will range from $115 million to $225 million, but industry analysts anticipate real costs to be exponentially higher. Below, is a brief summary of the key provisions and changes contained in the 2013 Amendments. I. Expansion of Rule's Application: Definition of Business Associate A. INCLUSION OF SUBCONTRACTORS

The 2013 Amendments significantly expand the definition of a "business associate"—and thereby the application of HIPAA—to include subcontractors of business associates (and their subcontractors) that create, receive, maintain or transmit PHI in performing a function, activity or service delegated by the business associate to a subcontractor. A covered entity must obtain satisfactory assurances in the form of a written contract or other arrangement from each business associate, and each business associate in turn must do the same with regard to each subcontractor that handles PHI on its behalf, and so on—no matter how far "down the chain" the PHI flows. Disclosures of PHI by a business associate and its business associate subcontractors for its own management and administration or legal Continued ...

T he federal Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR"), has issued the long-

anticipated final omnibus amendments (the "2013 Amendments") to the Privacy, Security, Breach Notification and Enforcement Rules (the "HIPAA Rules") under the Health Insurance Portability and Accountability Act ("HIPAA"), as directed pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act,

February 2013 CPM Provider Newsletter Digest Page 13

Page 14: CPM Provider Newsletter Digest - Feb 2013

associate agreement or contract does not exempt a person from the definition of business associate and thereby HIPAA's requirements; rather, the applicable facts and circumstances control. B. INCLUSION OF HEALTH INFORMATION ORGANIZATIONS, VENDORS OF PERSONAL HEALTH RECORDS AND OTHERS THAT FACILITATE DATA TRANSMISSION Also included in the definition of a business associate are entities that create, receive, maintain or transmit PHI through electronic means, such as health information organizations ("HIOs"); vendors of personal health records; and others that facilitate data transmission. As HHS explains, the business associate definition now applies to an entity that "maintains" PHI (in addition to creating, receiving or transmitting it)—i.e., an entity that accesses PHI "on a routine basis." There is an exception for a "conduit" of PHI, i.e., an entity that provides mere courier or transmission services (in digital or hard form). Only an "opportunity to access" PHI is needed to implicate HIPAA, and the key is whether the opportunity is "transient" as opposed to "persistent." Specifically, HHS noted that entities which "manage" the exchange of PHI through a network, including oversight or governance functions for the electronic HIO, fall within the purview of HIPAA because they have more than random access to PHI. Whether or not they view PHI is not key. HHS stated that this area is evolving

and that additional guidance will be provided in the future, as the areas of healthcare information technology and exchanges develop. C. COMPLIANCE DEADLINES FOR BUSINESS ASSOCIATE COMPLIANCE Covered entities and business associates (including their subcontractors) must ensure compliance, including by entering into written agreements, by September 26, 2013. There is an exception for covered entities and business associates (including their subcontractors) that had preexisting business associate agreements prior to January 25, 2013. In such cases, if the agreement is not renewed or modified prior to September 23, 2013, then the parties are deemed compliant until the earlier of the date that the agreement is renewed or modified, or September 24, 2014. II. Modified Breach Standard and Notification Rule A. BREACH

The 2013 Amendments make significant changes to the current Interim Final Breach Notification Rule that was published in August 2009 and to date has guided covered entities and business associates with respect to breaches. The most dramatic change concerns the definition of the term "breach." Under the current Continued ...

responsibilities, however, do not create a business associate relationship with the recipient of the PHI because such disclosures are made outside of the entity's role as a business associate. Furthermore, covered entities are not required to enter into a contract or other arrangement directly with a HIPAA-covered subcontractor of a business associate. Notably, the 2013 Amendments also make some technical revisions to the HIPAA Rules to clarify that failing to enter into a business

February 2013 CPM Provider Newsletter Digest Page 14

From page 13

Page 15: CPM Provider Newsletter Digest - Feb 2013

orized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated. If the risk assessment evaluation fails to demonstrate there is a low probability that any PHI has been compromised, breach notification is required. Certain exceptions to the definition of a breach continue to apply. B. NOTIFICATION

In the case of a breach, the 2013 Amendments require covered entities to notify each affected individual whose unsecured PHI has been compromised. Even if such breach is caused by a business associate, the covered entity is ultimately responsible for providing the notification (although the covered entity is free to delegate the breach response function to the business associate). Moreover, a business associate's, as well as the workforce member's, knowledge of a breach will be imputed onto a covered entity. If the breach involves more than 500 persons, OCR must be notified in accordance with instructions posted on its website.

The HIPAA-covered entity bears the ultimate burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach and must maintain supporting documentation, including documentation pertaining to the risk assessment. III. Marketing The 2013 Amendments substantially modify the definition of marketing to require an authorization from an individual for the receipt of certain marketing materials for treatment or operations purposes. This modification will significantly impact third parties who wish to market their products or services through covered entities.

Marketing broadly applies to any communications about a product or service that encourages a recipient to purchase or use the product or service. Under the 2013 Amendments, exceptions to the definition of marketing communications include any communication that is made: (1) to provide refill reminders or information regarding a drug that is currently being prescribed, as long as any financial remuneration received by the covered entity is "reasonably related" to the cost related to the marketing; (2) regarding the product or service of a third party for certain treatment or operations purposes, except where financial remuneration is involved. The kinds of communications covered by this provision include those offered to an Continued ...

interim rule, a "breach" is defined as an inappropriate use or disclosure of PHI involving a significant risk of financial, reputational or other harm. The 2013 Amendments modify this definition by providing that an impermissible use or disclosure of PHI is presumed to be a breach, unless it can be demonstrated that there is a low probability that PHI has been compromised based upon a four-part risk assessment that considers: (1) the nature and extent of the PHI involved in the breach; (2) the unauth-

February 2013 CPM Provider Newsletter Digest Page 15

From page 14

I f the breach involves more than 500 persons, OCR must be notified in

accordance with instructions posted on its website.

Page 16: CPM Provider Newsletter Digest - Feb 2013

In other words, the definition of marketing now includes communications issued by a covered entity or business associate regarding a treatment- or operations-related product or service offered by a third party and the third party has compensated the covered entity or business associate for the communication. In these situations, an individual's authorization that covers subsidized communications is required. It is important to note there are key exceptions to the authorization requirement—i.e., when the covered entity makes the communication face-to-face or the communication consists of a promotional gift of nominal value. IV. Security Rule The HIPAA Security Rule applies to electronic PHI (ePHI) that is created, received, maintained or transmitted by a covered entity. Pursuant to HITECH, the 2013 Amendments expand the application of the Security Rule to business associates (that now are defined to include subcontractors of business

associates that handle PHI for or on behalf of business associates). This means that business associates must comply with all of the Security Rule's applicable administrative safeguards (security management procedures, training, etc.); physical safeguards (workstation security, device and media controls, etc.); and technical safeguards (audit controls, transmission security, etc.). Business associates, including their subcontractors that handle PHI, must enter into agreements that require the business associates to comply with the Security Rule. Significantly, a downstream business associate (or a business associate subcontractor) must notify the upstream entity of any security incident or breach under the breach notification rules. V. Amendments to the Authorization Requirements A. SALE OF PHI

The 2013 Amendments provide a general prohibition on any disclosure in exchange for remuneration (i.e., a sale) of any PHI by a covered entity or by a business associate without an authorization from the individual for such disclosure. Additionally, the authorization must state that such disclosure will result in remuneration. Continued ...

individual as part of treatment, or to a larger population as part of operations, regarding case management, care coordination or alternative treatment modalities; or to describe a health-related product or service—or payment for the product or service—that is provided by the covered entity or included in a plan of benefits, such as communications about network-participating providers or value-added products or services not offered by a plan (e.g., vision plan enhancements).

February 2013 CPM Provider Newsletter Digest Page 16

From page 15

m arketing now includes communications issued by a covered entity or business

associate regarding a treatment- or operations-related product or service offered by a third

party...

Page 17: CPM Provider Newsletter Digest - Feb 2013

Amendments provide a number of exceptions to this general authorization requirement, such as disclosures for public health, treatment and payment purposes, and sale and merger transactions, among others. B. PHI AFTER DEATH Prior to the 2013 Amendments, the HIPAA Privacy Rule applied the same protections to the PHI of non-living individuals as it did to the PHI of living individuals. By amending the definition of PHI to generally exclude any health information of a person who has been deceased for more than 50 years, the 2013 Amendments limit the HIPAA Privacy Rule's protections with regard to a deceased individual's PHI for a period of 50 years after the date of death. Additionally, the 2013 Amendments provide that covered entities may disclose deceased individuals' PHI to non-family members, as well as family members, who were involved in the care or payment for healthcare of the decedent prior to death; however, the disclosure must be limited to PHI

relevant to such care or payment and cannot be inconsistent with any prior expressed preference of the deceased individual. C. DISCLOSURE TO SCHOOLS OF STUDENT IMMUNIZATIONS The 2013 Amendments permit a covered entity to disclose, without written authorization, immunization records to a school where state or other law requires, as opposed to merely permits, the school to have such information prior to admitting the student. While written authorization would no longer be required, the covered entity would nevertheless be required to obtain and document agreement to the disclosure that may be oral and over the phone from the parent or person acting in loco parentis for the individual, or from the individual himself or herself. A mere request by a school for the immunization records of a student would not be sufficient to permit disclosure without authorization. VI. Notice of Privacy Practices

The 2013 Amendments reflect modifications from the interim final rule that provide significant changes to covered entities' Notice of Privacy Practices ("NPP") regarding uses and disclosures that require authorization. While the 2013 Amendments do not require the NPP to include all situations requiring Continued ...

The 2013 Amendments define "sale of PHI" broadly to mean any disclosure where the covered entity or business associate receives, directly or indirectly, any remuneration in exchange for the PHI. OCR confirms the broad scope of this provision by clarifying that the term "remuneration" is not limited to financial payments (as the marketing provisions are, above); therefore, this prohibition applies to the receipt of financial as well as nonfinancial benefits. The 2013

February 2013 CPM Provider Newsletter Digest Page 17

From page 16

A mere request by a school for the immunization records of a student would not be sufficient

to permit disclosure without authorization.

Page 18: CPM Provider Newsletter Digest - Feb 2013

VII. Individuals' Right to Restrict Disclosures; Right of Access

To implement the HITECH Act, the Privacy Rule is amended to require a covered entity to restrict the disclosure of PHI about the individual to a health plan, upon request, if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law. The PHI must pertain solely to a healthcare item or service for which the individual has paid the covered entity in full. OCR clarifies that the adopted provisions do not require that covered healthcare providers create separate medical records or otherwise segregate PHI subject to a restrict healthcare item or service; rather, providers need to employ a method to flag or note restrictions of PHI to ensure that such PHI is not inadvertently sent or made accessible to a health plan. The 2013 Amendments also adopt the proposal in the interim rule requiring a covered entity to provide a copy of PHI to any individual requesting it in electronic form. The electronic format must be

provided to the individual if it is readily producible. OCR clarifies that covered entities must provide individuals only with an electronic copy of their PHI, not direct access to their electronic health record systems. The 2013 Amendments also provide the right to individuals to direct a covered entity to transmit an electronic copy of PHI to an entity or person designated by the individual. Furthermore, the amendments restrict the fees that covered entities may charge for handling and reproduction of PHI, which must be reasonable, cost-based and identify separately the labor for copying PHI (if any). Finally, the 2013 Amendments modify the timeliness requirement for right of access, from up to 90 days currently permitted to 30 days, with a one-time extension of 30 additional days. VIII. Fundraising

The 2013 Amendments continue to permit a covered entity or business associate to use PHI for its fundraising without the individual's authorization, and even expand the fundraising rules by allowing covered entities to utilize demographic information, including the individual's health insurance status and certain treatment and outcome information. With respect to individuals' right to opt out of fundraising communications, covered entities are now free to decide which opt-out methods to provide to individuals, as long as the chosen methods do not Continued ...

authorization, the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes, marketing disclosures and sale of PHI do require prior authorization, as well as the right of the individual to be notified in case of a breach of unsecured PHI. OCR clarifies that distribution by covered entities of new NPPs to individuals is required because the changes to the NPP requirements are material.

February 2013 CPM Provider Newsletter Digest Page 18

From page 17

a ny complaint or violation must be formally investigated

Page 19: CPM Provider Newsletter Digest - Feb 2013

among other things, required OCR to revise the HIPAA Privacy Rule to include genetic information within the definition of health information. The 2013 Amendments amend the existing HIPAA Privacy Rule by adding the prohibition on the use of "genetic information" for "underwriting purposes," with the exception of the underwriting of long-term care policies. OCR was persuaded to exempt long-term care insurance by rulemaking comments that prohibiting use of genetic information for underwriting purposes would impair the viability of the long-term care insurance market. As with other terms used in this section of the 2013 Amendments, "genetic information" and "underwriting purposes" are defined terms. It is important to note that nothing in GINA should be construed to limit the ability of a health plan to adjust premiums or establish eligibility criteria on the basis of a manifestation of a disease or disorder of an enrollee. The terms "manifestation or manifested" are defined because they are used to distinguish permissible uses of genetic information by insurance companies from impermissible uses. The

2013 Amendments also require health plans that perform underwriting to include in their NPPs a statement that they are prohibited from using or disclosing genetic information for underwriting purposes. We will be reporting on a separate, detailed analysis of the provisions of the 2013 Amendments implementing GINA in the near future. X. The Hybrid Entity, Its Healthcare Components and Business Associate Functions Under the HIPAA Rules, a "hybrid entity" is one that performs HIPAA-covered and non-covered functions, such as a small manufacturing company and its health clinic that is a HIPAA-covered entity. In this example, the health clinic constitutes a "health care component" under HIPAA. The 2013 Amendments clarify that the business associate functions provided by the hybrid entity to its healthcare component, such as billing for the health clinic in the example above, are now considered part of the healthcare component and are subject to HIPAA. XI. Compliance and Investigations; Liability A. INVESTIGATIONS; BASIS FOR LIABILITY

Under the 2013 Amendments, as required by HITECH Act, any complaint or violation must be formally investigated if a preliminary review of the facts Continued ...

impose an undue burden or more than a nominal cost for the individuals. For example, requiring a written letter would be an undue burden, but a pre-printed, prepaid postcard would be appropriate; use of a toll-free number or an e-mail address is encouraged.

IX. Modifications to the HIPAA Privacy Rule Under GINA

The Genetic Information Non-discrimination Act of 2008 ("GINA") prohibits discrimination based upon an individual's genetic information and,

February 2013 CPM Provider Newsletter Digest Page 19

From page 18

P rivacy Rule Notices Must Now Be Displayed in Clinic Lobby or Other Location Where Patients

Frequent as Well as on Clinic Web Site.

Page 20: CPM Provider Newsletter Digest - Feb 2013

Significantly, the 2013 Amendments make covered entities and business associates liable for acts of their business associates that are deemed to be agents. A number of comments expressed concerns to this new rule in proposed form, but OCR justifies its interpretation under the federal common law of agency. Commenters argued that contractual provisions, not the federal common law of agency, should control, but all such arguments were dismissed by OCR.

B. CIVIL MONETARY LIABIL ITY

As required by the HITECH Act, the 2013 Amendments substantially increase the potential civil monetary fines for violations for covered entities and business associates, and establish tiers of escalating penalty amounts based on increasing degrees of culpability of violators and other responsible parties. The 2013 Amendments also reduce OCR’s discretion in assessing these fines.

In circumstances where discretion is available, the Secretary, in determining the amount of penalty, is required to take into account the nature of the claims and the circumstances under which they were presented, the degree of culpability, history of prior offenses, financial condition of the person presenting the claims and other matters. OCR also intends to consider factors, such as the time period during which the violations occurred; reputational harm; and the number of individuals affected. Therefore, every HIPAA-covered entity, its business associates and their subcontractor business associates are strongly encouraged to quickly review the 2013 Amendments, consider its implications and promptly begin working to achieve compliance with applicable provisions and mitigate statutory liability risks. Significant penalties apply for lack of compliance. It may be worthwhile to consider taking prompt action. Continued ...

indicates a possible violation due to willful neglect. Thus, in such situations, informal means can no longer be used to resolve such violations. OCR also confirmed that the preliminary review needs to indicate only "possible," as opposed to "probable," willful neglect. OCR emphasized that it retains discretion to decide whether to conduct a formal investigation where a preliminary review of the facts indicates a degree of culpability less than willful neglect.


| Violation Category – Section 1176(a)(1) | Each Violation | All Such Violations of an Identical Provision in a Calendar Year |
|---|---|---|
| (A) Did Not Know | $100 - $50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000 - $50,000 | $1,500,000 |
| (C)(i) Willful Neglect - Corrected | $10,000 - $50,000 | $1,500,000 |
| (C)(ii) Willful Neglect - Not Corrected | $50,000 | $1,500,000 |


The Final HIPAA Rule At A Glance

The final rule will take effect March 26, 2013, and is composed of four final rules, as follows:

1. Final modifications to the HIPAA Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:

• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.

• Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.

• Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.

• Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.

• Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.

• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced in number two, below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.

ON THE FOLLOWING 8 PAGES IS A SAMPLE PRIVACY NOTICE

The above discussion provides a cursory discussion of the 2013 Amendments, which cannot and should not be relied upon for any purpose other than informational purposes. All situations and questions concerning PHI, the 2013 Amendments and other subjects discussed above present unique facts and issues, which along with applicable state laws should be considered on a case-by-case basis.


PRIVACY NOTICE

NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

[45 CFR 164.520]

Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health (HITECH) Act; [45 CFR Parts 160 and 164]

This notice describes how information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Introduction

___________________________________________________, hereafter referred to as “The Physical Therapy Provider”, is committed to treating and using protected health information (PHI) about you responsibly. This Notice of Privacy Practices describes the personal information we collect, and how and when we use or disclose that information. It also describes your rights as they relate to your protected health information. This Notice is effective April 14, 2003, with the HITECH modifications effective July 14, 2010, and applies to all Protected Health Information (PHI) as defined by federal regulations.

Understanding Your Health Record/Information

Each time you receive treatment or equipment from our clinic, a record is made. Typically, this record contains your symptoms, genetic information, examination and test results, diagnosis, treatment, and a plan for future care or treatment. This information, often referred to as your health or medical record, serves as:

• a basis for planning your care and treatment

• a means of communication among the many health professionals who contribute to your care

• a legal document describing the care/equipment you received

• a tool in educating health professionals

• a source of information for public health officials charged with improving the health of this state and the nation

• a source of data for planning and marketing

• a tool with which we can assess and continually work to improve the care we render and the outcomes we achieve.


Understanding what is in your record and how your health information is used helps you to ensure its accuracy, better understand who, what, when, where, and why others may access your health information, and make more informed decisions when authorizing disclosures to others.

Your Health Information Rights

Although your health record is the physical property of The Physical Therapy Provider, the information belongs to you. You have the right to:

• Obtain a paper or electronic copy of this Notice of Privacy Practices on request.

• Inspect and receive a copy of your health record as provided for in 45 CFR 164.524 (from the Health Insurance Portability and Accountability Act (HIPAA) of 1996).

• Amend your health record as provided in 45 CFR 164.528.

• Obtain an accounting of disclosures of your health information, other than those for purposes contained within this notice and those you have authorized, as provided in 45 CFR 164.528.

• Request communications of your health information by alternative means or at alternative locations. We will comply with a reasonable request for such an alternative.

• Request a restriction on certain uses and disclosures of your information as provided by 45 CFR 164.522. We are not required to agree to the requested restrictions. If, however, we do agree, the agreement will be binding on us.

• Revoke your authorization to use or disclose health information, except to the extent that action has already been taken.

Examples of Disclosures for Treatment, Payment, and Health Operations (TPO)

We may disclose your information without your specific authorization in the following circumstances:

Treatment: We will use your health information for treatment. For example: Information obtained by a physical therapist, physical therapist assistant, physical therapist aide, nurse, physician, physician assistant, or other member of your health team will be recorded in your record and used to determine the course of treatment that should work best for you. Your physical therapist and physician will document in your record his/her expectations of the members of your health care team (including orders for supplies & equipment), who will then record the actions they took and their observations and your response to the therapy. In that way, the physical therapist and physician will know how you are responding to treatment.

Payment: We will use your health information for payment. For example: A bill may be sent to you or a third-party payer. The information on or accompanying the bill may include information that identifies you, as well as your treatment, diagnosis, procedures, dates of service, and equipment/supplies used. Your health information will only be disclosed to your health plan upon its request and only for the purpose of carrying out payment or healthcare operations.

Health Operations: We will use your health information for regular health operations. For example: The risk management or quality improvement team may use information in your health record in an effort to continually improve the quality and effectiveness of the care, products and services we provide. We may use your billing information for review by our compliance department.

Other Required or Permitted Disclosures:

• Notification: We may use or disclose information to notify a family member, personal representative, or another person responsible for your care regarding your location and general condition. We may leave a message on your answering machine or voicemail, mail you a postcard or written notice, or send you an email as a means of communication.

• Communication with family: Health professionals, using their best judgment, may disclose to a family member, other relative, close personal friend or any other person you identify, health information relevant to that person's involvement in your care or payment related to your care. 

• Research: We may disclose information to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your health information. 

• Food and Drug Administration (FDA): We may disclose to the FDA health information relative to adverse events with respect to food, drugs, supplements, product and product defects, product tracking, or post marketing surveillance information to enable product recalls, repairs, or replacement. 

• Worker's Compensation: We may disclose health information to the extent authorized by and to the extent necessary to comply with laws relating to workers compensation or other similar programs established by law. 

• Marketing: The Physical Therapy Provider will contact you with information about treatment alternatives and other health-related benefits that may be appropriate to you only with your express authorization and with full disclosure of any remuneration that your physical therapy provider may receive.

• Public health: As required by law, we may disclose your health information to public health or legal authorities charged with preventing or controlling disease, injury, or disability, tracking reports of morbidity, or receiving reports regarding victims of abuse, neglect, or domestic violence.

• Law enforcement: We may disclose health information for law enforcement purposes as required by law or in response to a valid subpoena or other legal process.


• Disclosures required by law: We may be required by federal, state, or local law to disclose your medical information. In addition, federal law makes provision for your health information to be released to appropriate health oversight agencies for activities authorized by law such as audits, investigations, and inspections. 

• Disclosure to Schools of Student Immunizations: The 2013 Amendments permit a covered entity, in this case your therapy provider, to disclose immunization records without written authorization to a school where state or other law requires, as opposed to merely permits, the school to have such information prior to admitting the student. While written authorization is no longer required, the covered entity is required to obtain and document agreement to the disclosure, which may be oral and over the phone, from the parent or person acting in loco parentis for the individual, or from the individual him or herself. A mere request by a school for the immunization records of a student is not sufficient to permit disclosure without authorization.

Our Responsibilities

______________________________________________________ is required to:

• Maintain the privacy of your health information

• Provide you with notice as to our legal duties and privacy practices with respect to information we collect and maintain about you

• Abide by the terms of the Notice of Privacy Practices currently in effect

• Notify you if we are unable to agree to a requested restriction

• Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations

We will obtain your written authorization before using or disclosing your health information for purposes other than those listed in this notice or otherwise permitted or required by law. You may revoke an authorization in writing at any time. Upon receipt of a written revocation, we will discontinue using or disclosing your health information, except to the extent that we have already taken action in reliance on the authorization. We reserve the right to change our practices and to make the new provisions effective for all Protected Health Information we maintain. Should our information practices change, a copy of the revised notice will be available to you:

• as displayed at our office;

• on our website;

• from any of our office representatives;

• from our Privacy Officer at: ________________________________________;

• by writing to us at the address located at the end of this document, Attention: Privacy Officer.


HITECH Amendments

The Physical Therapy Provider includes the following HITECH Act provisions in its Notice:

HITECH Notification Requirements

Under HITECH, The Physical Therapy Provider is required to notify patients whose PHI has been breached, including breaches by any of our Business Associates and/or their Subcontractors. Notification must occur by first class mail within 60 days of the event. A breach occurs when an unauthorized use or disclosure that compromises the privacy or security of PHI poses a significant risk for financial, reputational, or other harm to the individual. This notice must:

(1) contain a brief description of what happened, including the date of the breach and the date of discovery;

(2) describe the steps the individual should take to protect themselves from potential harm resulting from the breach;

(3) give a brief description of what The Physical Therapy Provider is doing to investigate the breach, mitigate losses, and protect against further breaches.

Business Associates

Effective January 2013, The Physical Therapy Provider Business Associate Agreements have been amended to include the expanded definition of who a Business Associate is and to provide that all HIPAA security administrative safeguards, physical safeguards, technical safeguards and security policies, procedures, and documentation requirements apply directly to the Business Associate AND their Subcontractors.

Cash Patients/Clients

HITECH states that if a patient pays in full for their services out of pocket, they can demand that the information regarding the service not be disclosed to the patient’s third party payer, since no claim is being made against the third party payer.

Access to E-Health Records

HITECH expands this right, giving individuals the right to access their own e-health record in an electronic format and to direct The Physical Therapy Provider to send the e-health record directly to a third party. The Physical Therapy Provider may only charge for labor costs under the new rules.

Accounting of E-Health Records for Treatment, Payment, and Health

The Physical Therapy Provider does not currently have to provide an accounting of disclosures of PHI to carry out Treatment, Payment, and health care Operations (TPO). However, beginning on January 1, 2014, the Act will require The Physical Therapy Provider to provide an accounting of disclosures through an e-health record to carry out Treatment, Payment, and health care Operations. This new accounting requirement is limited to disclosures within the three-year period prior to the individual’s request.


Examples of Disclosure for Treatment, Payment, and Healthcare Operations:

Treatment: We will use your health information for Treatment. Information obtained by our company will be documented in your healthcare record and will be used to provide you with treatment and/or durable medical equipment and/or supplies. The prescription that your physician has ordered will be part of the record and will determine the treatment, equipment and supplies that you receive.

Payment: We will use your health information for Payment. In order to determine your eligibility for treatment, equipment and/or supplies, The Physical Therapy Provider may contact your insurance company and disclose healthcare related information. Also, The Physical Therapy Provider will bill you or a third-party payer for services that you receive from our clinic. The health information that identifies you, your diagnosis, your treatment, equipment, and supplies may be included on this bill.

Healthcare Operations: We will use your health information for healthcare Operations. The Physical Therapy Provider may use your health information to evaluate the quality of care you receive from us, to conduct cost management assessments, and to plan business activities. This information is used in an effort to continually improve the quality and effectiveness of the healthcare services we provide.

Other Uses or Disclosures:

Business Associates AND their Subcontractors: There are some individuals who are under contract with The Physical Therapy Provider and, from time to time, are engaged in the improvement or financial enhancement of our clinic. So that your health information is protected, however, we require any business associate AND their Subcontractors to appropriately safeguard your information.

Public Health: As required by law, we may disclose your health information to public health or legal authorities charged with preventing or controlling disease, injury, or disability.

Law Enforcement: We may disclose health information for law enforcement purposes as required by law, or in response to a valid subpoena.

Health Oversight Activities: We may disclose health information to health oversight agencies for activities authorized by law, including surveys, audits, and compliance inspections.

Worker's Compensation: We may release your health information to the extent necessary to comply with laws relating to workers compensation or other similar programs established by law.


For More Information or to Report a Problem

If you have questions and would like additional information, you may contact the company's Privacy Officer at ________________________________________________________________

If you believe your privacy rights have been violated, you can file a complaint with the company's Privacy Officer, or with the Office for Civil Rights, U.S. Department of Health and Human Services. There will be no retaliation against any individual for filing a complaint. The address for the OCR is:

Office for Civil Rights, U.S. Department of Health and Human Services,

200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201.

Our Clinic's Contact Information:

______________________________________

______________________________________

______________________________________

CONTACT PERSON NAME & PHONE NUMBER: _________________________________

PRIVACY OFFICER NAME & PHONE NUMBER: __________________________________

PHONE NUMBER OF CLINIC: _________________________________________________

FAX NUMBER OF CLINIC: _____________________________________________________

EMAIL ADDRESS (OPTIONAL): _________________________________________________


PRIVACY NOTICE

PATIENT/PATIENT REPRESENTATIVE ATTESTATION PAGE

NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

[45 CFR 164.520]

Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; [45 CFR Parts 160 and 164]

SIGNATURE PAGE

I, ___________________________________________, attest that I have read and understand the Notice of Privacy Practices for Protected Health Information under 45 CFR 164.520 of the HIPAA Privacy Rule. I further attest that I have received a copy of said Notice from The Physical Therapy Provider. I have also received, read, and understand the additional privacy provisions as detailed in the Health Information Technology for Economic and Clinical Health Act (HITECH) under 45 CFR Parts 160 and 164.

PATIENT NAME OR REPRESENTATIVE SIGNATURE: ______________________________________

PRINTED PATIENT NAME OR REPRESENTATIVE: _____________________________________

Date: ______________________________________

Relationship to Patient: _____________________________________

Witness: ______________________________________

Date: _____________________________________

This page will be kept in your Medical Records Chart. If you would like a copy for your records, please notify the Privacy Officer or Clinic Front Desk Personnel.

PLEASE SIGN IN BLUE INK


The Lighter Side . . .

Of Sequestration


Citations

Loder, David. "Overview of 2013 Amendments to HIPAA Privacy, Security, Breach Notification and Enforcement Rules." JD Supra, 30 Jan. 2013. Web. 28 Feb. 2013. <http://www.jdsupra.com/legalnews/overview-of-2013-amendments-to-hipaa-pri-65174/>.

Lubell, Jennifer. "HIPAA Gets Tougher on Physicians." Amednews.com. American Medical Association, 04 Feb. 2013. Web. 20 Feb. 2013. <http://www.ama-assn.org/amednews/2013/02/04/gvl10204.htm>.


The 4-1-1 On Us!

Clinical Practice Management’s (CPM) story began in 1998 with a group of Physical Therapists who decided to provide what they themselves were looking for in a billing company:

• Compliance

• Compassion

• Knowledge

• Integrity

• ...and of course...Cash!

The launch of CPM was a success! We’ve enjoyed continued growth due to the strength of our pledge to provide stellar clinical services to our clients! CPM’s client references speak to our reputation in the Rehabilitation healthcare community, as well as CPM’s status as a PTPN Preferred Provider!

CPM is Not Your Run of the Mill Billing Company — Keeping You on Target and in Control!

Disclaimers

The articles contained in this Newsletter were prepared as a service to our subscribers and are not intended to grant rights or impose obligations. These articles may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations and other interpretive materials for a full and accurate statement of their contents. We do our best to provide you with the most accurate and up-to-date information possible. However, due to circumstances beyond our control, some of the information can change without our knowledge. Because of the possibility of human error and other circumstances beyond its control, Clinical Practice Management is not responsible for any errors or omissions, which shall include any direct, indirect, incidental, consequential or any other damages arising out of or in connection with the information available in this Newsletter Digest. The information provided in this digest is solely for non-profit educational purposes (17 U.S.C. § 107) and no other purpose(s) is to be derived or implied. We have, when necessary, condensed certain articles for space purposes but without having diluted, in our opinion, the original message or intent of the cited author(s). Source references of articles used in this digest lead directly to the cited work by the original author. The information provided in this digest does not constitute an endorsement from or of any company, corporation, person or other entity.

If you find an error or omission on any of our pages, please inform us as soon as possible by email at: [email protected]

Clinical Practice Management Provider Newsletter Digest

2200 W. Orangewood Ave., Ste. 212 Orange, CA 92868

1-888-550-2112

Kimberly Gordon, Manager 714-450-4999

Linda Seidelman Editor 714-450-4980 X 1251

John O’Connor, Joseph Donohue, Owners

Your comments, suggestions and letters are welcome! Please feel free to relay any and all information to us. Direct all correspondence, letters, etc., to the Editor: Linda Seidelman, Editor, [email protected]

L to R; John O’Connor, Kimberly Saalfeld, Joe Donohue


2200 W. Orangewood Ave | Ste 212 contact: Linda Seidelman

Orange, CA 92868 phone: 714-450-4950 X 1251

714-450-4980


The Clinical Practice Management Team
