PHI, BAs, and NPPs

Tougher New HIPAA Rules in Effect

Texas Medicine Logo

Tex Med. 2013;109(10):31-35.  

By Crystal Zuzek

Associate Editor


Matt Murray, MD, a Fort Worth pediatric emergency physician in the Cook Children's Health Care System, is serious about his legal obligation to safeguard patients' protected health information (PHI).

"Complying with HIPAA does require extra work for physicians and staff. But it's worth it to prevent my patients from being adversely affected by a breach of PHI. I try to focus on what's best for my patients," said Dr. Murray, vice chair of the Texas Medical Association Ad Hoc Committee on Health Information Technology.

The U.S. Department of Health and Human Services (HHS) made comprehensive changes (known as the Omnibus Rule) to HIPAA that took effect Sept. 23. The regulations expand physicians' obligation to protect patients' personal information. They also clarify when physicians must report breaches of unsecured information to patients and HHS.

That's why TMA encourages you to review business associate (BA) agreements and notices of privacy practices (NPPs) and security and breach notification policies to make sure they meet the new HIPAA rules.

HHS defines protected information as "individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral."

It defines a breach of PHI as improper use or disclosure of personal information that "poses a significant risk of financial, reputational, or other harm to the affected individual." An example of a breach would be loss or theft of a laptop containing nonencrypted personal information. 

Who Is a Business Associate?

When determining if the revised federal HIPAA rules consider an entity one of your business associates, physicians' mantra is "create, receive, store, maintain, or transmit," said Jeffery Drummond, an attorney in the Dallas office of Jackson Walker, LLP.

"When reviewing their relationships with businesses, physicians will need to enter new BA agreements with those entities that create, receive, store, maintain, or transmit PHI on their behalf," he said.

For example, under the new rule, you must consider patient safety organizations, e-prescribing gateways, health information exchanges, and record storage companies as business associates. Mr. Drummond encountered one case where a record storage company refused to sign a BA agreement with a medical practice. He advises physicians who run into resistance from business associates to take their business elsewhere.

The new HIPAA regulations expand the criteria for business associates but give physicians some time to update their agreements.

"As long as physicians had an existing BA agreement in place on the publication date of the rule — Jan. 25, 2013 — that met pre-Omnibus Rule standards, that agreement will be good until Sept. 22, 2014, one year from the compliance date," Mr. Drummond said. After that date, BA agreements may need to be updated.

He adds one caveat: Any BA agreements in place by Jan. 25, 2013, and subsequently modified before Sept. 22, 2014, must comply with the rule upon modification.

In the past, HIPAA Privacy and Security rules focused on health care professionals, health plans, and insurance claims clearinghouses. The new regulations apply many of the old requirements to business associates of entities that receive PHI. HHS reports that some of the largest breaches of PHI involved business associates, such as contractors and subcontractors.

Compliance with HIPAA regulations is more important as physicians face steeper penalties for breaches of PHI security and as the HHS Office for Civil Rights (OCR) cracks down on violations.

Federal law increases penalties for HIPAA violations to up to $1.5 million per violation. Civil penalties range from $100 to $50,000 per violation. Criminal penalties for lying to defraud a victim include a maximum $100,000 fine and up to five years in prison. Anyone who violates HIPAA rules to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm faces up to a $250,000 fine and 10 years in prison.

Mr. Drummond says you need to scrutinize your HIPAA policies and procedures to make sure you meet your obligation to safeguard patients' information under the rule.

"A practice's policies and procedures need to be specifically adapted to the practice. Employees should be trained on HIPAA compliance, and the policies and procedures should be applicable to the business," he said.

Mr. Drummond worked with TMA to update the HIPAA privacy and security manuals in Policies and Procedures: A Guide for Medical Practices. (See "TMA's HIPAA Compliance Tools.") The manuals include updated details on HIPAA and Texas' privacy law, as well as template policies for: 

  • Staff training on the HIPAA policies and procedures,
  • BA agreements that incorporate amendments of the Health Information Technology for Economic and Clinical Health Act (HITECH), and
  • Breach risk assessments.  

Read the final rule here. For the latest information on the HIPAA Privacy Rule, sign up for OCR's listserv.

Find the Weak Spots

You'll likely need to update your breach notification procedures to meet the new requirements. Previously, you didn't need to report a security violation if it did not harm the patient.

The new rules outline four things you can do to determine if the security of a patient's personal information is compromised.

Mr. Drummond recommends contacting a lawyer to help determine: 

  • Whether the PHI was actually acquired or accessed;
  • The financial or clinical sensitivity of the information involved and the likelihood it can be reidentified;
  • The person who caused the breach and whether he or she has an obligation to keep the information confidential; and
  • The extent to which the risk is mitigated, which may involve obtaining a signed confidentiality agreement from the person who received the PHI.

If you find there is a low probability of a breach, you do not have to report it. Otherwise, you must report the breach to the patient and to HHS (and the media for certain large breaches). The agency has instructions for submitting notice of a breach on its website.

Additionally, you can assign breach notification to business associates and should work with them to coordinate the notification.

TMA's HIT Security Risk Assessment Questionnaire helps physicians and staff make risk management decisions regarding reasonable and appropriate security measures to reduce risk to an acceptable level.  

Examine Policies, Contracts

Dr. Murray, past chief medical information officer for Cook Children's, says the system has taken steps to conform to the new privacy and security laws. This includes updating BA agreements, privacy notices, and staff training, and reminding clinicians and staff about maintaining confidentiality and privacy of PHI.

"We also added language in our BA agreements specifying the time frame for notifying the physician network when the business associate identifies a breach of PHI," Dr. Murray said.

He suggests the agreements specify who is responsible for the cost of a breach notification. You may want to request an attorney's assistance in reviewing an associate's risk assessment documents.

You should look at your privacy notices, as well. Mr. Drummond says the notices must tell patients that most uses and disclosures of psychotherapy notes or information for marketing purposes and sale of information require their approval. Physicians who participate in fundraising need to modify their notices to tell patients they have the right to opt out of those communications. The rule doesn't specify what "fundraising" means, thus you should check with an attorney for guidance if you think it might apply to you.

The new rule also requires you to agree to a patient's request not to disclose information about care he or she paid for in full out of pocket to health plans unless otherwise required by law.

Privacy notices must tell patients they have the right to know about a HIPAA breach. You must post the revised notice and make copies available to all new patients and to others upon request.

"The NPP tells patients what they can expect from the medical practice in terms of privacy and security of PHI. It's important for doctors to follow the NPP," Mr. Drummond said.

To request a sample privacy notice and BA agreement, call the TMA Knowledge Center at (800) 880-7955, or email knowledge[at]texmed[dot]org.

HHS has developed sample BA agreement provisions

Crystal Zuzek can be reached by telephone at (800) 880-1300, ext. 1385, or (512) 370-1385; by fax at (512) 370-1629; or by email.



TMA's HIPAA Compliance Tools   

TMA has resources to help physicians and their staff members comply with state privacy law requirements and federal HIPAA regulations. Visit the TMA website to access the following on-demand webinars: 

  • Complying with HIPAA and Texas Privacy Laws teaches compliance officers and physicians and their staff members the ins and outs of federal and state privacy training requirements. The webinar features a HIPAA risk assessment tool and a sample notice of privacy practices and business associate agreement.
  • Complying with HIPAA Security instructs physicians and their employees on the procedures practices must implement to ensure patients' electronic protected health information remains confidential and safe from leaks or hacking.
  • HIPAA Training for Medical Office Staff explains modifications to state privacy training requirements and helps practices comply with state and federal privacy laws.

TMA, in conjunction with Jackson Walker, LLP, has updated the HIPAA privacy and security information in Policies and Procedures: A Guide for Medical Practices. A hard copy of the guide with customizable CD is $295 for members and $395 for nonmembers. The customizable CD alone is $255 for members and $355 for nonmembers.

To order the guide, contact the TMA Knowledge Center by telephone, (800) 880-7955, or by email.

Back to article

October 2013 Texas Medicine Contents
Texas Medicine Main Page