September 23rd Deadline Has Passed
On September 23rd, all business associate agreements (BAAs) that were active prior to the Omnibus Rule were required to be updated to comply with the Omnibus Rule. The changes were significant and will be enforced by the Office for Civil Rights (OCR). In response, David Holtzman recently authored an article, “Don’t Let Enforcement of new HIPAA Requirements Catch You Napping,” in the October issue of Compliance Today. The article reviews what every covered entity and business associate needs to know about the September 23rd deadline, including:
- Compliance dates for key changes to HIPAA Rules are here
- Last chance to update HIPAA Business Associate agreements
- Enforcement of patient access to lab records began in October
- Patients to have electronic access to protected health information (PHI) held electronically
- Medical labs must have updated Notice of Privacy Practices
The change of seasons from summer to fall has brought us to key dates for compliance with the HIPAA Privacy and Security Rule standards for business associate agreements (BAAs) and the right of individuals to access their protected health information (PHI) from medical laboratories.
Business Associate Agreements
Key dates are on the horizon affecting compliance with the HIPAA Privacy and Security Rule standards for Business Associate Agreements (BAAs) and the right of individuals to access their protected health information (PHI) from medical laboratories. A delay in the enforcement of required changes to the Notice of Privacy Practices (NPP) issued by laboratories covered by the Clinical Laboratory Improvement Amendments (CLIA) and by non-CLIA labs ends with the October 6, 2014 compliance date for the right to access records held by medical laboratories.
The HIPAA Omnibus Rule, issued in January 2013, changed the standards for BAAs, adding a number of requirements that include executing a new or revised BAA containing the new or modified provisions. The rules changing the required provisions of the BAA took effect in September 2013 for agreements created or modified after the Omnibus Rule’s publication. HHS used its enforcement discretion to give covered entities more time to revise the BAAs that were already in place, but the extended compliance deadline to update those BAAs ended on September 23, 2014.
The modifications to the HIPAA Privacy and Security Rules, among other things, expand the definition of business associates (BAs). Under the revised rules, “business associate” now includes any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity or its BA, or any entity that provides services to or for the covered entity involving the use or disclosure of PHI. This means that all downstream subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate now meet the definition of a BA. Another major change is that BAs are now directly liable for certain Privacy and Security Rule violations. Prior to the new rule, BAs had only contractual liability to their covered entity and no direct liability to OCR for HIPAA violations.
In addition to broadening the definition of who is a BA and imposing direct liability for compliance with the Security Rule and certain provisions of the Privacy Rule, the revised rules require covered entities to update their BAAs to reflect the new HIPAA requirements. BAAs must provide that the business associate will (1) comply with the HIPAA Security Rule, (2) report breaches of unsecured PHI to the covered entity, and (3) enter into BAAs with its subcontractors in the same manner that the covered entity contracts with the BA.
Right to Access PHI & Notice of Privacy Practices
A second key provision that recently took effect is the right of individuals to access health information from medical laboratory providers who administer tests that are subject to CLIA. The new rule was published as a final rule in February 2014 and is being enforced as of October 6, 2014.
The right to access health data removes legal barriers that stopped medical laboratories from providing lab test results directly to patients and their designees, such as developers of their personal health records systems. The rule preempts laws that were in place in 13 states and lifts a federal exemption effective in 26 more states.
Previously, in those 39 states, patients could receive or view their lab test results only through their physician or other authorized healthcare provider, or with the consent of the provider who ordered the test. The final rule, issued jointly by CMS and OCR in February 2014, amends the CLIA regulations, which govern 239,000 healthcare testing labs.
Before the revisions, CLIA stipulated that labs could release test results to three types of individuals: the person authorized under state law to order or receive results (typically a physician), the person responsible for using the test results for treatment, and the referring lab that requested the test.
The new rule also eliminated an exemption for CLIA-covered labs to the requirements of the HIPAA Privacy Rule, which generally required healthcare providers to give patients access to