[ Monday, May 13, 2013 ]
Prescription Reminders: CVS' move to stop providing manufacturer-funded prescription reminder services has triggered calls from pharmacy trade groups to HHS, asking them to loosen up the "marketing" rules to allow these things to proceed. I tend to agree -- the tight marketing rules are too convoluted and too easy to violate, and activities that are much more beneficial than harmful are caught in the regulatory net.
Jeff [5:50 PM]
[ Friday, May 10, 2013 ]
University of Rochester Medical Center data breach: a resident lost a flash drive, probably in the laundry. The flash drive had PHI on a little more than 500 patients, but it was . . . drum roll please . . . unencrypted, resulting in the need for a breach report. AND, since there were more than 500 patients, the report must go to the press as well.
Jeff [5:16 PM]
Jeff [4:46 PM]
[ Tuesday, May 07, 2013 ]
"Storage" Creates a BA Relationship: Where do you store your old medical records? Lots of small practices rent a self-storage unit somewhere to keep boxes of old paper medical records. Those storage facilities don't consider themselves to be in the "medical record storage" business, don't intend to access the records, don't "maintain" them in the traditional sense of the word, don't have policies and procedures or other safeguards in place (other than locks on the doors), and probably won't be willing to sign a business associate agreement (or if they sign one, probably wouldn't do a good job of complying with it). In common-law terms, there is no "bailment," and they don't consider themselves to be bailees. Under the original HIPAA rules, they had a very strong argument that they were not business associates.
However, under the Omnibus Rule, they almost certainly are business associates. Even if they protest and deny any intent to become one, they probably still are. "Conduits" such as the post office, FedEx and UPS get a special exception, but storage companies don't. Here's what the commentary in the Omnibus Rule says:
We note that the conduit exception is limited to
transmission services (whether digital or hard copy), including any temporary
storage of transmitted data incident to such transmission. In contrast, an
entity that maintains protected health information on behalf of a covered
entity is a business associate and not a conduit, even if the entity does not
actually view the protected health information. We recognize that in both
situations, the entity providing the service to the covered entity has the
opportunity to access the protected health information. However, the difference
between the two situations is the transient versus persistent nature of that
opportunity. For example, a data storage company that has access to protected
health information (whether digital or hard copy) qualifies as a business associate,
even if the entity does not view the information or only does so on a random or
infrequent basis. Thus, document storage companies maintaining protected health
information on behalf of covered entities are considered business associates,
regardless of whether they actually view the information they hold. To help
clarify this point, we have modified the definition of “business associate” to
generally provide that a business associate includes a person who “creates,
receives, maintains, or transmits” (emphasis added) protected health
information on behalf of a covered entity.
Document storage companies like Iron Mountain clearly are covered; what about regular storage companies that don't specialize in storing documents, but are simply self-storage warehouses? Given that the risk of improper access (by an inside or outside actor) is basically the same, I would think you must treat them the same.
Jeff [11:37 AM]
[ Monday, May 06, 2013 ]
The HIPAA Omnibus Rule Blows Up Refill Reminders: Some of the hardest components of the Omnibus Rule to figure out are the changes to marketing and restrictions on sale of PHI. Any communication urging the recipient to purchase a good or service is marketing. When a physician gives you a prescription, he's urging you to buy that drug; is that marketing? There is an exemption that allows for delivery of that prescription, since it's for treatment of the individual.
However, the exemption doesn't apply if the provider is paid for making the communication. Because of that limit on the exemption, CVS has decided to stop sending refill reminders, since they were being paid to do so by the manufacturers of the drugs that were being refilled.
Jeff [5:01 PM]
[ Wednesday, May 01, 2013 ]
Meaningful Use and HIPAA: If you are a healthcare provider who is receiving federal incentive payments under the HITECH Act for "meaningful use" (i.e., you are a meaningful user of an Electronic Medical Record, have attested to it, and receive incentive payments from CMS), you stand a 5% chance of being audited, either before or after payment is made. One of the certifications you must attest to is that you have conducted a HIPAA Security Rule risk assessment. Apparently, lots of EMR meaningful users have attested to this, even though they haven't done it.
IDExperts asks the question, "Do you really need security to attest to meaningful use?" The answer is an absolute and unequivocal yes.
Frankly, if you are a covered entity and haven't done a HIPAA risk analysis, you are currently in breach of HIPAA. And have been since April 2005.
That's eight years this month. If you get audited for HIPAA, or audited for MU, or suffer a breach, how are you going to explain that?
Jeff [2:15 PM]
[ Tuesday, April 30, 2013 ]
OCR Helps Consumers Understand HIPAA: OCR has posted a series of factsheets, in different languages, to help consumers understand their rights under HIPAA. These are complemented by a series of YouTube videos for consumers (one of which is targeted at providers and describes how to establish basic safeguards). It's pretty perfunctory, but is a good starting point for "civilians" to get a rudimentary understanding of how HIPAA affects them and what it can do for them.
OCR has also published a series of MedScape CME modules for physicians on HIPAA, here, here and here (you gotta sign up for MedScape, but you get CME credit, so it's probably worth it).
Jeff [10:23 PM]
Jeff [10:58 AM]
[ Wednesday, April 24, 2013 ]
Arizona Counseling and Treatment Services breach: This behavioral health provider suffered a data breach when a laptop and hard drive (unencrypted, natch) were stolen from an employee's home, resulting in notification to 3000 patients. The laptop had tracking software and was wiped, but the hard drive didn't have that functionality.
Hat tip: Malvern Group
Jeff [5:26 PM]
This is a little disconcerting: HHS, in its HIPAA audit program, has discovered that approximately one-third of providers' and insurers' noncompliance problems stemmed from a lack of awareness of requirements facing them. 47 out of 61 healthcare providers audited haven't done a satisfactory security risk analysis either. That's amazing.
Jeff [5:13 PM]
[ Monday, April 22, 2013 ]
Jeff [9:32 AM]
[ Friday, April 19, 2013 ]
HIPAA as a Hindrance to Gun Purchase Background Checks: It's been posited that the National Instant Criminal Background Check System, which is supposed to help prevent guns from being purchased by those not allowed to have them, doesn't work as well as it should because some people don't report information due to HIPAA concerns. I don't know enough about NICS to know if that's true, but HHS wants to make sure HIPAA doesn't interfere with gun laws.
So they're asking for public comment; if you have a stake in the process or information that can help HHS deal with the issue, please follow the directions at the link and send in your comments.
Jeff [4:29 PM]
[ Thursday, April 18, 2013 ]
Class-Action Suit: Employees at Florida Hospital - Celebration were recently sentenced to jail time for stealing patient data relating to patients who were in car wrecks and selling it to chiropractors and plaintiff's attorneys. The thefts occurred between 2009 and 2011, and obviously the hospital didn't know the employees were doing it. However, now the hospital has been sued in a class action suit, based on breach of contract (not providing patients with the security they expected). Proving damages might be an issue, of course.
Jeff [10:49 AM]
[ Tuesday, April 16, 2013 ]
Jeff [4:35 PM]
[ Monday, April 15, 2013 ]
Jeff [12:33 AM]
Interesting HIPAA preemption case: The 11th Circuit has ruled that a Florida rule that requires nursing homes to give PHI of deceased patients to the next of kin is superseded by HIPAA's privacy requirements, which only allow the information to be given to the "personal representative," or executor of the estate. Interestingly, HIPAA's "required by law" allowance was not sufficient to allow the disclosures in a manner that would meet both the state law requirements and HIPAA. I think this one may go to the Supreme Court, if they're willing to waste time on a HIPAA preemption case.
Jeff [12:21 AM]
[ Friday, April 12, 2013 ]
Social Media Issues: If you were at my Texas Medical Association presentation yesterday or the day before in Houston (or in preceding weeks across the state), you heard me make the point about risks of emailing with patients (and the greater risk of texting with them). As with social media, providers must be particularly careful in dealing with patients electronically. The American College of Physicians and the Federation of State Medical Boards have published guidelines recognizing the benefits of electronic communication with patients (directly or through social media), but also pointing out the risks, which are great.
Don't do it if you haven't done a risk analysis that considers what could go wrong. And if you haven't done a risk analysis in a while (or ever -- and you people know who you are), you really better do one. Email me if you want some help on where to start.
UPDATE: more on the same from HCPro.
Jeff [4:14 PM]
[ Thursday, April 04, 2013 ]
Out on a Limb: Electronic communications between doctors and patients may help, but may cause problems.
Jeff [9:45 AM]
[ Tuesday, March 26, 2013 ]
Via BNA: California's AG is looking closely at health record privacy and data breaches (subscription required, sorry).
Jeff [11:39 AM]
Even small breaches have consequences: In Massachusetts, a physician practice employee snoops into 200 records in an electronic medical record, and Hallmark Health System has to notify all of the patients and the Mass. and NH attorneys general.
Jeff [11:37 AM]
[ Friday, March 22, 2013 ]
Doctors and their online presences: Interesting article, slightly off topic.
Jeff [8:49 AM]
[ Monday, March 04, 2013 ]
Verizon Announces Secure Universal Messaging System at HIMSS: the Health Information Management Systems Society (HIMSS) conference is going on in New Orleans, and according to BNA, Verizon has announced that it is developing an open-source, secure messaging system that will allow healthcare providers to text safely and securely. Apparently, this system will serve as a bridge between different EMR systems. BNA is a subscription service, so I looked for any other announcement about this online, but haven't seen it. If I see one, I'll update this.
I've been speaking a lot lately on medical record and HIPAA issues, and one thing that comes up a lot is whether physicians can text safely, or if they should not text at all. There are a lot of problems raised by texting, but a secure system, with the ability to retain texts, would go a long way to curing those problems. It would be nice to see Verizon working on something more along those lines.
UPDATE: Here's a free link to another source on the Verizon announcement.
Jeff [9:52 PM]
[ Monday, February 25, 2013 ]
Non-HIPAA HIPAA violation: a Detroit healthcare worker sold PHI of Medicare beneficiaries to home health care agencies, who falsely billed Medicare for services not provided. Clarence Cooper pled guilty to one count of conspiracy to commit healthcare fraud, and faces up to 10 years in prison. His part of the scheme cost the government about $1 million, but the whole scheme accounted for about $24,700,000.
Via BNA (subscription required).
Jeff [10:06 PM]
[ Wednesday, February 20, 2013 ]
OCR to Focus Audits on Entities with Long-Standing Patterns of Non-Compliance.
According to BNA (subscription required), OCR will look for organizations with long histories of noncompliance, across all areas of the healthcare industry. Entities that can demonstrate efforts to create and nurture a "culture of compliance" will come out of audits looking good. Entities that violate HIPAA in ways that raise a high risk of data breaches (such as with mobile devices) will bear the brunt of OCR's enforcement activities, which will definitely be stepped up after publication of the Omnibus Rule. And if you don't have policies and procedures in place, you will pay penalties.
You have been warned.
Jeff [8:14 PM]
Five Ways to Improve HIEs: Health Information Exchanges are a big part of the future of healthcare delivery and process, but they haven't progressed as many expected they would. The reasons why are pretty predictable: the inherent conflict between information exchange and privacy concerns, different goals/objectives/interests pursued by different participants in the HIE industry, incompatibility of data, etc. But perhaps the biggest hurdle is the level of unrealistic expectations. Here are 5 ways to improve the HIE system, which pretty much reflect that last observation.
Jeff [9:33 AM]
[ Friday, February 15, 2013 ]
Mental Health and HIPAA: Balance. I always say that the problem with privacy advocates is that absolute privacy is a bad thing, and prevents necessary health and safety from happening. Take mental health records. That's obviously a very sensitive area of medical records. Mental health records should be kept private. But what about where the disclosure of mental health records might save lives? Newtown, the Batman theater shooting, Virginia Tech, perhaps even Ft. Hood might have been prevented if the right person knew the perpetrator's mental health records. That specific issue has been raised by some Republican members of the House Energy and Commerce Committee, who have sent a letter to the Secretary of HHS asking how HIPAA impacts the ability to get information into the background check system used to screen gun purchasers. "Required by law" should cover it, but is that enough to overcome the inclination toward privacy in every case?
Jeff [4:52 PM]
[ Tuesday, February 12, 2013 ]
Facebook Follies: A physician posts a note on Facebook complaining about a patient who is always late to her OB appointments. A commenter asks why she doesn't fire the patient, and the doctor says that the patient previously miscarried. Someone else sees the post, takes a screenshot, and posts that on the "new moms" Facebook page of the hospital where the physician works. Hilarity ensues.
Jeff [3:32 PM]
[ Sunday, February 10, 2013 ]
Jeff [10:26 PM]
[ Friday, February 01, 2013 ]
Shiner's Saison: Picked up a growler of Shiner's FM966 farmhouse ale at Whole Foods on the way home tonight, and enjoying it watching the Stars' new rookies Roussel (first NHL goal) and Oleksiak ("the big rig" at 6'7" and 240 lbs) play Phoenix. Like most Shiner beers, it's a good, solid, but not showy saison beer. Probably a little too light in color, slightly sweet and under-hopped. Not going to change your view of beer, but a nice little beer.
Jeff [9:23 PM]
[ Wednesday, January 30, 2013 ]
Healthcare Data Breaches and their costs. Insider negligence is the biggest cause.
Jeff [8:31 AM]
[ Saturday, January 26, 2013 ]
Officially Published: Here's the link to the online Federal Register posting of the Omnibus Rule. It's not in the usual 3-column FR form; I'll post that when I see it. But it is searchable and you can jump to the sections you want to read.
Jeff [10:00 AM]
[ Friday, January 25, 2013 ]
Model Business Associate Agreement Provisions: way back when the Privacy Rule first came out, HHS helpfully provided a draft business associate agreement. Unfortunately, it was very popular. I say unfortunately because it wasn't a very well-drafted contract.
In the Omnibus Rule and commentary that came out around that time, HHS said it was publishing model business associate agreement language. The old language was still up on the website, until today. Now, there's a new item on the HHS website with new, model BAA language. And unlike last time, HHS didn't try to draft a whole contract; rather, they just gave model language that, on first glance, looks pretty promising.
Officially, the Omnibus Rule is published in today's Federal Register (even though it's been available online for over a week), so today is fine for posting up the model BAA language.
Jeff [4:10 PM]
[ Thursday, January 24, 2013 ]
Prison Time: for data theft at Florida Hospital Celebration. Florida, of course.
Jeff [10:45 PM]
[ Tuesday, January 22, 2013 ]
My HIPAA Omnibus Rule e-Alert was sent out this afternoon. It can be viewed here. If you're not a subscriber to the Jackson Walker healthcare e-Alerts, you can sign up here.
Jeff [5:20 PM]
Privacy for Mobile Apps and Devices: the (smokin' hot) California Attorney General has published a handbook advising developers, carriers and networks to consider certain privacy issues related to mobile apps. Interesting reading.
Jeff [5:13 PM]
The Hide Rule is Hard: Modern Healthcare notices that the Hide Rule is hard to comply with, especially when you're dealing with electronic medical records.
Jeff [12:55 PM]
[ Monday, January 21, 2013 ]
Nugget 14: What happened to the proposed revisions to the Accounting of Disclosures rule? Those are still out there, floating around. I guess the Omnibus rule ain't so Omni after all.
Jeff [3:10 PM]
Nugget 13: Marketing (this ought to be linked with nugget 7 on Fundraising): A big component of the Omnibus Rule wrestles with the fact that most marketing activities require an express authorization from the patient. Specifically, the Privacy Rule now explicitly states that an authorization is needed for three things: the release of psychotherapy notes, marketing, or sales of PHI. The former definition of marketing included where a covered entity received compensation from a third party for giving the third party PHI so the third party could market its goods and services to the individuals whose PHI was provided; that's no longer there, since that would be selling PHI, and it specifically requires an authorization.
Under the proposed rule:
Marketing is a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. There are exceptions: communications by a covered entity about the covered entity's own healthcare-related products or services; treatment communications; and communications about case management, care coordination, or alternative treatments/therapies. If the marketing communication is delivered face-to-face or consists only of promotional gifts, no authorization is required. However, an authorization is needed if the information is non-healthcare related, or if the covered entity gives or sells the PHI to a third party to do the marketing.
With a few exceptions, if the covered entity is compensated for making the communication, it is considered marketing and an authorization is required. If the compensation received for making the communication is not financial remuneration but is in-kind or other remuneration, then it does not elevate the communication to "marketing."
If the remuneration is in exchange for some service other than making the communication, it doesn't lose the possibility of being excluded from the definition of marketing. Refill reminders and information about drugs and biologics currently prescribed, for which the covered entity receives "reasonable" compensation, are not marketing. Communications to the individual by the provider relating to health-related products (including case management, coordination of care, and alternative treatments) are not marketing; however, if the provider is compensated and the communication is in writing, the patient must have the opportunity to opt out. And the provider's NoPP must describe the possibility of these communications and note that the patient can opt out of receiving them.
Under the Omnibus Rule:
If the covered entity receives financial remuneration (not in-kind or other remuneration) for making the communication (a "subsidized communication"), it is marketing, even though it is for treatment or healthcare operations (such as refill reminders, case management or care coordination, or alternative therapies). A covered entity can provide those, but cannot receive any financial remuneration for doing so. So, you don't need that NoPP description of the possibility of the communications (they're almost certainly treatment or healthcare operations uses/disclosures) or the ability to opt out. And if the covered entity can't get paid for the communication, the covered entity's business associate can't either.
To be a "subsidized communication," the financial remuneration must be for the making of the communication, not for something else. A health plan can pay a provider to set up a disease management program, and the provider can make communications to patients encouraging them to participate in the disease management program without having to obtain prior authorization; the payment was not for the communication about the program, but for the establishment of the program. Also, a provider can be compensated for making communications to patients without needing an authorization if the communication is made face-to-face (not over the phone) or the communication is a promotional gift of nominal value. Also, refill reminders and communications about a currently-used drug or biologic are still OK, even if they are subsidized, as long as the subsidy is reasonably related to the costs of providing the reminder/communication. Finally, communications regarding health generally (promoting healthy diets or regular exams) and about government programs are not marketing.
Likewise, sales of PHI generally require an authorization. There are limited exceptions: public health activities; research (as long as the compensation is reasonable and cost-based); treatment and payment for services; sale in connection with sale of the covered entity to another covered entity (and related due diligence); services by a BA; payment by an individual for copies of his/her PHI; and as HHS otherwise determines. The authorization can't just state that the PHI is being provided; it must also state that the covered entity is receiving compensation for it. The final rule uses a definition and exceptions to effect these requirements. Unlike the marketing prohibition, which only applies to financial remuneration, the prohibition of sales of PHI without authorization applies to any remuneration that might be provided in exchange for the provision of the PHI.
Jeff [3:01 PM]
Nugget 12: The Numbers are Whack: I'm not going to waste a lot of time digging through the numbers and expected costs included in the regulatory analysis, because ultimately it doesn't matter. But HHS severely underestimates the amount of time and costs associated with compliance with HIPAA generally and these regs specifically. For example, HHS assumes that half of the breach notification letters will actually be sent by email rather than snail mail. That might be the case for non-healthcare businesses. But because of HIPAA itself, hospitals and physicians don't do email that much. Some may use email for a thin sliver of their patient population, but nowhere near half. And of those that do, the vast majority use some portal or secure email system; most providers would not count on the patient coming to the portal or utilizing the secure email system, and would send a hard-copy breach letter just to make sure the communication was received.
Most of the staff time calculations include no down-time. For example, for manning the toll-free phone, the expectation is that the staff person will average 5 minutes per call and take 12 calls per hour. You think all of the calls will come in back-to-back like that? There won't be times when nobody is calling, but the covered entity needs the staffer available in case someone does?
There's lots more like that. Like the $50/hour lawyers. Really?
Jeff [1:48 PM]
Nugget 11: GINA regs: A big chunk of the Omnibus Rule is taken up with finalizing the regulations HHS proposed relating to the Genetic Information Nondiscrimination Act, which basically prohibits insurers and employers from using genetic information for underwriting or hiring purposes. HHS published a proposed rule on October 7, 2009. The Omnibus Rule basically finalized the proposed rule with very few changes. Mainly it prevents health plans, other than long term care insurance plans, from using genetic information for underwriting purposes.
One specific issue is that health insurers that do underwriting must state explicitly in their NoPP that they will not use or disclose genetic information for underwriting purposes. Many health plans did so when the GINA legislation was passed, and so they don't need to do so again. As noted above for other NoPP changes, health plans don't need to send a new NoPP out now (although they should make the revisions now); they will meet the regulatory requirements if they send the revised NoPP out at their next annual mailing.
Jeff [1:20 PM]
Nugget 10: Breach Notification: This is the big one. The "harm" standard is out. Under the interim rule, a breach was not reportable if there was no substantial risk of financial, reputational, or other harm to the individual whose information was improperly used or disclosed. The vast majority of commentators supported the "harm" standard, but there were concerns that it was too subjective, and the rule should be more objective.
So, the "harm" standard is no longer the rule. Now, an improper use or disclosure is a breach (unless it meets one of 3 stated exceptions) "unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." That's less subjective, I guess (not dependent on the risk of harm, which would be different for different people and different situations). But it's still subject to individual interpretation. Mainly, what the hell does "compromised" mean? HHS doesn't say.
The burden of proof is on the covered entity or business associate to show a low probability of compromise.
Upon a breach occurring, a covered entity or business associate must conduct a risk assessment using 4 factors: (i) the nature of the PHI involved (apparently not sensitivity of the data -- like STD or mental health data being of a nature that would make a breach more troubling -- but rather how much identifying data is there); (ii) who used or received the PHI; (iii) was the PHI actually acquired or viewed; and (iv) the extent to which the risk has been mitigated.
The interim rule also had an exception that you did not have to report the improper use or disclosure of a limited data set that also excluded dates of birth and zip codes. HHS acknowledges that such a breach would probably pass a risk analysis, but they won't give it a bright-line free pass.
In my opinion, this is a bad change. It doesn't make it any less subjective, it just changes the specific types of issues you'll argue about. And why are we concerned about a potential "compromise" of the data (i.e., you report if the data is compromised), rather than being concerned about the well-being of the breach victim (i.e., you report if the victim is at risk of harm)? Even within the commentary, HHS notes that reviewing the type of information in the breach might reveal whether it's the type of information that "could be used by an unauthorized recipient in a manner adverse to the individual." Isn't that another way of saying "cause harm to the individual"?
Ultimately (and as mentioned by HHS), this is another nail in the coffin of those who want to avoid using encryption. The encryption golden ticket just got more gilt.
One last thing: HHS makes clear that any violation of the "minimum necessary" rule could be a breach (it's an improper use or disclosure), and therefore you must do a risk analysis any time someone violates the minimum necessary rule and, unless you determine a low risk of compromise, you'll have to report it.
Jeff [2:45 AM]
Nugget 9 (nugget 9, nugget 9): The "Hide" Rule: You may recall that the HITECH Act is part of the ARRA, a/k/a the "Stimulus Bill." That was one of those "you gotta pass it so you can see what's in it" thousand-page bills that was written by lobbyists and not read by anyone who voted for it. It was passed with hand-written portions, because they found problems while it was in the well of the Senate. Of course, with such bills, you end up with ridiculous, stupid provisions (the Texas legislature is famous for this sort of thing, but they only meet for about 5 months every 2 years so you gotta expect some slipshod work there).
My favorite chunk of asininity in the HITECH Act is what I call the "Hide" rule: if a patient pays for a healthcare service "in full out of pocket," and asks the provider not to provide information on that healthcare service to the patient's insurer, then the healthcare provider is prohibited from disclosing that information to the insurer. Effectively, it lets the patient "hide" information from his insurance company, so they don't know what he's up to. What could go wrong here? Obviously, a lot. If the patient then needs pain meds or antibiotics, the insurer might refuse to pay for them, since there's no indication of medical need if the original treatment is hidden. What if follow-up care is needed, and the patient can't afford to pay for that out of pocket? What if the patient is an HMO patient and state law prohibits a provider from charging a patient more than the co-pay amount?
In the proposed Rule, HHS noted how unworkable this idea is. However, the language for the "Hide" rule is in the HITECH statute, making it the law. So like the rest of us, they're stuck with it, and have to write regs to implement it. To be clear, it only applies to providers, and only to disclosures to health plans (disclosures pursuant to a subpoena or court order aren't subject to the restriction, for example). The provider is not responsible for notifying downstream providers. But HHS expects providers to work with patients to instruct them on the risks and difficulties entailed in hiding stuff from their insurance company. Providers don't need to create a separate record, but need to be able to tag the record to prevent slipping up and later sending the embargoed information. If the patient is a Medicare or Medicaid patient, if the care can be treated as non-covered care, or the patient can opt out or refuse to authorize presentation of a bill to Medicare, then the covered entity must play along, but if state or federal law requires the disclosure, then it can be made despite the requested restriction (the disclosure is then a "required by law" disclosure, not a disclosure for payment purposes). If it's a private insurer and the issue is bundling/unbundling, if unbundling is allowed, the provider must do so and allow the patient to pay his portion and bill the insurer for the un-embargoed services; if you can't unbundle, then the patient would need to pay for the whole bundle to be able to invoke the "hide" rule. Finally, the fact that you have a contract with an HMO that requires you to provide all information to them on current medical services is trumped by the Hide rule: HIPAA beats the HMO contractual obligation.
Providers have to mention the Hide rule obligations in their NoPP.
Jeff [1:10 AM]
Nugget 8: Notice of Privacy Practices: Basically, if you changed your NoPP in response to the HITECH Act (either before or after the proposed regs came out), then you're probably OK. Your NoPP must contain a statement that an authorization is required before releases of psychotherapy notes (if you might have them), marketing activities, or sales of PHI, as well as a general statement that uses/disclosures not noted in the NoPP require an authorization. If your NoPP talks about the possibility of fundraising, you've got to say that the individual will have the ability to opt out. You've also got to include in your NoPP (if you are a provider) an explanation of the "Hide" rule (i.e., if the patient pays in full out of pocket and requests you not notify their insurer, you have to respect that wish). Your NoPP must also say that the patient has the right to be notified in case of a HIPAA breach.
These are "material changes" to the NoPP, which means you must give new copies to patients (if you're a provider) and mail them out to beneficiaries (if you're a health plan), although you can do so at your next annual mailing. The Omnibus Rule states that providers can post the new NoPP and give a hard copy to old patients only if they ask for it, but must give new patients a hard copy and ask them to sign an acknowledgement.
Jeff [12:22 AM]
[ Sunday, January 20, 2013 ]
Nugget 7: Fundraising: The big change here is that a covered entity may now use information about the patient's department of service, treating physician, and outcome in connection with marketing (in addition to general demographic information). Previously, a hospital could not target patients of its cancer center in connection with a fundraiser for the cancer center, and could not target patients of a particular physician for fundraising to build a wing named after that physician. Now, that is allowed. Also, a hospital can use outcomes data to decide not to send a fundraising request to a patient who had a bad outcome at the hospital. These are on top of the other proposals in the interim rule, such as requiring each fundraising communication to have a "clear and conspicuous" opt-out statement and a method to opt out that isn't burdensome on the patient. Also, a covered entity can't condition treatment or payment on an individual's decision to receive fundraising materials.
Jeff [11:49 PM]
Nugget 6: School Immunization Records: A covered entity may disclose proof of immunization to a school if state law requires the school to have such information prior to admitting the student, without getting a HIPAA-compliant authorization. However, the parent or other responsible adult (or the child if he/she is emancipated or of age) must agree to the disclosure. Agreement can be verbal, but either way, the covered entity must document the parent's agreement to the disclosure.
Jeff [11:03 PM]
Nugget 5: The Dead: Once you're dead for 50 years, you get no privacy. That's right, you don't need to treat PHI of someone who died 50 years ago as private. Also, under the original Privacy Rule, a covered entity could disclose PHI to friends and family members "involved in the care" of the individual patient, to the extent of their involvement; however, once the individual died, the friends/family members were no longer "involved in the care" because there is no care being given, so only the "personal representative" (i.e., the executor or administrator of the estate) could get the information. The Omnibus Rule has changed this, to allow covered entities to continue discussing PHI with friends/family members after death of the patient. The same limitations apply (only information relating to that person's involvement in the patient's care), and there's no requirement that the covered entity provide the PHI if they don't want to.
Jeff [10:44 PM]
Nugget 2(c): Many Business Associate Contracts will need a few tweaks. Nothing major, and some may actually be OK. But as long as you have an existing BAA in place on the publication date (January 25, 2013) that meets current HIPAA standards (pre-Omnibus Rule standards), that agreement will be good for up to a year after the compliance date (September 22, 2014), unless the agreement is renewed in the interim. An "evergreen" renewal doesn't count as a renewal triggering the need for a new BAA.
Jeff [7:54 PM]
Nugget 2(b): The HITECH Act makes the big 3 components of the Security Rule applicable to BAs, but only "certain" provisions of the Privacy Rule. In other words, the direct liability under the Security Rule is much wider and more complete than the Privacy Rule. The Security Rule provisions applicable to BAs are the implementation of (i) administrative, (ii) physical, and (iii) technical safeguards. The Privacy Rule provisions applicable to BAs are (i) direct liability for a use or disclosure of PHI in violation of a BAA; (ii) failure to provide PHI to the Secretary; (iii) failure to provide PHI when a patient requests access to his/her EMR; (iv) failure to limit uses and disclosures to the minimum necessary; and (v) failure to enter into sub-BAAs with subcontractors.
Jeff [3:47 PM]
Nugget 2(a) (OK, I know these are out of order, but this really expands on nugget 2): Subcontractors are now "business associates" for purposes of complying with the Security Rule. Under HITECH, business associates must do all the things a covered entity has to do under the Security Rule. Under the Omnibus Rule, subcontractors also must do all of these things. That means that anyone who touches PHI that originated with a covered entity must (i) do a risk analysis and (ii) adopt a full set of policies and procedures that implement the technical, physical, and administrative requirements and implementation specifications in 45 CFR 164.300 et seq. Many, many covered entities have been derelict in doing this; most medium to small BAs haven't done this to the extent required; I'd guess very few second and third tier subcontractors have done this.
GET TO WORK! This is probably the biggest, costliest component of the Omnibus Rule. Needs to be done, and is a good idea, but has been under the radar since 2005.
Jeff [3:35 PM]
[ Saturday, January 19, 2013 ]
Nugget 4(a): more hybrid entity stuff: If you have an on-site clinic that provides healthcare services to employees, it is only a covered entity if it also conducts electronic transactions, like getting paid electronically. If it doesn't transmit the information anywhere electronically, it's probably not a covered entity at all, so HIPAA doesn't apply to it. If it does, then HIPAA applies to the entire company unless you designate the clinic as a hybrid entity. If the clinic is a CE, then the PHI it holds that is part of an employment record (sick leave requests, on-the-job injury reports, pre-employment physicals, etc.) is not PHI, so need not be protected under HIPAA, but other health information that is not part of an employment record would be PHI and would have to be protected. Finally, you probably also have state law obligations to protect that data, so even if HIPAA doesn't apply, don't think you can be entirely cavalier about it.
Jeff [11:04 AM]