What does the new HITECH Megarule mean for the Use of EHRs?
By Catherine Barrett1, Adela Lucero2 and Erin Williams, MITRE, Annapolis, MD3
Electronic Health Records (“EHRs”) facilitate the sharing of medical information and are central to the federal government’s effort to coordinate medical care, reduce preventable medical errors, prevent clerical errors, and reduce costs.4 “An EHR is held and maintained by a health care provider and may contain all the information that once existed in a patient’s paper medical record, but in electronic form.”5
The Health Insurance Portability and Accountability Act (“HIPAA”) Omnibus rule (“Megarule”) , which was issued in January 2013 significantly revised HIPAA by strengthening the privacy and security rules designed to protect individual’s protected health information (“PHI”) and the national standards to secure the integrity of electronic PHI. The Megarule implemented many of the changes required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5). The final Megarule was effective March 26, 2013 and compliance with the Megarule begins on September 23, 2013. The Megarule modifies the privacy standards located at 45 C.F.R. parts 160 and 164, subparts A and E (the "Privacy Rule"), the security standards located at 45 C.F.R. parts 160, 162 and 164, subpart C (the "Security Rule"), and enforcement standards located at 45 CFR part 160, subparts C, D, and E (the "Enforcement Rule").6 This article surveys the major areas where the Megarule has implications for the use of EHRs – the Privacy and Security Rules.
HIPAA Privacy Rule
The Privacy Rule protects the privacy of an individual’s PHI that is created or maintained by a Covered Entity. “Covered Entities include health plans and those health care providers that transmit any health information in electronic form in connection with certain standard transactions, such as healthcare claims.”7 “The Privacy Rule governs how these Covered Entities may use and disclose an individual’s PHI and grants individuals certain rights regarding their health information.”8 EHRs maintained by a Covered Entity will contain PHI; thus, the Covered Entity must appropriately safeguard this information as required by the Privacy Rule. Three of the major areas where the Megarule and EHRs intersect are discussed below.
I. Notice and breach of PHI
New under the Megarule is that “liability for impermissible uses and disclosures attaches immediately when a person [or entity] creates, receives, maintains, or transmits [PHI] on behalf of a Covered Entity or Business Associate.” Previously a contract with a Covered Entity was needed to establish a Business Associate relationship and liability. Now, actions themselves give rise to a Business Associate relationship rather than the mere existence of a contract. Importantly, this change in definition of a Business Associate means that EHR vendors that receive, maintain or transmit PHI will be considered Business Associates under the Megarule.
Covered Entities and Business Associates that adopt and implement EHRs also need to be aware that the Megarule changes the definition of “breach” by removing the requirement that an individual suffer “significant risk of financial, reputational, or other harm.”9 Under the new criteria, the Department of Health and Human Services (“HHS”) explains that there is no breach notification requirement if the Covered Entity or Business Associate can show “through a risk assessment that there is a low probability that the protected health information has been compromised.”10 The Megarule did not define the term “compromise” but HHS intends to issue additional guidance in the future “to aid Covered Entities and Business Associates in performing risk assessments...."11 Covered Entities and Business Associates using EHRs might find a feature that allows the user to follow a “documented chain of custody that ensures patient records are protected throughout the entire [transmittal] process” helpful in complying with the new breach notification rule.12
II. Patient access to PHI
Covered Entities and Business Associates that use EHRs must be able to respond to patient requests to restrict the use or disclosure of PHI upon request. This may pose a problem for those using EHRs since the patient request must be honored each and every time the healthcare provider accesses the patient’s PHI. For example, a patient that exercises his or her right to restrict disclosure of mental health diagnosis or sexually transmitted disease diagnosis must be made known to the healthcare provider using the EHR. Automatic prompts within the EHR to remind healthcare providers to restrict use and/or disclosure of a patient’s PHI might be needed to ensure that layers of protection are built into the EHR to adhere to this new Megarule requirement. In addition, secure log-in requirements might be needed to ensure restricted data within the EHR is not shared with others in accordance with the patient’s request to restrict his/her PHI.
The Megarule expands or introduces two patient-related rights: (1) 45 CFR §164.522 which provides a patient the right to request privacy protection for PHI and (2) 45 CFR §164.524 which provides a patient with access to PHI. First, a patient has a right to request a Covered Entity restrict the use and disclosure of PHI about his or her treatment, payment or healthcare operations. This is a change from the previous HIPAA regulations that did not require Covered Entities to agree to restrict use and disclosure of PHI. Now, Covered Entities are required to comply with a patient’s request to restrict disclosure of PHI to a health plan if: “(a) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (b) the protected health information pertains solely to a health care item or service for which the individual or person other than the health plan on behalf of the individual has paid the Covered Entity in full.”13 This could be an issue in an EHR environment if the data is not carefully flagged, segregated or otherwise separated from the other patient data. To avoid preventable errors, the EHR may need to include features designed to allow providers to easily quarantine this data from the rest of the patient file to adhere to this new Megarule requirement.
In addition, the Megarule requires Covered Entities to provide access to PHI in the electronic “form and format requested by the individual” or, if not possible, “in a form and format as agreed to by the Covered Entity and the individual.”14 Second, organizations that operate EHRs must be able to comply with new “time and manner” rules outlined in the Megarule. Specifically, 45 CFR §164.524(c)(3)(ii) provides that “if an individual’s request for access directs the Covered Entity to transmit the copy of [PHI] directly to another person designated by the individual, the Covered Entity must provide the copy to the person designated by the individual. The individual’s request must be in writing, signed by the individual and clearly identify the designated person and where to send the copy of protected health information.”15 Thus, an EHR that includes a feature to allow an individual to fulfill this request, including the ability to provide a digital signature, would likely comply with this new Privacy Rule requirement under the Megarule.
III. Notice of Privacy Practices (“NPP”)
According to 45 CFR §164.520 of the Megarule, the NPP must also include “a statement that other uses and disclosures not described in the [NPP] will be made with the individual’s written authorization.”17 For example, under §164.508(a)(2)-(a)(4) the use and disclosure of psychotherapy notes, PHI for marketing purposes and the sale of PHI require an individual’s authorization and language in the NPP that use and disclosure of PHI for these purposes requires an individual’s authorization. Applied to the EHR environment, a prompt or warning needs to be included in the EHR system to advise EHR users that PHI related to the above-mentioned areas need individual authorization prior to use or disclosure. The EHR warning feature should be described in the NPP that patients review and sign.
HIPAA Security Rule
The major new HIPAA Security Rule requirement ushered in by the Megarule is that Business Associates and subcontractors of Covered Entities must fully comply with the HIPAA Security Rule. Significantly, “EHR vendors that have access to patients' confidential information--via internet shared programs, installation of upgrades, staff training, and the like--meet the definition of [Business Associates]”.18 “This is an enormous new obligation…that takes both time and resources—to evaluate security programs, conduct an appropriate risk assessment, implement risk management strategies and prepare appropriate written policies and procedures encompassing a full information security program.”19 As more and more healthcare providers20 adopt EHRs to organize, store, access and query PHI, the government has expanded the liability of persons or entities that do not properly protect PHI.
The Megarule also extends liability directly to a subcontractor that “creates, receives, maintains or transmits PHI on behalf of the Business Associate.”21 Business Associates and subcontractors must now comply with the technical,22 administrative,23 physical24 and organizational25 safeguards and standards outlined in the Security Rule. Business Associates include a person or entity that offers a personal health record to one or more individuals on behalf of a Covered Entity or a health information organization, e-prescribing gateway or others that provide data transmission services to covered entities and require access to PHI on a routine basis.26 In accordance with 45 CFR §164.306, Covered Entities, Business Associates and subcontractors must:
- Ensure the confidentiality, integrity and availability of all electronic protected health information (“PHI”) the Covered Entity or Business Associate creates, receives, maintains or transmits;
- Protect against reasonably anticipated threats or hazards to the security or integrity of PHI;
- Protect against any reasonably anticipated unauthorized use or disclosure of PHI;
- Ensure that the workforce complies with these requirements; and
- Modify security measures as needed and update documentation to ensure reasonable and appropriate protection of electronic PHI. To comply with the new Megarule, there must be EHR features in place to prohibit healthcare providers from improperly accessing and/or transferring electronic PHI of patients.
In addition, the Megarule included changes to the implementation provisions of the Genetic Information Nondiscrimination Act of 2008 (“GINA”). The changes require that patient genetic information be treated as PHI. Most health plans are prohibited from using or disclosing patient genetic information for underwriting purposes. Thus, EHRs need to be properly designed and implemented and users need proper training to ensure that genetic PHI contained in the EHR is not improperly shared with health plans.
The Megarule includes substantive changes to the way in which PHI must be protected, used, disclosed and stored by Covered Entities and Business Associates, their counsel and others. They need to factor them in when using EHRs so as to protect patient privacy and comply with the Megarule. As the rate of EHR adoption continues to rise among healthcare providers, it is increasingly important that policies, procedures and technical standards are in place to protect PHI contained in the EHRs and transferred between EHRs and other electronic forums, such as health information exchanges.
Catherine Barrett, Esq. is a Lead Healthcare Consultant with MITRE, a not-for-profit organization chartered to work in the public interest. She received her JD and MBA from the American University Washington College of Law and Kogod School of Business, respectively. She may be reached at: firstname.lastname@example.org. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Adela Lucero, Esq. is a Health Policy Analyst with MITRE, a not-for-profit organization chartered to work in the public interest. She received her JD from Suffolk University Law School. She may be reached at: email@example.com. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Erin Williams, Esq. is a Principal Health Policy Analyst with MITRE, a not-for-profit organization chartered to work in the public interest. She received her JD from Washington University in St. Louis School of Law. She may be reached at: firstname.lastname@example.org . The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Centers for Medicare & Medicaid Services, Office for Civil Rights, Personal Health Records and the HIPAA Privacy Rule, page 1, at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf
45 CFR §160.103.
Centers for Medicare & Medicaid Services, Office for Civil Rights, Personal Health Records and the HIPAA Privacy Rule, page 4, at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf.
|9||42 C.F.R. § 164.402(1)(i).|
78 Fed. Reg. 5,566, 5,641.
|11||Id. For a detailed overview of breach notification and risk assessments, See Clinton R. Mikel, “Changes to the Breach Notification Risk Assessment Under the HIPAA Megarule”, American Bar Association Health Law eSource, January 29, 2013, Volume 9, Available at this link.|
|12||Iron Mountain, “Iron Mountain Document Conversion Services, The HIPAA-Compliant Approach to EMR Transition”, Healthcare Best Practices Guide, 2011, Available at this link.|
|13||45 CFR §164.522(a)(1)(vi)(A),(B).|
|14||45 CFR § 164.524(c)(2).|
|15||45 CFR §164.524(c)(3)(ii).|
|16||Holland & Knight, Healthcare and Life Sciences, “HIPAA Happenings — The New HITECH Act Megarule”, January 31, 2013, Available at http://www.hklaw.com/publications/HIPAA-Happenings-The-New-HITECH-Act-Megarule-01-31-2013. See also 78 Fed. Reg. 5566, 5,624.|
|17||Id., see also, 78 Fed. Reg. 5,566, 5,624.|
|18||Hirsch, Marla Durben, “HIPAA business associate compliance by EHR vendors not optional”, FierceEMR.com, April 9, 2013, Available at: http://www.fierceemr.com/story/HIPAA-providers-dont-take-no-answer-business-associate-ehr-vendors/2013-04-09.|
|19||Nahra, Kirk J., “Summary of the new HIPAA/HITECH omnibus regulation”, Wiley Rein LLP, January 28, 2013, Available at: http://www.lexology.com/library/detail.aspx?g=a87231d9-60ed-4789-bbf6-c491d08e7522. |
|20||Under §3000(3) of the HITECH Act, a healthcare provider includes a hospital, a skilled nursing facility, a nursing facility, a home health entity, a laboratory, a health plan [includes medical, dental and vision plans, HMOs, Medicare & Medicaid, Medicare Advantage, Medicare supplemental insurers, long-term care insurers, Veterans health plans and company plans], a healthcare clearinghouse, healthcare providers [includes doctors, clinics, psychologists, dentists, chiropractors, pharmacies], therapists, and pharmacists.|
|21||45 CFR §160.103.|
|22||The new Megarule expands the technical safeguards beyond Covered Entities to include Business Associates and subcontractors. See 45 CFR §164.312.|
Under 45 CFR §164.308, the scope of administrative safeguards expands beyond Covered Entities to include Business Associates and subcontractors that must:
- Implement policies and procedures to prevent, detect, contain and correct security violations;
- Conduct a risk analysis to identify potential risks to the confidentiality and integrity of PHI;
- Implement risk management measures to reduce risks to PHI to “a reasonable and appropriate level”;
- Implement policies and procedures authorizing when appropriate members of the workforce are granted access to, or are prevented from having access to, PHI;
- Train all members of the workforce on the policies and procedures governing PHI;
- Apply “appropriate sanctions” against the members of the workforce who fail to comply with PHI security policies and procedures;
- Review regularly the records of information system activity using audit logs, access reports and security tracking reports to ensure the confidentiality of PHI;
- Implement periodic security reminders, anti-malware software, log-in monitoring software to track log-in attempts and anomalies and password management software to safeguard passwords;
- Implement policies and procedures to address suspected or known security incidents and mitigate the harmful effects of known or suspected security incidents;
- Establish a contingency plan to respond to emergencies such as fire, vandalism, system failure and natural disaster, among others; and
- Perform periodic evaluation of the Security Rule standards to ensure environmental and operational challenges that may impact PHI are addressed. In accordance with 45 CFR §164.308(8)(b)(2), a Business Associate may permit a Business Associate that is a subcontractor to create, receive, maintain or transmit electronic PHI on its behalf only if the Business Associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.
In accordance with 45 CFR §164.310, the HIPAA physical safeguards extend to Business Associates and subcontractors that must:
- Implement policies and procedures to limit physical access to electronic information systems including the facility or facilities in which they are housed;
- Implement policies and procedures to ensure protection of PHI at the workstation, including proper functions to be performed at the workstation; and
- Implement policies and procedures that govern receipt and removal of devices, hardware and electronic media that contain electronic PHI within the facility and into and out of the facility.
The new Megarule also expands the organizational requirements beyond Covered Entities to include Business Associates and subcontractors. In accordance with 45 CFR §164.314, Business Associate contracts must provide that Business Associates will:
- Ensure any subcontractors that create, receive, maintain or transmit electronic PHI on behalf of a Business Associate agree to comply with the applicable requirements by entering into a contract or other agreement that complies with this section [45 CFR §164.312]; and
- Report any security incident of which the Business Associate becomes aware to the Covered Entity.
|26||45 CFR §160.103.|
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.