Federal Safe Harbor Rules
Certain financial relationships between referring providers of services and supplies can be defined as kickbacks, i.e., some type of financial reward in exchange for giving or receiving referrals of patients or business reimbursed under a federal or state health care program. Federal regulations describe certain financial relationships, payments and practices that would be considered safe ("safe harbors") from prosecution or civil enforcement if all criteria in a rule are met, i.e., would not be considered illegal remuneration for enforcement purposes. The safe harbor regulations [42 CFR 1001.952 (a)-(u)] describe and define certain business relationships and will be described in detail in an update of this website.

Patient Privacy
Patient privacy is governed by federal and state law (state law applies where it is more restrictive than federal law). The Health Insurance Portability and Accountability Act (“HIPAA”) was enacted and since then the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) issued long-awaited final privacy and security regulations.

The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

On January 25, 2013, the “Omnibus Rule” was issued to implement the changes made in 2009 by the Health Information for Economic and Clinical Health Act (“HITECH Act”). The Omnibus Rule became effective March 25, 2013, and, in general, covered entities and business associates are required to comply by September 23, 2013.
Business Associates (of covered entities) - Business associates are directly subject to HIPAA’s Security Rule and a substantial number of the requirements under the Privacy Rule. Business associates are now directly liable under HIPAA for impermissible uses and disclosures of protected health information (PHI).

Under the Omnibus Rule, subcontractors of a business associate are considered business associates for purposes of HIPAA compliance.

Covered entities and business associates that entered into agreements prior to Jan. 25, 2013 may continue to operate under those agreements until Sept. 23, 2014. Any agreements entered into after March 25, 2013 must meet the provisions by Sept. 23, 2013.

Steps business associates of covered entities may wish to consider for compliance purposes:
• Verify status as a business associate of a covered entity, or a subcontractor business associate of a business associate;
• Amend or enter into business associate agreements to reflect the Omnibus Rule changes;
• Conduct a HIPAA security rule risk assessment;
• Update policies and procedures regarding HIPAA security rule, breach notification rule and privacy rule;
• Educate subcontractor business associates about their (and their subcontractors') responsibility to safeguard PHI; and
• Conduct training on the updated HIPAA policies and procedures.

Breach Notification and Reporting - Since August 2009, a breach has been defined by regulations as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA privacy rule] which poses a significant risk of financial, reputational, or other harm to the individual. Effective Sept. 23, 2013, the harm threshold is replaced by a presumption that any impermissible acquisition, access, use or disclosure of PHI is a breach unless a covered entity or business associate can demonstrate that there is a “low probability” that the PHI has been “compromised based on a risk assessment.” The risk assessment must include consideration of four risk factors.
Notices of Privacy Practices - The Omnibus Rule promulgated changes to the Notice of Privacy Practices (NPP) that must be published by covered entities to their patients. NPPs must include a description of the types of uses and disclosures that require an authorization under 45 C.F.R. § 164.508(a)(2)-(4). These include uses and disclosures of psychotherapy notes, marketing communications and the sale of PHI. NPPs must also state that other uses and disclosures not described in the notice will be made only with the individual’s written authorization.

The Omnibus Rule expanded the rights of individuals to restrict disclosures of their PHI and grants them expanded access to their electronic health records. It also requires covered health care providers to agree to an individual’s request to restrict disclosure of PHI to a health plan if (i) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (ii) the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.

The Omnibus Rule expanded the right of individuals to request access to their own PHI, including information from the covered entity in electronic format. Unencrypted email may be used to deliver the information to the individual if the covered entity advises the individual of the risk and the individual still prefers email delivery. The Omnibus Rule also requires a covered entity to transmit PHI directly to a third party if directed to do so in writing by the affected individual.