Summary of Proposed Modifications to HIPAA Privacy Rule
Background:
HIPAA prohibits covered entities from using or disclosing patients' protected health information, except in certain circumstances or under specified conditions. One accepted avenue for disclosure is through a "business associate agreement." An outside person or business, "who performs a function or activity on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information," is considered a "business associate." HHS has never considered funeral directors to be business associates of covered entities, because they work on behalf of the deceased and surviving families, not covered entities. Funeral directors also have a specific exemption from HIPAA requirements for protected health information necessary to carry out their duties. HIPAA allows covered entities to disclose protected health information to funeral directors, without the written authorization of the individual, "prior to, and in reasonable anticipation of, the individual's death" (45 C.F.R. 164.512(g)(2)).
The Proposed Rule:
HHS' new Proposed Rule, "Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act (HITECH)," contains sections that may cause confusion between covered entities and funeral directors. HITECH caused additional entities to be responsible for HIPAA compliance, added elements for business associate agreements, created stiffer enforcement penalties, and facilitated easier violation reporting. Taken all together, these changes mean that covered entities are likely to take greater care when disclosing protected health information. Funeral directors, when necessary, may need to reassure healthcare providers, such as hospitals and nursing homes, that disclosure of health information to a funeral director remains appropriate. In fact, the Proposed Rule specifically states that the proposed modifications will have no impact on permitted disclosures to funeral directors (we have attached the relevant language from the Proposed Rule).
The following HITECH changes are the most likely to cause confusion:
- New Business Associates: Responsibility for HIPAA enforcement no longer stops with the covered entity. Business associates and subcontractors of business associates are now directly subject to HIPAA enforcement action. Because new entities must now comply with HIPAA, some funeral directors may question if they are now responsible for HIPAA compliance. Funeral directors are still not considered covered entities, business associates, or subcontractors of business associates; and disclosures to funeral directors are still covered by the current exception in the HIPAA privacy regulations. Therefore, expanded enforcement should have no impact.
- New Obligations in Business Associate Agreements: Due to an expanded list of required elements for agreements between covered entities and business associates, covered entities may now need formalized agreements in cases where they were previously unnecessary. Therefore, covered entities may question whether disclosure of HIPAA protected information to funeral directors will now require such an agreement. Again, because funeral directors are not business associates, and disclosures to funeral directors are not subject to HIPAA requirements, business associate agreements are not needed.
- Stiffer Enforcement: Tougher enforcement will encourage healthcare providers to have better systems in place to prevent and detect HIPAA violations. Providers can incur additional penalties for "willful neglect" if they do not actively employ practices to prevent violations. Therefore, funeral directors may encounter new provider business practices, which may cause resistance to disclosure of personal health information. However, disclosures to funeral directors are still well within the range of appropriate HIPAA disclosures.
Q&A:
Q: Do the new business associate guidelines mean that funeral directors now need a business associate's agreement with covered entities prior to receiving protected health information?
A: No, funeral directors are still not considered business associates of covered entities; and therefore, no business associate agreement is appropriate. Current HIPAA privacy regulations state that a covered entity may disclose protected health information to funeral directors, "as necessary to carry out their duties with respect to the decedent." The regulations further state that covered entities, "may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death." The new Proposed Rule notes that this exception has not been changed.
Q: Should a funeral director consent to a business associate agreement with a healthcare provider who wishes to "play it safe"?
A: No. The law is clear that funeral directors do not require such an agreement. Funeral directors are typically bound by state licensing guidelines and professional ethics not to disclose protected health information. If a funeral director enters into a business associate agreement, the funeral director will have voluntarily obligated his/her organization to treat protected health information pursuant to HIPAA privacy and security regulations. The HIPAA regulations have difficult standards to meet.
Q: Will new enforcement requirements mean that funeral directors are now held legally responsible for HIPAA compliance?
A: No. Funeral directors are not covered entities, business associates, or subcontractors of business associates. Because funeral directors are not covered by the HIPAA Privacy Regulations, they are not subject to HIPAA enforcement action.
Q: May nursing homes and hospitals (covered entities) disclose protected health information to funeral directors without either a business associate agreement or patient consent?
A: Yes. As long as the protected information is necessary for a funeral director to carry out his or her duties, the covered entity is permitted under HIPAA to disclose that information.





