Health plans, their sponsors, associated employers, and business associates have a lot of HIPAA work to do (including major updates to current documents) over the next several months. On January 25, 2013,
pursuant in part to the statutory framework of the HITECH Act, the Department of Health and Human
Services (“HHS”) published long-awaited final regulations modifying HIPAA’s privacy, security, enforcement, and breach notification rules.
The final regulations reflect both HITECH Act amendments and other comprehensive refinements to the current HIPAA rules. Indeed, HHS officials describe these new regulations as making “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Specifically, the final regulations, among other things, enhance an individual’s privacy protections, strengthen the government’s ability to enforce the law, impose additional obligations on business associates (and their subcontractors), and require updates to a health plan’s HIPAA documents.
Highlights of changes include (but are not limited to) the following:
- Business Associates. The final regulations clarify the provisions in the Privacy and Security Rules that are directly applicable to business associates, and that direct liability applies to business associates that fail to comply with these provisions. Subcontractors of business associates will also now be directly obligated to comply with HIPAA, and business associates must enter into agreements with subcontractors in accordance with the requirements for business associate agreements. The final regulations also explicitly expand the definition of business associate and provide an agent/principal analysis to be used in determining whether liability of the business associate attaches to the covered entity . Business associate agreements will need to be updated to reflect the changes set forth in the final regulations (although under certain circumstances, a special transition rule may apply to a valid business associate agreement in effect before January 25, 2013 ).
- Changes to the breach notification requirements. The final regulations expand the definition of “breach.” The final regulations replace the original “risk of harm threshold” with a more objective standard. Specifically, the final regulations modify the definition of “breach” and the risk assessment approach that was set forth in the interim final rule. Under the new definition of breach, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been com promised. This standard replaces the “significant risk of harm” standard. The final regulations also modify the factors that covered entities and business associates must consider when performing a risk assessment with respect to a potential breach.
- Increased and tiered civil monetary penalties for noncompliance. Pursuant to the HITECH Act, the final regulations adopt higher penalties for HIPAA violations. Penalties, which range from $100 per violation to $50,000 per violation, are based on violation category (ranging from “did not know” to “willful neglect—not corrected) and the facts and circumstances surrounding the violation. The manner in which HHS counts violations may result in multi-million-dollar penalties.
- Restrictions on use of genetic information (pursuant to GINA). The final regulations expressly incorporate “genetic information” into the definition of PHI and generally prohibits the use or disclosure of genetic information for underwriting purposes to health plans that are covered entities.
- Expanded individual rights. The final regulations perm it covered entities to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so would be inconsistent with any known preference of the individual. The final regulations implement the HITECH Act requirement that covered entities, in certain circumstances, com ply with an individual’s request to restrict disclosure of his or her PHI. The final regulations also strengthen an individual’s right to access his or her PHI (including the right to receive electronic copies of PHI).
- Notice of privacy practices. The final regulations make significant changes to the content of a covered entity’s notice of privacy practices including (but not limited to) statements (1) regarding uses and disclosures that require authorizations, (2) related to fundraising communications, and (3) regarding an affected individual’s right to be notified following a breach of unsecured PHI. Thus, a covered entity is required to revise and redistribute its notice of privacy practices.
- Additional limitations. The final regulations impose additional limitations on how information is used and disclosed for marketing and fundraising purposes. The final regulations also prohibit the sale of an individual’s health information without their permission. Additionally, patients are permitted to restrict insurance companies from accessing portions of their medical records if they paid for the corresponding treatment out of their own pocket.
- Authorizations for research purposes disclosures and uses. The final regulations amend requirements for authorizations related to research. As such, authorizations for this purpose will need to be revised and updated.
These are just a few highlights of provisions found in the 560+ pages of the final regulations. The effective date for the final regulations is March 26, 2013, with a compliance deadline for most of the rules of September 23, 2013.
Health plans and their business associates need to begin preparing for the necessary changes now. The final regulations require health plans to update their policies and procedures, business associate agreements, and notices of privacy practices. Additional workforce training will also be necessary to update workforce members with access to PHI on the new regulations. HHS, even prior to the publication of the new final regulations, has aggressively investigated and enforced the HIPAA requirements. As such, it is as important as ever to ensure your health plan is HIPAA compliant.
For more information on compliance obligations under the new regulations, you can reach attorney
Samantha Kopacz directly at firstname.lastname@example.org or 517.377.0868. Attorney Elizabeth Latchana can be reached at email@example.com or 517.377.0826.