We’ve already explored the changes from the new HIPAA/HITECH omnibus final rule in detail in our client alert. However, we wanted to highlight a few important provisions (and one perhaps not as important) of the rule and provide some additional commentary.
First, as noted in the alert, business associate agreements generally do not need to be amended for the final rules until September 23, 2014. However, if the agreement is renewed or extended (other than as part of an evergreen renewing contract), it must be amended at that time. The key condition, however, is that the agreement must have been in place by January 25, 2013 (the date the regulations were published in the Federal Register). If it was not, then the deadline is a full year earlier, or September 23, 2013. HHS recently posted some sample business associate contract language on its website here.
Additionally, as has been widely reported, the “harm standard” for breaches has been replaced with factors HHS viewed as more objective. Specifically, in the preamble, they state:
“[T]he definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”
Therefore, any impermissible use or disclosure (which also encompasses any impermissible access or acquisition) is a breach unless the plan (really, the plan administrator) can demonstrate otherwise. HHS goes on to say that a plan (administrator) can demonstrate the “low probability” only by performing a “thorough risk assessment.” In other words, now every breach needs to have a risk assessment, no matter how small or how low the likelihood of harm to the individuals whose information was used or disclosed. This means that plan administrators should consider developing a formal process for conducting these assessments (if they do not already have one) and documenting that it has been followed each time there is a breach.
When the prior breach rules were in effect, some business associates negotiated to allow themselves to make the harm determination (with appropriate indemnifications, of course). However, under this stricter standard, plan administrators may want to consider taking back that role to ensure that appropriate risk assessments are conducted, since ultimately the plan will be liable for any failure to make the necessary notifications. Alternatively, it may make sense to make sure the indemnification provisions are still strong and that the business associate is required to provide notice of any potential breaches to the plan (administrator), along with copies of its risk assessment.
Further, as we noted in the client alert, the Office of Civil Rights can still pursue enforcement action against a plan (administrator) for a breach even though all proper disclosures were made. So plan administrators now have to notify HHS of breaches and OCR can still come after them. This was recently demonstrated by the enforcement action against Hospice of North Idaho that we discussed in this prior post.
While not especially relevant for health plans, HHS did revise the definition of protected health information to exclude information of individuals who have been deceased for more than 50 years. One can’t help but wonder if this will cause the development of a cottage industry of farming and sharing health information of long-deceased individuals, like a health-information-only version of genealogy research websites, where one can discover that his or her not-so-distant ancestors were treated for certain (let’s just call them “personal”) diseases.
The rule makes many other changes, and we refer you to our client alert for more discussion on those items. Compliance is generally required by September 23 (except for business associate agreements, as described above). These are our highlights, but what are yours? What did you find most important (or interesting) about the final rule?