On January 17, 2013, the U.S. Department of Health and Human Services ("HHS") released the long-awaited omnibus final rule modifying the Health Insurance Portability and Accountability Act ("HIPAA") privacy, security, enforcement and breach notification rules (the "Final Rule"). This bulletin covers two key areas that will affect health care providers: Notices of Privacy Practices and Business Associate Agreements. Summer is the time to get in gear; don’t let September 23 sneak up on you!
Notices of Privacy Practices
Updates that health care providers are required to make to their Notices of Privacy Practices under the Final Rule include:
- A statement that the covered entity must obtain an individual’s authorization for uses and disclosures of psychotherapy notes, for marketing, and for the sale of protected health information (a covered entity that does not record or maintain psychotherapy notes is not required to include the statement about authorization for psychotherapy notes).
- A statement informing individuals of their right to opt out of receiving a covered entity’s communications to raise funds for the covered entity (if the covered entity intends to contact individuals to raise funds for the covered entity).
- A statement informing individuals of their right to restrict disclosures of protected health information to a health plan where the individual pays out of pocket in full for the health care item or service.
- A statement of the right of affected individuals to be notified following a breach of unsecured protected health information (the specifics regarding the covered entity’s procedures regarding breach notification do not have to be specified in the Notices of Privacy Practices).
HHS indicated that the changes to the Notices of Privacy Practices are material. Therefore, health care providers must revise their Notices of Privacy Practices by September 23, 2013.
Business Associate Agreements
Provisions that must be contained in business associate agreements between health care providers and their business associates under the Final Rule include:
- The business associate will comply with the security standards for the protection of electronic protected health information.
- The business associate will report to the covered entity breaches of unsecured protected health information in accordance with the breach notification rules.
- The Final Rule modified the definition of a "breach" that triggers notification. Existing business associate agreements should therefore be examined to determine whether their definition of "breach" needs to be updated.
- To the extent the business associate is to carry out a covered entity’s obligation(s) under subpart E of 45 C.F.R. Part 164, the business associate will comply with the requirements of subpart E that apply to the covered entity in performing those obligation(s). Subpart E sets out a covered entity’s obligations regarding uses and disclosures of protected health information, including those relating to an individual’s right of access, amendment of protected health information, and an accounting of disclosures of protected health information.
- The business associate will ensure that any "subcontractor" of the business associate agrees, through a written contract or other written agreement or arrangement, to the same restrictions and conditions that apply to the business associate with respect to such information.
- The definition of business associate was expanded under the Final Rule to include a "subcontractor," meaning a person or entity that "creates, receives, maintains or transmits protected health information on behalf of the business associate."
Who is a Business Associate Now?
Prior to the Final Rule, service providers that were mere "conduits" of protected health information were excluded from classification as business associates. HHS has now clarified that the "conduit" exception is narrow: only service providers that furnish transmission services, whether digital or hard copy, including any temporary storage of the transmitted data incident to the transmission, are excluded from classification as business associates. It is the persistence of custody of protected health information, rather than the degree of access, that indicates a business associate relationship. For covered entities and business associates alike, this means that service providers that maintain protected health information (e.g., data or document storage companies) are now business associates (or subcontractors of a business associate, as applicable) regardless of whether the service provider actually views the information it holds. Covered entities and business associates should therefore review their existing vendor relationships to determine whether a business associate agreement is required.
Next Steps and Important Dates
Health care providers should take inventory of their existing business associate agreements and identify the provisions that require revision under the Final Rule. The Final Rule became effective March 26, 2013, but in general covered entities and business associates have until September 23, 2013, to come into compliance. Business associate agreements that were in place before January 25, 2013, and were not renewed or modified between March 26, 2013, and September 23, 2013, are deemed compliant until the earlier of September 22, 2014, or the date the agreement is renewed or modified on or after September 23, 2013.