What just happened?
You may have noticed that after a few years of keeping a relatively low profile, HIPAA privacy and security issues are now a hot topic again. What happened? The US Department of Health and Human Services ("HHS") issued final regulations addressing a broad array of issues for covered entities and their business associates, including rules implementing the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the Genetic Information Nondiscrimination Act ("GINA"). If you want, you can find the final regulations on the HHS website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/, but keep in mind that the regulations consume 138 pages of 3-column text, in exquisitely fine print. Below is a summary for everyone else.
What are the HIPAA changes?
The final regulations include rules implementing HITECH and GINA, and finalize proposed rules on civil enforcement penalties and breach notifications. More specifically, the final regulations address the following provisions:
- The expansion of business associate obligations to include many of the privacy requirements and all of the security requirements that previously applied only to covered entities.
- The expansion of the definition of business associate to new entities, such as (1) providers of data transmission and storage services for protected health information ("PHI"); (2) providers of personal health records on behalf of a covered entity; and (3) other business associate subcontractors with access to PHI.
- Changes to the factors to determine if a breach of unsecured PHI triggers the onerous notification requirements.
- The additional restrictions on use and disclosure of PHI for marketing and fundraising purposes and the prohibition on sale of PHI without an individual authorization.
- The expansion of an individual’s right to receive electronic copies of his or her own information and to restrict disclosure of PHI by a provider to a health plan when the individual has paid the provider in full out of pocket.
- Access to a deceased individual’s PHI by family members and others.
- GINA’s prohibition on using or disclosing genetic information for underwriting purposes.
- The increased civil enforcement penalties authorized under HITECH.
We are a covered entity—what should we do?
Covered entities include health care providers and group health plans. Covered entities will need to address the following issues (though some of these issues will not be applicable to a fully insured group health plan):
- Review existing business associate relationships and work with business associates to update contracts for new obligations, including the breach reporting requirements. Determine if the expanded definition of business associate means that there are new relationships that need to have a business associate contract.
- Adopt new written policy on breach notification procedures and determine if other policies and procedures need to be updated.
- Update notice of privacy practices on breach notification rules, the expansion of individual rights and for group health plans, the restriction on the use of genetic information.
- For group health plans, confirm that no genetic information is being used for underwriting purposes.
- Train your workforce on the new rules.
We are a business associate—what should we do?
Business associates (and subcontractors of business associates) actually have more new HIPAA obligations than covered entities. Those include:
- If not already completed, adopt and implement a formal compliance program for the privacy and security obligations that now apply directly to business associates. This may involve significant resources.
- Review existing business associate relationships and work with covered entities to update business associate contracts for new obligations, including the breach reporting requirements.
- Review subcontractor relationships to make sure there is a business associate contract with any subcontractor who creates, receives, maintains or transmits PHI on behalf of the business associate.
What is the deadline to comply?
The final regulations are generally effective March 26, 2013, but covered entities and business associates are given until September 23, 2013 to come into operational compliance by replacing business associate agreements, updating HIPAA policies and procedures, and distributing a new notice of privacy practices. The deadline to replace an existing business associate agreement can be delayed until September 23, 2014 if that agreement was in effect on January 25, 2013, complied with the privacy rules applicable at that time, and is not renewed or modified between March 26, 2013 and September 23, 2013; an agreement that is renewed or modified during that window loses the extension and must be brought into compliance when it is renewed or modified.