On January 25, 2013, Health and Human Services (HHS), the federal agency in charge of implementing the Health Information Privacy and Accountability Act of 1996 (HIPAA) issued regulations modifying the HIPAA Privacy and Security enforcement rules. These regulations finalized the amendments to HIPAA that were made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), modifying the HITECH Act’s interim-breach notification rules and modifying the HIPAA Privacy Rules to implement the Genetic Information Nondiscrimination Act of 2008 (GINA).

The final rules went into effect on March 26, 2013; covered entities and business associates must comply with the final rule by September 23, 2013. Now is the time to make the necessary change to your HIPAA Privacy and Security compliance materials.

What Changed

Modifications to the proposed HITECH rules include: 1) confirmation that business associates are now directly liable for compliance with the HIPAA Privacy and Security Rules and are subject to HHS enforcement; 2) strengthening the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes and prohibiting the sale of PHI without the individual’s authorization; 3) expanding individuals’ rights to receive electronic copies of their PHI and restrict disclosures to a health plan concerning services for which the individual has already paid in full; 4) modifications to covered entities’ privacy notices; 5) increasing fines for noncompliance; and 6) changing the definition of “breach” by replacing the harm threshold with a more objective standard. To implement GINA, the HIPAA rules are modified to prohibit most plans from using or disclosing genetic information for underwriting purposes.

The January regulations require changes to privacy notices, business associate agreements, authorization forms, training, HIPAA Privacy policies, and HIPAA Security policies, as well as add a new privacy-agreement requirement between business associates and any subcontractors. They will also affect how a covered entity can use information to fundraise and will cause business associate’s subcontractors to implement their own HIPAA compliance measures.

How To Comply

For those of our clients (group health plans, healthcare providers and business associates) who previously purchased the firm’s HIPAA Privacy and possibly HIPAA Security compliance packages, you must amend these by September 23, 2013. We have prepared updated materials that you can use to amend your existing packages.

For those covered entities, business associates and subcontractors who have not yet completed your HIPAA Privacy and Security compliance, we have updated Privacy and Security compliance packages that you can purchase. These packages include step-by-step instructions, forms, and flat-rate legal advice so that the end result is a compliance package which you can price in advance and rely upon to meet all your HIPAA requirements. The flat fee includes telephone interviews with a Fisher & Phillips attorney, analysis of any existing compliance documents and security measures, review of the uses, storage, disposal and disclosures of PHI, and a determination of the scope of required Privacy and Security compliance.

Fisher & Phillips will provide all necessary customized written documents, policies and procedures, and training materials, including the following, where necessary: 1) Notice of Privacy Practices; 2) HIPAA Privacy and Security policies and procedures manuals; 3) HIPAA compliant Authorization forms; 4) HIPAA Privacy Official and Security Official job descriptions; 5) group health plan amendments; 6) employer certification of compliance; 7) HIPAA training materials; 8) a model business associate agreement for use by covered entities and their business associates; and 9) a model privacy agreement for use by business associates and their subcontractors.

For help on how to update your existing HIPAA compliance materials or how to purchase the firm’s HIPAA Privacy and Security packages contact any attorney in our Employee Benefits Practice Group.