Four years ago, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) introduced major revisions to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services has now published final regulations implementing these changes, as well as changes required under the Genetic Information Nondiscrimination Act (GINA).

The extensive regulations:

  • Expand the scope and impact of the Privacy and Security Rules on business associates. Anyone providing services to a health plan, health care clearinghouse, or health care provider, and who receives or generates protected health information (PHI) in doing so, may be subject to these expanded provisions. Previously, most business associates were subject to the Privacy and Security Rules only through a business associate agreement with the covered entity. The HITECH Act extended the application of HIPAA’s enforcement provisions to business associates directly, and it established an independent requirement that business associates implement many of the Security Rule’s administrative safeguards.
  • Impose significant new restrictions on the use of PHI, including new rules governing the use of PHI for marketing and fundraising purposes and prohibiting the sale of PHI without authorization.
  • Enhance individual rights to reflect various HITECH Act requirements, such as the right to request electronic copies of an individual’s PHI and to restrict disclosures to a plan regarding treatment when the individual has paid in full for the service or product.
  • Implement new enforcement of the tiered penalty structure established by the HITECH Act. Depending on the degree of knowledge that the covered entity had (or should have had) regarding the violation, penalties for each violation range from $100 to $50,000, with a maximum penalty for a given year of $1.5 million for any violations of the same requirement or prohibition.
  • Redesign the final HITECH Act breach notification rule. A covered entity must engage in a risk assessment and examine (1) the nature and extent of the PHI involved, (2) any unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) whether the risk to the PHI has been reduced or resolved.
  • Include genetic information in the definition of PHI. The regulations also finalize rules against the use of genetic information for health plan underwriting. The regulations make clear that any health plan covered by the Privacy Rule is subject to this requirement, not just health plans and insurers defined by GINA. Long-term care insurers are excluded by the regulations from this prohibition, but they remain subject to the Privacy Rule.

The final rule took effect on March 26, 2013, but provides a 180-day grace period on operational compliance. For existing business associate agreements, the new rule gives most covered entities and business associates an additional year to modify their current contracts to reflect the new regulations.