On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying HIPAA privacy, security, enforcement, and breach notification rules. The final rule became effective on March 26, 2013, and providers have just over a month to comply with the new rule.  Compliance is required by September 23, 2013.

Changes to Breach Identification

Under the old standard, a reportable breach was an unauthorized use or disclosure of PHI that posed a significant risk of financial, reputational or other harm to the affected individual. Under the new standard, all unauthorized uses and disclosures of PHI are presumed to be reportable breaches unless, following a risk assessment, it is determined that there is a low probability that the PHI has been compromised.

Previously, we recommended including the following factors in breach risk assessments:

  1. the type and amount of PHI disclosed;
  2. to whom the PHI was disclosed; and
  3. the risk of further disclosure.

Now, the new “objective” standard requires assessment of:

  1. the nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
  2. the unauthorized person who used the PHI or to whom the PHI was disclosed;
  3. whether the PHI was actually acquired or viewed; and
  4. the extent to which the risk to the PHI has been mitigated.

Changes to the Definition of Business Associate

The new definition of business associate covers health information organizations, personal health record vendors, subcontractors of the business associate and individuals or entities that create, receive, maintain or transmit PHI for a covered entity. Significantly, this definition now includes subcontractors of business associates and entities that maintain PHI. So, whereas before there was no such thing as a business associate of a business associate, under the new rule, business associates who subcontract out functions involving PHI will need to enter into business associate agreements with those subcontractors. Further, based on the addition of the word “maintain” to the definition, covered entities can now require off-site records storage facilities or cloud storage providers, who maintain PHI, to sign business associate agreements.

Business associates may only use or disclose PHI in the same manner as the covered entity under the Privacy Rule and are directly responsible for breach notification and compliance with the Security Rule.

HHS/OCR has published a form business associate agreement incorporating the new HIPAA regulations here. Covered entities should compare their templates to the new form. Business associates should require applicable subcontractors to sign business associate agreements that track the new form and address the terms of the business associate agreement with the covered entity.