On January 17, 2013, the Office for Civil Rights (OCR) posted its omnibus Final Rule (the "Final Rule"), which includes a final Breach Notification Rule and modifies many provisions of the regulations issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Final Rule, published in the Federal Register on January 25, 2013, does the following:

1. Sets forth new responsibilities for business associates and subcontractors

2. Amends the Breach Notification Rule

3. Adds to the notifications required to be included in the Notice of Privacy Practices

4. Adopts the tiered civil monetary penalty provisions of the HITECH Enforcement Interim Final Rule

The Final Rule is effective March 26, 2013, and covered entities and business associates must be in compliance by September 23, 2013.

This is a summary of some pertinent provisions of the Final Rule.

1. Liability of Business Associates and Subcontractors

Under the Final Rule, business associates (BAs) and their subcontractors can be directly liable for certain Privacy and Security Rule violations. A "business associate" or BA is a third party that a covered entity engages to perform functions or services on its behalf. To be a business associate, the third party must create, receive, maintain or transmit Protected Health Information ("PHI"). A transcriptionist who is not employed by the covered entity is one example of a BA. A "subcontractor" is a person to whom a business associate delegates a function, activity or service, other than as a member of the business associate's workforce, and who also creates, receives, maintains or transmits PHI. For example, a shredding company that a business associate uses to dispose of PHI is a subcontractor. As under the previous rule, covered entities must have written business associate agreements with their business associates. Under the Final Rule, the definition of "business associate" has been extended to include subcontractors, so the requirements that apply to business associates now apply to subcontractors as well. Business associates must ensure that they have agreements with all of their subcontractors that comply with the new regulations.

In short, if you use business associates or subcontractors, you need a written agreement on file with each of them under which they commit to comply with the new regulations.

2. Compliance Date for Revised Business Associate Agreements

The compliance date for revising business associate agreements ("BAAs") to comply with the Final Rule is September 23, 2013. However, an existing BAA can be grandfathered if it was entered into before January 25, 2013, complied with the HIPAA regulations then in effect, and is not renewed or modified between March 26 and September 23, 2013. Such a BAA must be brought into compliance by the earlier of (a) the date it is next renewed or modified on or after September 23, 2013, or (b) September 22, 2014. BAAs that are renewed or modified between March 26 and September 23, 2013 must be revised to comply with the Final Rule by September 23, 2013.

Bottom line: with a few exceptions, you have until September 23, 2013 to get the new business associate agreements in place with all of your business associates and subcontractors.

3. Notice of Privacy Practices

The Final Rule requires certain amendments to Notices of Privacy Practices (the "Notice"), including statements about uses and disclosures that require the individual's authorization. For instance, the Notice must now state that most uses and disclosures of psychotherapy notes (where the covered entity records them), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization.

In other words, update your notice of privacy practices to include the new language.

4. Individual's Access to His/Her Own PHI

When an individual requests an electronic copy of his/her own PHI that is maintained electronically, the covered entity must provide the information in the electronic form and format requested by the individual if it is readily producible, or otherwise in a readable electronic form and format agreed to by the covered entity and the individual.

If someone asks for a copy of their medical information, you must give it to them, and you must give it to them in the electronic form and format they request if you can readily produce it, or in a form you agree on with them.

5. Breach Notification

The most significant changes in the Final Rule appear in the revisions to the Breach Notification Rule, and the most important of these is the revised definition of "breach". Before the Final Rule, an impermissible use or disclosure of PHI was treated as a breach only if it posed a significant risk of financial, reputational or other harm to the individual. Under the Final Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. In other words, the Final Rule shifts from the subjective risk-of-harm standard to the more objective low-probability-of-compromise standard. The Final Rule sets forth the factors that must be considered, at a minimum, when performing the risk assessment that determines the probability that PHI has been compromised:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the information;
  • The unauthorized person who impermissibly used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed or, alternatively, whether only the opportunity existed for the information to be acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

The Final Rule has also made a number of revisions to the notification obligations that arise upon discovery of a breach.

In summary, the rules for what constitutes a breach have changed, which means the notification requirements have changed. Be sure to clearly define, in layman's terms, what a breach is and what to do if one occurs, and document the four-factor risk assessment for every incident you decide not to report.

6. Tiered Penalties

The Final Rule adopted the tiered and increased civil monetary penalty structure required by HITECH. The penalty tiers increase with the level of culpability, from violations the entity did not know about (and could not reasonably have known about), through reasonable cause, to willful neglect that is corrected and willful neglect that is not corrected. Be sure to educate employees on the types of violations and the penalties that may be incurred; individuals who knowingly obtain or disclose PHI in violation of HIPAA can face criminal penalties personally.


This is only a summary of the changes. Please be sure to consult your legal counsel to confirm that you are in compliance with all of the requirements. Although this discussion is focused mainly on the health care industry, any business that sponsors a group health plan should be aware that it may be subject to these requirements as well. As a professional, you have roughly eight months to put the technical, physical and administrative safeguards in place to make sure your organization is in compliance. Now is the time for action!
