On January 25, 2013, the Federal Register will publish final omnibus rules written by the U.S. Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The modifications implement most of the privacy and security provisions of the HITECH Act and relevant provisions of the Genetic Information Nondiscrimination Act. While some of the rule changes are not surprising, others are very impactful and will markedly change the obligations imposed on covered entities, business associates and subcontractors. Some of the more significant provisions are described in summary below. Please feel free to contact us with questions.
The compliance deadline for virtually every provision of these rules is September 23, 2013. A longer period is provided where updates to existing business associate and data use agreements are required; those agreements may not need to be updated until September 22, 2014 provided they are not modified or renewed prior to that date.
HHS has eliminated the harm threshold that provided notice of a security breach would only be required if the breach posed a significant risk of harm to affected individuals. It has provided instead that any use or disclosure of protected health information (PHI) that is not permitted by the Privacy Rule will be presumed to be a reportable breach. Covered entities and business associates can defeat this presumption by conducting a risk analysis using factors articulated by HHS, but the agency has made clear its expectation that impermissible uses and disclosures of readily accessible PHI will likely be a reportable breach. This change will mean an increase in the number of breaches reported.
Much of the Privacy Rule and all of the Security Rule now apply directly to business associates and their subcontractors. Business associate agreements are likely to require updates and, in light of breach requirements and increasing compliance reviews, covered entities should enhance their efforts to review business associate compliance and consider appropriate liability protections in their business associate agreements.
Enforcement and Penalties
HHS has retained the high penalty structure currently in effect, meaning that penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million on a per provision basis. Business associates and subcontractors are directly liable for their violations, but covered entities also can be penalized for their violations. HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.
The final rules address multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient’s care or payment for care, and disclosures of student immunization records. In addition, individuals have new rights to restrict certain disclosures of PHI to health plans and to request access to electronic PHI (ePHI). Notices of privacy practices, research authorizations, internal policies, and training programs may require updates to address the rule modifications.
Business associates and subcontractors now must comply with the Security Rule in full. Given the complexities of achieving Security Rule compliance, business associates and subcontractors should begin efforts now to meet the September 23 compliance deadline.
To implement the Genetic Information Nondiscrimination Act, HHS has included “genetic information” as a type of health information subject to HIPAA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes.
As with most regulations, the details matter, so we have provided a more comprehensive summary of all the substantive requirements and described in brief how they will impact the regulated community from a practical standpoint. Please contact us with any questions, and you can sign up for other privacy and information security updates here.
Elizabeth Johnson, an attorney no longer with Poyner Spruill, was the original author of this article.