On January 17, 2013, the Federal Department of Health and Human Services (HHS) issued final omnibus amendments to the Privacy, Security, Breach Notification and Enforcement Rules (HIPAA Rules). The modifications implement most of the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The 2013 Amendments include several changes to the HIPAA rules. While some of the changes are not surprising, others are very impactful and will change the obligations imposed on covered entities, business associates and subcontractors. This overview will briefly address and summarize the key provisions and changes contained in the 2013 Amendments.
Previously The U.S. Department of Health and Human Services (HHS) stated that notification was only required if the breach posed a significant risk of harm to affected individuals. The 2013 Amendments modify this to state that any use or disclosure of protected health information that is not permitted by the Privacy Rule will be presumed to be a reportable breach. Covered entities and business associates can defeat this presumption by conducting a risk analysis using factors provided by HHS. However, this amendment will mean an increase in the number of breaches reported throughout the United States.
Privacy Rules and the Security Rule now apply directly to business associates and their subcontractors. This includes anyone that creates, receives, maintains or transmits protected health information (PHI). Therefore, business associate agreements are likely to require updates and increased compliance reviews. Entities should enhance their efforts to review associate compliance and consider appropriate liability protections in their business associate agreements. For an example of compliant business associate agreement provisions, we recommend using the example provided by the U.S. Department of Health & Human Services. For reference please see the below hyperlink. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Enforcement and Penalties
Under the 2013 Amendments, any complaint or violation must be formally investigated if a preliminary review of the facts indicates a possible violation due to willful neglect. If the U.S. Department of Health and Human Services (HHS) determines that a covered entity, business associate or subcontractor is in violation of HIPAA rules then liable parties can face penalties ranging from $100 to $50,000 with an annual maximum of $1.5 million. Therefore, it is highly encouraged for HIPAA-covered entities, business associates and subcontractors to promptly begin working to achieve compliance with applicable provisions to reduce liability risks.
The final rules provide significant changes to privacy issues related to uses and disclosures of protected health information (PHI), such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient’s care and disclosures of student immunization records. Notice of privacy practices, research authorizations, internal policies, and training programs may require updates to address the rule medications.
The HIPAA Security Rule applies to electronic PHI that is created, received, maintained or transmitted by a covered entity. Business associates and subcontractors must comply with the Security Rule in full. Given the complexities of achieving Security Rule compliance, business associates and subcontractors should be making efforts to meet the September 23rd compliance deadline.
The Genetic Information Nondiscrimination Act of 2008 prohibits discrimination based upon an individual’s genetic information. HHS has included “genetic information” as a type of health information subject to HIPPA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes.
Next Steps for Employers
Review and Update Policies and Procedures
Employers should review their existing privacy and security policies and procedures and update them as necessary to reflect the new rules. Although the new rules do not expand the scope of employers’ obligations in material ways, they do make changes that are likely to affect the way employers handle certain existing obligations.
Inventory Business Associates and Prepare for New BBAs
Employers should review their group health plan service provider relationships in light of the expanded definition of “business associate”. Given the new definition, it is possible that service providers who were not considered business associates in the past should now be treated as such. Business associate agreements must also reflect the affirmative, direct compliance obligations described in the new rules. Most well drafted business associate agreements already impose those obligations on business associates, so employers may not see a need for many changes in this regard.
Update and Distribute the Notice of Privacy Practices
A new Notice of Privacy Practices will have to be prepared and distributed (or posted electronically) by September 23, 2013, in order to inform individuals covered by the group health plan of certain new rights as well as any changes in the employer’s privacy policies and procedures. The new Notices will have to include, among other things, changes in the breach notification rules, new prohibitions against the use or disclosure of genetic information by a health plan for underwriting purposes, and new rights to restrict disclosures of PHI to a health plan where the service was paid in full by the individual as an out of pocket expense.
Train your Workforce
Although the 2013 Amendments do not require workforce training, it is highly encouraged to educate employees about the privacy and security requirements of HIPAA and the content of the covered entity’s own HIPAA policies and procedures.
As noted above, employers should aim to complete their HIPAA compliance efforts by no later than September 23, 2013. On this date the Office of Civil Rights of HHS will begin its HIPAA enforcement activities. But it’s worth mentioning that the Final Omnibus Rule officially took effect March 26, 2013 (90 days after the publication of the rule in the Federal Register). While a failure to achieve full compliance by September 23, 2013 is not likely to be fatal, we strongly advise all employers to make a substantial and good faith effort to comply within that time frame.
Powered by Squarespace