Part I
Elizabeth E. Hogue, Esq.
Office: (877) 871-4062
Fax: (877) 871-9739
Twitter: @HogueHomecare
The U.S. Department of Health and Human Services (HHS) has issued final rules to:
– Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information;
– Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comments received on the interim final rule;
– Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title 1 of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
– Make other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to improve their workability and effectiveness and to increase flexibility and to decrease burden on regulated entities.
The final rules will be published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013.
This is the first in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
Major provisions in the form of four final rules include the following:
1. Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act and certain other modifications to improve the Rules that were issued as a proposed rule on July 14, 2010. The modifications include:
– Make business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
– Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
– Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to health plans concerning treatment for which individuals have paid out of pocket in full.
– Require modifications to and redistribution of covered entities’ notice of privacy practices.
– Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others.
– Adopt the additional HITECH Act enhancements to the Enforcement Rules not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rules to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act that replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
Part 2 – New HIPAA Rules Issued: Business Associates
The final rules were published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013. This is the second in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
First, with regard to Business Associates, the new final rules clarify whether “conduits” of protected information are Business Associates. Specifically, entities that provide transmission services only, including any temporary storage of protected health information (PHI) incidental to transmission services, are not Business Associates. Entities that provide storage are considered to be Business Associates, even if the agreement with the covered entity does not contemplate any access, or contemplates access on a random or incidental basis only. In short, the “test” under the new final rules is length of custody, not access.
The new final rules also address the issue of whether “downstream contractors” are directly responsible for compliance with the Business Associate requirements of both the Security Rule and the Privacy Rule. According to the final rules, all entities in the chain are directly responsible for compliance even if the parties do not enter into a written Business Associate Agreement. Providers are not required to enter into Business Associate Agreements with all downstream contractors. They must sign a Business Associate Agreement with the entity with which they do business directly. Providers’ Business Associates are then required to get written “satisfactory assurances” from each of their immediate subcontractors. In the event of a breach, all “downstream contractors” are required to report up the chain to providers.
An example of the above requirements is a provider who contracts with a shredding company to dispose of records that include PHI. The provider must enter into a Business Associate Agreement with the shredding company. The shredding company, in turn, contracts with a trucking company to pick up the records and deliver them to the shredding company. The shredding company is required to get “satisfactory assurances” of compliance from the trucking company.
The new final rule also clarifies that Business Associates are directly responsible under the Privacy Rule for:
– Limiting uses and disclosures of PHI to those permitted by their Business Associate Agreements and the Privacy Rule,
– Disclosing PHI to HHS for investigation of Business Associates’ compliance with HIPAA,
– Disclosing PHI to covered entities or individuals in response to requests for electronic copies of PHI,
– Complying with the minimum necessary requirements of the Privacy Rule, and
– Entering into Business Associate Agreements with subcontractors.