On January 17, 2013, the Department of Health and Human Services (HHS) released the long-awaited final rule modifying the Health Insurance Portability and Accountability Act (HIPAA) regulations. The 563-page final rule modifies many aspects of HIPAA. Covered entities and business associates must comply with the new regulations by September 23, 2013.
The final rule includes changes mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) to the HIPAA Privacy, Security, and Enforcement Rules including:
- Making business associates directly liable for compliance with selected HIPAA Privacy and Security Rule requirements;
- Increasing limitations on the use and disclosure of Protected Health Information (PHI) for marketing and fundraising purposes;
- Expanding individuals’ rights to receive their health information in electronic form;
- Expanding individuals’ rights to restrict disclosure of health information to health plans when the individual has paid the full cost of treatment out of pocket;
- Requiring modifications to, and redistribution of, a covered entity’s notice of privacy practices;
- Modifying authorization and other requirements to facilitate research and the disclosure of immunization information to schools; and
- Adding to the Enforcement Rule, including enforcement of noncompliance with the HIPAA Rules due to willful neglect and changes to the civil money penalty structure.
Breach notification requirements were also modified by the final rule. The final rule removed the “harm standard” found in the interim rule, which limited notification obligations to those breaches that posed a significant risk of financial, reputational, or other harm to individuals. Under the final rule, any disclosure of protected health information is now “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” As a result, the breach notification threshold has been effectively lowered.
The final rule also modifies HIPAA as mandated by the Genetic Information Nondiscrimination Act (GINA) to prohibit genetic information from being used in the underwriting process by most health plans.
The final rule is effective on March 26, 2013, with compliance required by September 23, 2013. A dramatic increase in HIPAA enforcement and audit activity has been well documented. The Office for Civil Rights (OCR) audit program protocol covers the Privacy, Security, and Breach Notification Rule requirements that are affected by the final rule. Covered entities’ HIPAA policies and procedures should be updated to ensure compliance.
The experienced health care attorneys of Spencer Fane Britt & Browne LLP are available to assist covered entities and business associates with the necessary policy updates and other steps to facilitate compliance with the final rule.