The Department of Health and Human Services (HHS) last week released its long-awaited final rule implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act. The 563-page document makes significant changes to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. According to Leon Rodriguez, director of the HHS Office for Civil Rights, which is in charge of enforcing the HIPAA administrative rules, “this final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”
The effective date of the final rule is March 26, 2013, and all covered entities and business associates must be in compliance with the rule within 180 days of the effective date. This means all covered entities and business associates, including applicable subcontractors, must be in compliance with the final rule by September 23, 2013.
Some of the rule’s notable provisions include:
- Security rule requirements extended to business associates: The Security Rule’s administrative, physical and technical safeguard requirements apply directly to business associates in the same manner as covered entities. The final rule also adds “subcontractors” to the definition of “business associate” and requires business associates to enter into written agreements with subcontractors.
- Breach notification standard: The final rule eliminates the previous “risk of harm” standard for determining whether individuals must be notified of a breach and replaces it with the “low probability” standard. The new standard establishes a presumption that any impermissible use or disclosure of protected health information (PHI) is a breach that compromises the security or privacy of the information, and the covered entity or business associate bears the burden of demonstrating that there is a sufficiently low probability that the PHI has been “compromised” to relieve it of the duty to notify individuals.
- Sale of PHI: The final rule prohibits covered entities and business associates from receiving direct or indirect remuneration in exchange for the disclosure of PHI unless an authorization is obtained in advance. The exchange of PHI through a health information exchange paid for through fees assessed on exchange participants is not considered a sale of PHI.
- Marketing: The final rule requires an authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communication from a third party whose product or service is being marketed. Unlike the proposed rule, the final rule treats all subsidized communications that market a health-related product or service as marketing communications.
- Research: The final rule permits the use of compound, non-study-specific authorizations for the use of PHI for research (except psychotherapy notes), including to authorize future research.
- Notice of privacy practices: The final rule requires that all Notices of Privacy Practices (NPPs) include a statement indicating that most uses of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require an authorization. NPPs also must state that other uses and disclosures not described in the NPP will be made only with authorization from the individual.
- Restrictions on certain disclosures to health plans: The final rule restricts disclosure to health plans regarding treatment for which the individual has paid out of pocket in full. It also prohibits health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act (GINA).
- Electronic access to PHI: The final rule requires that if an individual requests an electronic copy of his or her PHI that is maintained electronically, the covered entity must provide it in the form and format requested if readily producible, or, if not, in a readable electronic form agreed upon by the covered entity and the individual.
- Increased penalties: The final rule applies a tiered system of increasing penalties for violations based on increasing levels of culpability, provides examples of violations falling into different penalty levels and imposes vicarious liability based on “agency” principles.
The final omnibus rule is available in the Federal Register online.
The new rule and other HIPAA-related issues will be among the topics for discussion at the Society’s day-long Medical Records and the Law seminar in May. Watch Medigram and the Society’s website for more details as they become available.
Back to January 24, 2013 Medigram