“The Final Rule represents the most significant development in healthcare privacy law since the issuance of the final Privacy Rule and Security Rule a decade ago.” (Morgan Lewis)
On January 17, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released its final omnibus rule, strengthening the privacy and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
The final rule becomes effective on March 26, 2013, and covered entities and business associates will need to comply by September 23, 2013. Note that an extension of the deadline is possible if certain conditions are met, write Adam Greene and Rebecca Williams of law firm Davis Wright Tremaine:
“While the new rule establishes a compliance date of Sept. 23, 2013, it includes up to a one-year extension for covered entities and business associates to revise their business associate agreements if such agreements were entered into and compliant with HIPAA as of Jan. 25, 2013, the expected date of formal publication of the new rule in the Federal Register.”
The broad, sweeping changes in the 563-page rule – more than two and a half years in the making – significantly increase the privacy and reporting obligations of covered entities and their business associates (as well as their subcontractors). For your reference, here’s a look at five key takeaways:
1. Liability of business associates has gone up:
“[Business Associates] are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements: impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either covered entity, the individual, or the individual’s designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and for failure to comply with the requirements of the Security Rule.” (BakerHostetler)
2. More entities are now considered to be business associates:
“The definition of ‘business associate’ has been expanded to include subcontractors of business associates, any person who ‘creates, receives, maintains, or transmits’ protected health information on behalf of a covered entity, and certain identified categories of data transmission services that require routine access to protected health information, among others.” (Dinsmore & Shohl)
3. Thresholds for federal investigations have been lowered:
“Under the new rules, the agency is required (no discretion) to conduct compliance reviews when ‘a preliminary review of the facts’ suggests a violation due to willful neglect. Any reported breach that suggests willful neglect would then appear to require agency follow-up. And they are of course free to investigate any breach reported to them. HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews? Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.” (Poyner Spruill)
4. Breach notification requirements have been tightened:
“Until now, an impermissible use or disclosure of Protected Health Information (‘PHI’) was a Breach only if there was a significant risk of harm. Now, an impermissible use or disclosure of PHI is presumed to be a Breach unless the Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI has been compromised.” (Womble Carlyle)
5. Marketing rules are more clearly defined:
“The Final Rule modifies the Proposed Rule’s approach to marketing, requiring authorization for all treatment and healthcare operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed. HHS notes the difficulty in distinguishing between ‘treatment’ and ‘health care operations’ communications, as the Proposed Rule required, and therefore HHS will treat as marketing communications ‘all subsidized communications that market a health-related product or service.’” (Morgan Lewis)
—
The updates:
- HHS Releases HIPAA/HITECH Omnibus Final Rule – Morgan Lewis
- One Week to Get Business Associate Agreements Executed Under HIPAA Omnibus Rule’s Grandfather Clause – Davis Wright Tremaine LLP
- The HIPAA/HITECH Final Rule Has Been Released – BakerHostetler
- HIPAA Final Omnibus Rule Brings “Sweeping Change” to Health Care Industry – Dinsmore & Shohl LLP
- HIPAA Rules… Finally! – Womble Carlyle Sandridge & Rice, PLLC
- Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting – Poyner Spruill LLP
—
Further reading:
- Health Care Reform Blog: Who is a Business Associate and Why Do We Care? – Davis, Brown, Koehn, Shors & Roberts, P.C.
- Finally! HHS Office of Civil Rights Releases HIPAA Omnibus Rule With Sweeping Changes to Compliance Requirements and Enforcement – Mintz Levin
- What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I) – BakerHostetler
- Overview of Modifications to the HIPAA Privacy, Security, and Enforcement Rules – Epstein Becker & Green, P.C.
- Final Omnibus HIPAA Rule Released By HHS – Polsinelli Shughart PC
- Federal Government Releases Long-Awaited Changes to HIPAA Rules: All Covered Entities and Business Associates Are Affected – Trenam Kemker
- Data Security Obligations Continue to Tighten Under New HIPAA Rules – McCarter & English, LLP
- HIPAA Omnibus Rule Released – Davis Wright Tremaine LLP
- HHS Announces New Patient Privacy and Security Protections – Proskauer
- Final HIPAA Rules Released – Davis, Brown, Koehn, Shors & Roberts, P.C.
—