On January 17, 2013, the Office for Civil Rights, Department of Health and Human Services, announced the long-awaited final rule implementing changes to HIPAA’s privacy, security, and enforcement rules required under the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Final Rule”). The Final Rule, which takes effect on March 26, 2013, contains numerous provisions that will impact physicians, hospitals, and other health care providers, as well as health plans, and businesses and vendors providing services to or for such health care providers and health plans, including the following:
Notice of Privacy Practices. Covered entities must revise and redistribute their notices of privacy practices, as necessary, to comply with the Final Rule. The revised notice must include additional statements describing uses and disclosures of protected health information (or “PHI”) that require an authorization (e.g. marketing and psychotherapy notes), notifying individuals of rights to opt out of receiving fundraising communications, describing certain circumstances when a covered entity must comply with a request to restrict disclosures to an individual's health plan, and providing information about the individual's right to receive notification of a breach.
Breach Notification Obligations. The Final Rule includes a new, more objective standard for determining whether a HIPAA violation requires breach notification. Under the new standard, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the information has been compromised, or an exception applies. Assessing this probability requires consideration of certain specified factors: the nature and extent of the information at issue; the unauthorized person who used the information or to whom the information was disclosed; whether the information was in fact acquired or viewed; and the extent to which the risk has been mitigated.
Business Associate Agreements. Business associate agreements must include additional provisions requiring the business associate to: comply with applicable requirements of the security rule; report breaches to the covered entity in accordance with 45 CFR 164.410; ensure subcontractors agree to the same restrictions and conditions that apply to the business associate with respect to PHI; and comply with privacy rule requirements in connection with any activities delegated to it under the privacy rule (e.g., distribution of the notice of privacy practices). Covered entities will need to review and revise existing business associate agreements to ensure compliance with the Final Rule.
Requirement for Subcontractor Agreements. To ensure information is protected in the hands of “downstream entities,” business associates are required to enter into written agreements with their subcontractors (i.e. persons or entities that perform functions or provide services to a business associate and require access to PHI in doing so) to ensure the information will be appropriately safeguarded. To the extent business associates have existing agreements with subcontractors, they will need to review and revise such agreements to ensure compliance with the Final Rule.
Individual Access Rights to Electronic PHI. Individuals have expanded rights to receive electronic copies of their protected health information that is maintained in electronic form, when requested.
Compliance by Business Associates. Business associates are directly liable for compliance with certain requirements under the HIPAA privacy and security rules.
Marketing and Fundraising Communications. Revisions to the definition of “marketing” require authorizations for all treatment and health care operations communications where the covered entity receives financial remuneration from a third party in exchange for making the communication. Fundraising communications must include a clear and conspicuous opportunity for the recipient to opt out of receiving further fundraising communications.
Requests for Restrictions on Disclosures to Health Plans. A covered entity must comply with an individual’s request not to disclose PHI to the individual’s health plan, if such information pertains solely to an item or service for which the health care provider has been paid out of pocket in full.
Sale of PHI. Subject to certain exceptions, direct or indirect receipt of remuneration (including in kind, non-financial benefits) in exchange for protected health information is prohibited without a valid authorization.
Authorizations for Research. Combined authorizations are permitted for research, provided they distinguish between conditioned and unconditioned research components. Authorizations for use of psychotherapy notes still may not be combined with research authorizations.
Protection for Decedent Information. Information of a deceased individual must be protected for a period of 50 years following the date of death, after which time it is no longer considered protected health information. Covered entities may disclose protected health information to family members of deceased individuals, or to others who were involved in a deceased individual’s health care or payment for health care prior to death, unless disclosing such information would be inconsistent with the deceased individual’s prior expressed preference that is known by the covered entity.
Privacy Protections for Genetic Information. As required by the Genetic Information Nondiscrimination Act (GINA), most health plans are prohibited from using or disclosing “genetic information” for underwriting purposes.
Enforcement and Penalties. Covered entities and business associates are subject to increased civil monetary penalties based on a tiered penalty structure. Penalties range from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of an identical requirement or provision within a calendar year.
Covered entities and business associates have until September 23, 2013 to comply with the Final Rule.
If you have any questions about the Final Rule and its potential impact on your HIPAA policies and procedures, business associate agreements, breach reporting obligations, or other HIPAA compliance activities, please do not hesitate to contact Sarah Spurlock in the Louisville offices of Stites & Harbison, PLLC, at [email protected] or (502) 681-0461.