The Department of Health and Human Services (HHS) has issued final regulations, effective March 26, 2013, that update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and enforcement rules to reflect changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final rules also reflect breach notification changes under the HITECH Act and implement privacy protections for genetic information under the Genetic Information Nondiscrimination Act of 2008 (GINA).
On January 17, 2013, HHS issued final regulations addressing various aspects of HIPAA compliance, including changes to:
The HIPAA privacy, security and enforcement rules required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The breach notification rules for unsecured protected health information (PHI).
The HIPAA privacy rules required by the Genetic Information Nondiscrimination Act of 2008 (GINA).
The final regulations are effective March 26, 2013, and covered entities and business associates must comply with all or portions of the regulations, as applicable, by September 23, 2013. However, the final regulations include a limited transition rule under which covered entities and business associates can continue to operate under existing business associate agreements until the earlier of:
The date the agreement is renewed or modified on or after September 23, 2013.
September 22, 2014.
Business Associates
Under the final regulations, business associates of covered entities are directly liable for compliance with certain of HIPAA's privacy and security requirements. The final regulations also adopt HHS' proposal to apply the business associate rules to subcontractors, and clarify the definition of subcontractor to mean "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." In the preamble, HHS takes the position that:
HIPAA covered entities, which include health plans, must obtain satisfactory assurances regarding privacy and security protections from their business associates.
Business associates must similarly obtain assurances regarding an individual's personal health information from their subcontractors, and so on, no matter how far "down the chain" the information flows.
According to HHS, an entity (for example, a data storage company) that maintains PHI on a covered entity's behalf is a business associate, as opposed to a mere conduit (that is, for purposes of the conduit exception for business associates), even if the entity does not actually view the PHI. The definition of business associate was revised to reflect this change.
Also in the preamble, HHS clarifies the HIPAA rules for which business associates are directly liable for compliance. In addition to impermissible uses and disclosures of PHI, the list includes failures to:
Provide breach notification to covered entities.
Provide access to a copy of electronic PHI to an individual or a covered entity.
Disclose PHI where required by the Secretary of HHS to investigate or assess a business associate's HIPAA compliance.
Provide an accounting of disclosures.
Comply with the HIPAA security rule.
Enforcement Penalties
The final regulations adopt the increased penalty structure under the HITECH Act. For example, for violations occurring on or after February 18, 2009 that are due to reasonable cause:
The penalty can range from $1,000 to $50,000 for each violation.
The maximum penalty for all violations of the same requirement in a calendar year cannot exceed $1,500,000.
HHS indicated that it will not impose the maximum penalty in all cases, but will determine penalties based on factors that include the nature and extent of the violation and resulting harm.
Notices of Privacy Practices
Under the final regulations, notices of privacy practices (NPP) must include:
Certain statements regarding uses and disclosures requiring authorization, which were included in the proposed regulations.
A statement regarding fundraising communications and an individual's right to opt out of receiving such communications, if a covered entity intends to contact individuals to raise funds for the covered entity.
A statement of the right of affected individuals to be notified following a breach of unsecured PHI.
The final regulations note, however, that a covered entity need not revise and distribute another NPP if:
It already updated its NPP following enactment of the HITECH Act.
The NPP is consistent with the final regulations.
Individuals have been informed of all material changes to the NPP.
Individual Rights Expanded
The final regulations expand individuals' rights in several ways, including:
Permitting covered entities to disclose a decedent's PHI to family members and others who were involved in the decedent's care, or payment for care, before death, unless:
doing so is inconsistent with the individual's prior expressed preference; and
the covered entity knows of this preference.
Requiring covered entities, following an individual's request for an electronic copy of PHI maintained electronically in one or more designated record sets, to provide the individual access to the information:
in the electronic form and format requested by the individual, if the form and format are readily producible; or
if the requested form and format is not readily producible, a readable form and format agreed to by the covered entity and individual.
If an individual asks a covered entity to transmit the copy of PHI directly to another person, the covered entity must do so, though the request must:
be in writing and signed by the individual; and
clearly identify where and to whom the PHI must be sent.
Expanding the situations in which a covered entity must agree to an individual's request to restrict the disclosure of PHI about the individual to a health plan, for example, if:
the disclosure is for carrying out payment or health care operations and is not otherwise required by law; and
the PHI pertains solely to a health care item or service for which the individual, or a person on the individual's behalf, has paid the covered entity in full.
HITECH Breach Notification
The HITECH Act requires covered entities to provide notice, after the discovery of breaches of unsecured PHI, to:
Affected individuals.
The Secretary of HHS.
The final regulations revise and clarify the definition of breach and a risk assessment approach (used to determine if there was a significant risk of harm to an individual due to an impermissible use or disclosure), both of which were addressed in earlier regulations. Under the amended definition of breach, an impermissible use or disclosure of PHI is presumed to be a breach unless a covered entity or business associate can demonstrate that there is a low probability that the PHI was compromised.
The final regulations removed the harm standard under earlier guidance providing that breach notification was not required if it could be demonstrated that there was no significant risk of harm to the individual. Instead of assessing the risk of harm to an individual, covered entities and business associates must assess the probability that PHI was compromised, based on a risk assessment that considers at least the following factors:
The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification.
The unauthorized person who used the PHI or to whom the disclosure was made.
Whether the PHI was actually acquired or viewed.
The extent to which the risk to the PHI was mitigated.
HIPAA Privacy Changes Required by GINA
GINA added privacy protections for genetic information that required HHS to update the HIPAA privacy rules to:
Clarify that genetic information is health information.
Prohibit group health plans and insurers from using or disclosing genetic information for underwriting purposes.
Among other things, the final regulations apply the prohibition on using or disclosing PHI that is genetic information for underwriting purposes to all health plans that are covered entities. For more information, see Practice Note, GINA Compliance for Health and Welfare Plans.
Practical Impact
In a related press release, HHS refers to the final regulations as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." In light of the increased penalties and recent HHS enforcement activity, covered entities and business associates may wish to revisit their HIPAA compliance efforts in light of the final regulations, which may require revisions to NPPs, updates to business associate agreements and HIPAA policies (for example, to reflect the revised definition of breach) and workforce retraining.
Also, in the preamble, HHS identifies several issues that may be addressed in future guidance, including:
The types of entities that do and not fall within the business associate definition.
The minimum necessary standard, including:
how business associates apply this standard; and
the interaction between the standard and the breach notification requirements.
Rules to assist covered entities and business associates in performing risk assessments under the breach notification rules.