Expanding The Reach Of HIPAA Data Security And Privacy Requirements


In this information technology era, it is little wonder that the Obama Administration has made enforcement of data security and privacy protections a top priority. The enforcement emphasis reflects public opinion favoring strong privacy protections. People fear big government, and they fear privacy intrusions through the internet and internet commerce.

Across all enforcement agencies, data security and privacy are high priorities.  The FTC is leading the way on data security; the NLRB is pushing social media protections of privacy; and the CFPB is launching new privacy initiatives.

The healthcare industry is already familiar with data security and privacy restrictions.  HIPAA has been on the books for just over 15 years and the industry is very familiar with its requirements.

Since its inception, the HIPAA requirements have not been aggressively enforced.  That has all changed.  The Office of Civil Rights in HHS, which is now headed by a former prosecutor, has made enforcement a top priority.  OCR uses enforcement actions as an important tool in its overall mission to encourage compliance.

Last month, OCR issued the final “omnibus” rule modifying the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. It took OCR two and a half years to finalize the rules, which are now effective March 26, 2013.

Some of the highlights of the new rules:

Application to Business Associates – the rules directly apply security and privacy requirements to Business Associates.  The definition of “Business Associates” has been expanded to include subcontractors of business associates, health information organizations, patient safety organizations and persons that offer personal health information (PHI) to individuals on behalf of a covered entity.  OCR also modified the definition to apply to persons who possess or store PHI even if they never actually access or view the information.

Business associates now have to enter into agreements with subcontractors that handle PHI, and downstream agreements are required for each link in the subcontractor chain.  Given the burden of this new requirement, business associates have one additional year to comply with this requirement.

Breach Definition – OCR modified the definition of a breach to replace the proposed “harm” analysis with a four-factor test, focusing on the nature of the personal health information (“PHI”); whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Under the rules, there is a presumption that a PHI breach requires notification unless the covered entity or business associate can demonstrate that there was a low probability that the PHI has been compromised.

The rules require a number of changes to notices of privacy practices, which must include (a) notification to affected individuals of a PHI breach; (b) authorizations for specific uses and disclosures (involving marketing or sale of PHI); (c) notifying individuals of the right to restrict certain disclosures to health plans; (d) the right of individuals to opt out of fundraising notifications; and (e) the prohibition on the use of genetic information for underwriting purposes (if the health plan intends to use PHI for underwriting purposes).

Enforcement – The rules retain the tiered-penalty structure implemented through the interim final enforcement rule. In addition, OCR must investigate any complaint if a preliminary review indicates possible (not probable) noncompliance due to willful neglect; civil and criminal liability for violations of the HIPAA Rules is expanded to business associates; and broad liability standards apply to acts or omissions by agents and business associates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Michael Volkov, The Volkov Law Group | Attorney Advertising
