The following is a summary of the major changes to HIPAA under the new Final Rule:
1. Breach Notification Standard Lowered — In perhaps the most significant change under the Final Rule, the new regulations considerably alter what constitutes a breach of Protected Health Information (PHI) and wether the breach notification requirements are triggered. Under the current HIPAA regulations, to determine whether a breach has occurred (and whether a breach notification is required), a Covered Entity or Business Associate must conduct a risk assessment to determine whether the use or disclosure of PHI in question “poses a significant risk of financial, reputational, or other harm to the individual.” Under the Final Rule, an improper use or disclosure of PHI is presumed now to be a breach unless the Covered Entity or Business Associate “demonstrates that there is a low probability that the protected health information has been compromised” through a risk assessment of at least four factors set forth in the new regulations:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
(ii) The unauthorized person who used the PHI or to whom the disclosure was made.
(iii) Whether the PHI was actually acquired or viewed.
(iv) The extent to which the risk to the PHI has been mitigated.
This “presumption of breach” standard is a much lower standard than the previous “significant risk of harm” standard and is likely to lead to more breach notifications from Covered Entities and their Business Associates.
2. Expanded Definition of Business Associate — The Final Rule broadens the definition of Business Associate under HIPAA, such that HIPAA now applies to a whole new group of entities that will all need to be compliant by September 23, 2013. The Final Rule clarifies that the following persons and entities are now Business Associates under HIPAA:
(i) Any person or entity that provides data transmission services of PHI to a Covered Entity and requires access on a routine basis to such PHI. (Covered Entities will need to review their relationships with vendors and others who transmit PHI on their behalf and determine whether that person or entity requires access to its PHI on a routine basis. Many Covered Entities will gain an expanded list of Business Associates through this clarification of the Final Rule and will need to put Business Associate Agreements in place by the compliance date.)
(ii) Any subcontractor of a business associate that handles PHI. (If a Business Associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is now a Business Associate under HIPAA, and under the new regulations, there must be a written agreement in place between the Business Associate and its subcontractor that meets all of the requirements of a Business Associate Agreement under HIPAA. The Final Rule also makes it clear that in this situation, it is the Business Associate who retains the subcontractor, and not the Covered Entity, that is responsible for ensuring there is a proper Business Associate Agreement in place.)
(iii) Any entity that maintains PHI on behalf of a Covered Entity. (Under the Final Rule, a Business Associate now includes a person or entity that maintains PHI on behalf of a Covered Entity, even if that person or entity does not access or view the PHI. If a Covered Entity uses an outside organization to store and/or maintain its PHI, it now needs to make sure it has a Business Associate Agreement in place with that vendor that meets all the requirements under HIPAA.)
3. Application of HIPAA to Business Associates — The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates, and provides that if a Business Associate violates any HIPAA provision that is now directly applicable to it, the Business Associate is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH. Under the revised HIPAA regulations, Business Associates are now directly liable for:
(i) Impermissible uses or disclosures of PHI;
(ii) Failure to provide proper breach notification to a Covered Entity;
(iii) Failure to provide appropriate access to an electronic copy of PHI to a Covered Entity, individual, or individual’s representative;
(iv) Failure to disclose PHI when required by HHS to investigate the Business Associate’s compliance with HIPAA;
(v) Failure to provide an accounting of disclosures;
(vi) Failure to comply with the applicable requirements of the Security Rule.
Perhaps most significantly, the Final Rule provides that if a Business Associate violates a provision of a Business Associate Agreement, that contractual violation is now a HIPAA violation. The Final Rule also states that Business Associates must comply with HIPAA’s “minimum necessary” standard and only use, disclose, or request PHI from another entity if they limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
4. New Requirements for Business Associate Agreements — An organization’s Business Associate Agreements may need to be amended or updated to comply with the Final Rule. Under the new regulations, Business Associate Agreements must now require that the Business Associate will do the following:
(i) Comply, where applicable, with the HIPAA Security Rule;
(ii) Report breaches of unsecured PHI to the Covered Entity as required under the breach notification rules;
(iii) Make certain that any subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate (there must now be a Business Associate Agreement in place between a Business Associate and its subcontractors in these circumstances); and
(iv) Comply with the requirements of the HIPAA Privacy Rule whenever the Business Associate is required to perform the Covered Entity's obligation under the Privacy Rule. Business Associate Agreements entered into prior to January 25, 2013, between Covered Entities and Business Associates (as well as Business Associates and their subcontractors) that are not renewed or modified between March 26, 2013, and September 23, 2013, and that met the requirements of HIPPA and HITECH prior to January 25, 2013, will be granted grandfathered status and deemed to continue in compliance until September 23, 2014, or the date the contract is renewed or modified, whichever occurs first. All other Business Associate Agreements must be in compliance with the new regulations by September 23, 2013.
5. New Requirements for Notice of Privacy Practices — The Final Rule requires Covered Entities to revise their Notice of Privacy Practices to include a statement that:
(i) Describes the types of uses and disclosures that require authorization under HIPAA (if the Covered Entity intends to engage in any of them);
(ii) Informs individuals that they have the right to opt out of receiving fundraising communications (if the Covered Entity uses PHI to conduct fundraising activities);
(iii) Informs individuals that they have a right to pay out-of-pocket for a service and the right to require that the Covered Entity not submit PHI to the individual’s health plan if they do so; and
(iv) Informs individuals that the Covered Entity has a duty to notify affected individuals following a breach of unsecured PHI.
6. Fundraising — The Final Rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals’ health information without their permission. The Final Rule tightens the rules about providing individuals the opportunity to opt out of receiving future fundraising materials and requires clear instructions on how to opt-out.
7. Expanded Patient Rights — Under the Final Rule, a Covered Entity is required to abide by an individual’s request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the Covered Entity in full. The new regulations also provide that if an individual requests an electronic copy of their PHI, then a Covered Entity must provide access to that information in electronic form, if it is readily producible in that form. So a Covered Entity will have to produce PHI in an electronic format if it maintains records electronically (as it is considered readily producible in this circumstance). Further, under the Final Rule, if an individual directs a Covered Entity, in a signed writing, to electronically transmit a copy of the PHI to another person designated by that individual, then the Covered Entity must transmit the PHI electronically to that party. Additionally, HIPAA now permits a Covered Entity only one 30-day extension to respond to a request for access. Finally, the new regulations streamline individuals’ ability to authorize the use of their health information for research purposes and make it easier for parents and others to give permission to share proof of a child’s immunization with a school.
8. Increased Flexibility with PHI of Deceased Patients — Under the Final Rule, Covered Entities are now permitted to disclose PHI to a decedent’s family members and others who were involved in the patient’s care, or payment for that care, prior to death, unless doing so would be inconsistent with any prior expressed preferences known to the Covered Entity. This is limited to disclosing PHI that is relevant to the family member or other person’s involvement in the individual’s healthcare or payment. Additionally, under the new HIPAA regulations, health information is no longer PHI after a patient has been dead for 50 years.
9. Civil Monetary Penalties — The Final Rule retains the increased civil monetary penalties for HIPAA violations that were set forth under the HITECH Act. The new tiered penalty system currently applies to Covered Entities and under the Final Rule it will be applicable to Business Associates and their subcontractors. The penalty amounts range from $100 per violation, up to a maximum penalty of $1.5 million for violations of the same HIPAA provision in a calendar year. Penalties in the four-tiered system increase based on the level of culpability. The lowest level of penalties ($100 to $50,000 per violation) applies to situations where the Covered Entity or Business Associate did not know about the HIPAA violation. The highest penalty level, which starts at $50,000 per violation, applies when the Covered Entity or Business Associate demonstrated “willful neglect” in violating HIPAA, and it failed to correct the violation.