Part I
Elizabeth E. Hogue, Esq.
Office: (877) 871-4062
Fax: (877) 871-9739
Twitter: @HogueHomecare
The U.S. Department of Health and Human Services (HHS) has issued final rules to:
- Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), strengthening the privacy and security protections for individuals’ health information;
- Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comments received on the interim final rule;
- Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
- Make other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to improve their workability and effectiveness, to increase flexibility, and to decrease the burden on regulated entities.
The final rules will be published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013.
This is the first in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
Major provisions, in the form of four final rules, include the following:
1. Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act, together with certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. The modifications:
- Make business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to health plans concerning treatment for which individuals have paid out of pocket in full.
- Require modifications to, and redistribution of, covered entities’ notices of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and the disclosure of proof of child immunization to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rules not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rules to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule, as required by the Genetic Information Nondiscrimination Act (GINA), to prohibit most health plans from using or disclosing genetic information for underwriting purposes; this was published as a proposed rule on October 7, 2009.
Part 2 – New HIPAA Rules Issued: Business Associates
The final rules were published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013. This is the second in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
First, with regard to Business Associates, the new final rules clarify whether “conduits” of protected information are Business Associates. Specifically, entities that provide transmission services only, including any temporary storage of protected health information (PHI) that is incidental to the transmission service, are not Business Associates. Entities that provide storage, by contrast, are Business Associates, even if the agreement with the covered entity does not contemplate any access to the PHI, or contemplates access only on a random or incidental basis. In short, the “test” under the new final rules is the persistence of custody, not whether or how often the entity actually views the PHI.
The new final rules also address whether “downstream contractors” (subcontractors of Business Associates) are directly responsible for compliance with the Business Associate requirements of both the Security Rule and the Privacy Rule. According to the final rules, all such entities are directly responsible for compliance, even if the parties have not entered into a written Business Associate Agreement. Providers are not required to enter into Business Associate Agreements with all downstream contractors; they must sign a Business Associate Agreement with the entity with which they do business directly. Providers’ Business Associates are then required to obtain written “satisfactory assurances” from each of their immediate subcontractors, and those subcontractors must do the same with theirs. In the event of a breach, each downstream contractor is required to report up the chain, so that the report ultimately reaches the provider.
An example of the above requirements is a provider who contracts with a shredding company to dispose of records that include PHI. The provider must enter into a Business Associate Agreement with the shredding company. The shredding company, in turn, contracts with a trucking company to pick up the records and deliver them to the shredding company. The shredding company is required to obtain “satisfactory assurances” of compliance from the trucking company.
The new final rules also clarify that Business Associates are directly responsible under the Privacy Rule for:
- Limiting their uses and disclosures of PHI to those permitted by their Business Associate Agreements and by the Privacy Rule,
- Disclosing PHI to HHS when HHS requires it in order to investigate the Business Associate’s compliance with HIPAA,
- Disclosing PHI to covered entities or to individuals in response to requests for electronic copies of PHI,
- Complying with the minimum necessary requirements of the Privacy Rule, and
- Entering into Business Associate Agreements with their subcontractors.