On Friday, January 25, 2013, the Office of Civil Rights of the Department of Health and Human Services published its long-awaited omnibus final rule (the Final Rule) implementing the Health Information Technology for Economic and Clinical Health Act (HITECH) under the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule ushers in significant changes to many HIPAA/HITECH requirements for covered entities (CEs) and business associates (BAs), most of which must be complied with by September 23, 2013. Some businesses that were never directly subject to HIPAA/HITECH rules before are now included in an expanded definition of BAs under the Final Rule.
In particular, the Final Rule modifies the Privacy Rule, the Security Rule, the Breach Notification Rule, the Genetic Information Nondiscrimination Act of 2008 (GINA) Rule, and the Enforcement Rule. It also confers BA status on many subcontractors of existing BAs. Some important aspects of the Final Rule include:
- Making BAs and their subcontractors directly liable for breach of certain HIPAA Privacy and Security Rules;
- Placing new limits on how protected health information (PHI) can be used for marketing and fundraising;
- Broadening the definition of “breach” for purposes of the Breach Notification Rule;
- Expanding the rights of individuals to receive electronic copies of their PHI and limiting the rights of health plans;
- Modifying certain aspects of CEs’ notices of privacy practices and requiring redistributions of notices;
- Prohibiting the sale of PHI in most circumstances without the authorization of the individual;
- Strengthening the enforcement of HIPAA/HITECH violations; and
- Modifying the definition of “health information” within the Privacy Rule to include GINA’s definition of “genetic information” and providing definitions for other GINA-related terms.
Complying with the Final Rule will be a significant undertaking for CEs and BAs, requiring revised policies and procedures, training, and documentation to demonstrate compliance. CEs and BAs should update form BA agreements, notices of privacy practices, marketing authorizations, and breach response plans. CEs and BAs are required to conduct a risk analysis regarding the confidentiality, integrity and availability of electronic PHI, and document remedial actions accordingly. For some newly designated BAs, this will be a first.
We continue to analyze the implications and impact of the Final Rule, which is available here. If you have any questions, please contact any member of the Carmody & Torrance LLP Health Care Practice Group for more information.