Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations.
While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and the HHS press release) have noted so far:
- Many of HIPAA’s privacy and security requirements will now directly apply to business associates;
- Business associates may also be directly liable for the increased civil penalties for noncompliance, which are tiered by level of negligence up to a maximum of $1.5 million per calendar year for violations of an identical provision;
- Subcontractors of business associates will automatically become business associates themselves;
- HIPAA will no longer protect the individually identifiable health information (IIHI) of individuals who have been deceased for more than 50 years;
- The definition of breach is changed so that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised;
- Breach notification is not required if a risk assessment demonstrates that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual, as was provided under the interim final rule;
- The final rule also identifies the more objective factors covered entities and business associates must consider when performing that risk assessment (at a minimum: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated) to determine whether PHI has been compromised and breach notification is necessary;
- When individuals pay for their care in cash, they can instruct their provider not to share information about their treatment with their health plan;
- Patients can request a copy of their electronic medical record in an electronic form;
- There are new limits on how information is used and disclosed for marketing and fund-raising purposes; in particular, the sale of an individual’s health information without permission is prohibited;
- An individual’s ability to authorize the use of his/her health information for research purposes will be streamlined;
- It will be easier for parents and others to give permission to share proof of a child’s immunization with a school; and
- The final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care policies.
The final rule is effective on March 26, 2013; the compliance date is 180 days thereafter (September 22, 2013). Covered entities and business associates will have up to one year after the 180-day compliance date to modify existing business associate contracts in order to comply with the new rules; any contract entered into, renewed, or modified after the compliance date must comply from the outset.