11 February 2013
On January 17, 2013, the Department of Health and Human Services (HHS) issued the final “omnibus” rule modifying the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (Final Rule). As expected, the Final Rule extends the reach and limits of HIPAA’s privacy and security provisions. The Final Rule implements mandated changes to HIPAA set forth by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), enacted February 17, 2009, and, to a lesser extent, the Genetic Information Nondiscrimination Act of 2008 (GINA).
The Final Rule becomes effective on March 26, 2013, with covered entities and business associates expected to comply with the new standards and implementation specifications by September 23, 2013 (180 days from the effective date). We have prepared a more complete report, but summarize certain of the regulations below.
- Business Associates: The Final Rule broadens the definition of “business associate” to include “a[ny] person who ‘creates, receives, maintains or transmits’ protected health information (PHI) on behalf of a covered entity” (emphasis added). Subcontractors now also fall within the definition of business associate, and covered entities ultimately remain responsible for ensuring that the HIPAA rules are followed. The Final Rule also expands the applicability of the HIPAA Rules to business associates. For example, the Security Rule’s administrative, physical, and technical safeguard requirements and its documentation requirements now apply directly to business associates.
- Breach Notification: The Final Rule presumes that any unauthorized access to PHI is a breach, and it requires that the risk assessment focus on the likelihood that the PHI has been compromised. Notification may be avoided only if the covered entity or business associate that suffered the breach can demonstrate that there is a “low probability” that the PHI has been compromised. With regard to a business associate’s notification obligations, the Final Rule establishes that a business associate must provide notice of a breach of unsecured PHI to the covered entity “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
- Civil Monetary Penalties: The Final Rule adopts the HITECH Act’s tiered system for civil penalties, in which penalty amounts increase with the level of culpability associated with each tier. The Final Rule also sets a cap: penalties for violations of the same requirement or prohibition, under any of the tiers, may not exceed $1.5 million in a calendar year.
Further guidance and sample business associate agreement provisions to help covered entities and business associates comply with the new requirements under the Final Rule can be found on the HHS website.