HIPAA Game-Changer: Are You Ready? OCR Releases Long-Awaited HIPAA/HITECH Rules

Nossaman LLP

If your business is affected by HIPAA, 2013 will be a year of significant change. 

On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) released an omnibus rule with far-reaching consequences for entities subject to HIPAA. 

Although OCR says the new regulations, which become effective March 26, "are designed to increase flexibility for and decrease burden on regulated entities," they impose many seemingly burdensome obligations on healthcare providers and those with whom they do business.  Covered Entities and Business Associates have until September 23, 2013, to bring themselves into compliance with the new regulations.

Heightened Obligations for Subcontractors

As mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), the new rules make Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.  More notably, the rule converts subcontractors of Business Associates that create, receive, maintain, or transmit protected health information (PHI) on behalf of the Business Associate into Business Associates themselves, regardless of whether they are parties to a formal business associate agreement.

Breach Notification—A New "Harm" Standard

The new rule markedly increases the hurdle for determining when HIPAA breach notification is necessary.  HITECH permits a Covered Entity to avoid notification unless it determines that the unintended disclosure poses a "significant risk" of financial, reputational or other harm to the individual.  The new rule raises the bar by requiring the entity to demonstrate "a low probability" that the PHI has been compromised.  In making that determination, the entity must consider all of the following:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the individual has been mitigated.

Civil Money Penalties

The regulations incorporate HITECH's tiered civil monetary penalty scheme, which imposes a penalty up to $50,000 for each single violation and up to $1.5 million for all violations of the same provision in one calendar year.  (When HIPAA was first enacted, these numbers stood at $100 and $25,000.)  The final rule also sets out more detailed criteria that OCR will use in assessing penalties, including "the number of individuals affected" and "reputational harm."

Increased Privacy Protections

Individual patients and their advocates will praise the increased protections provided in the new rules.  They now have a greater ability to obtain their electronic health records and to restrict disclosures of their PHI to a health plan when paying out-of-pocket in full for health care services.  The new rules also prohibit the sale of patient information without the patient's permission and simplify the process of patient authorization of use of PHI in research.  As required by the Genetic Information Nondiscrimination Act (GINA), the new rules prohibit most health plans from using or disclosing genetic information for underwriting purposes. 

The rules also permit Covered Entities to provide proof of children's immunizations to schools without written parental authorization.  The new rule also requires that patients be given easy ways to opt out of fundraising and marketing communications.

New Compliance Measures

While Covered Entities have until September 23, 2013, to bring themselves into compliance with the new regulations, they have a long to-do list, which likely includes:

  • Revising and redistributing updated notices of privacy practices to include the new individuals' rights under the rules;
  • Reviewing health information privacy and security policies and revising them to ensure they are consistent with the new rules, including the breach notification requirements;
  • Reviewing business associate agreements and amending existing agreements as needed; and
  • Ensuring that internal HIPAA training curricula incorporate the new information.

Business Associates will also need to review their existing subcontractor agreements and bring them into compliance with business associate requirements.

How Nossaman Can Help

Nossaman's award-winning Healthcare Practice Group combines a long history of excellence with cutting-edge knowledge of the rapidly changing healthcare industry.  Chambers and Partners recognized Nossaman's 34-member Healthcare Practice Group as one of the best in California, praising the Group's combination of "hands-on knowledge of the legislative process and medicine with legal expertise to offer practical solutions to our clients."  Nossaman healthcare attorneys practice in the regulatory, transactional, legislative and litigation arenas, representing hospitals and other delivery systems, managed care organizations, research organizations, surgicenters, discount plans as well as practice entities and individual professionals.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising
