On Jan. 15, Leon Rodriguez, Director of the Office of Civil Rights, released a letter to the nations’ healthcare providers reiterating adherence to what many commonly refer to as the Tarasoff standard. Tarasoff was a California case which basically set forth the provision that if a patient would cause imminent harm or risk to another then the standard rules of confidentiality did not apply in terms of providing information to law enforcement or others who could prevent the harm. Mr. Rodriguez’s letter reiterates this standard as found in the HIPAA Privacy Rule at 45 CFR §164.512(j) and clearly states that providers may provide information to law enforcement or others to prevent significant harm. This reporting must be based on a good faith belief that harm is likely to occur as well as reliance on an appropriate factual basis. This can include direct review by a physician as well as accepting a credible report from a family member or other knowledgeable person.

This position goes hand-in-hand with prior statements made by the OCR about the ability of providers to release, access or utilize information in the wake of significant natural or other disasters. After Hurricane Katrina, the OCR issued several statements regarding the ability of emergency responders and others to access data as needed to provide appropriate medical responses in large-scale emergencies. The basic premise reiterated by the OCR in each of these instances is simple - nobody dies because we were worried about HIPAA. These letters and the prior opinions by the OCR relating to the release of records in certain specific emergencies are clear, direct and straightforward.

On Jan. 17, the Department of Health and Human Services (HHS) issued the long-awaited and long overdue final regulations in regard to many of the changes put into place under HIPAA as part of the American Reinvestment and Recovery Act/HITECH. At almost 600 pages, these regulations are not as easily reviewed as the OCR opinions cited above. The effective date of this rule is March 26, 2013. General compliance is required in 180 days, with the compliance date for business associate (BA) obligations set at September 23, 2013. Existing BA agreements have additional time (1 year) for compliance on a “grandfathered” basis.

The Omnibus regulation is divided into four components. These include the following provisions:

• HIPAA Privacy and Security enforcement rules mandated by the HITECH Act have been implemented;
• Business Associates are now covered entities subject to much of HIPAA;
• The Federal Rules of Agency will apply to assessing breach liability;
• Significant changes to marketing and fundraising regulations and strong prohibitions against the sale of protected health information are included;
• The rules contain an emphasis on the patients’ right to receive electronic copies of the health information and restrict disclosures. This relates to the preexisting proposals supporting the patients’ ability to restrict disclosure of information when the patient pays the full out-pocket-costs for the procedure or treatment;
• Strong support for public health reporting remains;
• Adopts some new standards in relationship to enforcement while maintaining the tiered penalty system with additional mens rea definitions.
• These changes taken as a whole will require significant review and modifications to each entity’s Notice of Privacy Practices. It is anticipated that such updated Notice of Privacy Practice will be reissued to all patients as part of this process;
• The standards for when harm occurs as part of a breach have been changed and should be carefully reviewed in light of your policies and practices.
• Genetic Information Non-discrimination Act- GINA is getting significant attention in this Omnibus Regulation and the regulation clearly establishes that health plans may not use or disclose genetic information for underwriting purposes.