The omnibus final rule updating provisions of the Health Insurance Portability and Accountability Act (HIPAA) released Jan. 17 is designed to enhance a patient’s privacy protections, provide individuals new rights to their health information, and strengthen the government’s ability to enforce the law. “Much has changed in health care since HIPAA was enacted over 15 years ago,” said Kathleen Sebelius, secretary of the Department of Health and Human Services. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.” The rule, published in the Federal Register Jan. 25, contains final modifications to the HIPAA privacy, security, and enforcement rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Specifically, these modifications:
- Make business associates of covered entities directly liable for compliance with certain of the HIPAA privacy and security rules’ requirements;
- Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fund-raising purposes and prohibit the sale of protected health information without individual authorization;
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices;
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others; and
- Adopt the HITECH Act enhancements to the enforcement rule not previously adopted in the Oct. 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA rules due to willful neglect.
The final omnibus rule also adopts changes to the HIPAA enforcement rule to incorporate the increased and tiered civil money penalty (CMP) structure provided by the HITECH Act, originally published as an interim final rule on Aug. 24, 2009. This increases CMPs and caps maximum annual penalties at $1.5 million, up from $25,000. The rule also replaces the breach notification standard for unsecured protected health information under the HITECH Act with a new harm threshold based on a more objective standard, and it incorporates the final rule modifying the HIPAA privacy rule as required by the Genetic Information Nondiscrimination Act to prohibit most health plans from using or disclosing genetic information for underwriting purposes.

Business Associates’ Compliance
While HIPAA privacy and security rules have concentrated on health care providers, health plans, and health clearinghouses, the changes in the new rule expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest data breaches reported to HHS have involved business associates. Historically, a business associate has been defined as a person who, on behalf of a covered entity or an organized health care arrangement, performed or assisted in the performance of a function or activity regulated by HIPAA and involving the use or disclosure of individually identifiable health information. The definition included, by way of example, various functions that a business associate may provide, including legal, actuarial, accounting, consulting, management, administrative, or financial services. Various changes have been made to this definition in the final rule. For one, patient safety activities have been added to the list of functions and activities that a person may undertake on behalf of a covered entity that give rise to a business associate relationship. In addition, the definition of a business associate now includes both a list of activities that constitute business associate activities and those that specifically fall outside the definition of a business associate. The following are now specifically included in the definition as examples of business associates:
- A health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access to such PHI on a routine basis;
- A person who offers a personal health record to one or more individuals on behalf of a covered entity; and
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.

Data Breach Incidents
HHS replaces the harm standards for data breach incidents, requiring notification to individuals unless there is a low probability the data were compromised. This may be the biggest change, analysts say, since the interim final rule required entities to notify individuals that their protected health information had been breached only if they determined through a risk assessment that the individuals could suffer financial, reputational, or other harm.

Patients’ Rights
Individual rights are expanded in the new rule as follows:
- Patients can ask for a copy of their electronic medical records in an electronic form;
- When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan;
- New limits are set on how information is used and disclosed for marketing and fund-raising purposes; and
- An individual’s health information cannot be sold without his or her permission.
The rule becomes effective March 26, but covered entities and their business associates have until Sept. 23 to comply with most provisions. In the case of existing business associate agreements, covered entities have until September 2014 to make changes. The omnibus final rule is available at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.