After years of promising a final rule, the United States Department of Health and Human Services released revisions to the privacy, security, enforcement and breach notification rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The multiple changes can be complex, and many in the field have said that we will still be digesting the regulations and commentary in the months to come, but one thing is certain: those covered by the rule, and those individuals and entities that are considered Business Associates under the rule, have much to do prior to September 23, 2013, when most of the new provisions take effect.
This legal alert discusses some of the items that clients will need to address in the coming months. We would recommend developing a work plan to implement changes as soon as possible to avoid a last-minute crunch to complete everything by the September compliance date (those of you who remember April 2003 will know what I am talking about):
- Revisions to your breach notification policies and procedures. The new rules eliminate the "harm standard" and add a new risk assessment methodology.
- Required changes to your Notice of Privacy Practices. Note that health care providers will not be required to redistribute the Notice but must conspicuously post it and have copies available upon request.
- Changes to requirements regarding marketing. The final rule requires an authorization for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communication from the third party whose product or service is being marketed. There are many subtle nuances to this rule.
- Revisions to the rules regarding fundraising.
- Application of certain provisions to Business Associates. New provisions create a "chain of trust" requirement, meaning that Business Associates must receive assurances from their subcontractors of compliance with the rules.
- Business Associates now include patient safety organizations when they receive reports of patient safety events or concerns from providers and analyze those events for the reporting providers. Health information organizations, e-prescribing gateways or other persons or entities that provide data transmission services involving protected health information (PHI) for a Covered Entity are also Business Associates if their functions require access to PHI on a "routine basis." Those who provide personal health records on behalf of a Covered Entity are Business Associates as well.
- Revisions to Business Associate Agreements. Contracts that were in effect before January 25, 2013, and that are not renewed or modified between March 26, 2013 and September 23, 2013, do not need to be modified until September 22, 2014, unless they are renewed or modified during that period.
- The new rules restrict the sale of PHI without authorization with certain definitional exceptions.
- Rule changes regarding the authorizations required for research purposes.
- Changes to rules regarding when family members of a decedent can receive the PHI of a decedent.
- Changes to rules regarding the release of immunization records.
- Changes to the rules regarding the right to request a restriction on disclosure.
- Revisions to the right of access, including requirements that Covered Entities provide an individual with a copy of his or her electronic health record in the form and format the individual requests, or if the form or format is not readily producible, in a readable electronic form and format agreed to by the parties. The rule sets forth limitations on what can be charged for the provision of this information, which must be read in conjunction with New York State laws. The rule also changes the timeliness standard as to how long a Covered Entity has to respond to a request for access, which also must be read in conjunction with New York State law.
Note that changes were also made to the enforcement rules, which all Covered Entities and Business Associates hope will be irrelevant to them. Recent enforcement activities have included recoveries from small and large organizations of all types and ownership, including a hospice that paid $50,000 to settle potential violations of the security regulations involving fewer than 500 individuals. Investigation into the loss of an unencrypted laptop computer containing the electronic protected health information of 441 patients led to the discovery that the hospice had not conducted a risk analysis and did not have policies or procedures in place to address mobile device security.
Hiscock & Barclay has substantial experience in assisting its clients with complying with the HIPAA privacy and security regulations and related New York State privacy and security laws. Should you need assistance in updating or implementing your plan, including document revision and development, and training of Boards of Directors and staff, please contact Melissa Zambri, Chair of the Firm's Health Care and Human Services Practice Area at (518) 429-4229 or mzambri@hblaw.com or any other member of our Practice Area.