Originally posted August 01, 2013 by Callan Carter on http://www.laborlawyers.com
On January 25, 2013, Health and Human Services (HHS), the federal agency in charge of implementing the Health Information Privacy and Accountability Act of 1996 (HIPAA), issued regulations modifying the HIPAA Privacy and Security enforcement rules. These regulations finalized the amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), modified the HITECH Act's interim breach-notification rules, and modified the HIPAA Privacy Rules to implement the Genetic Information Nondiscrimination Act of 2008 (GINA).
The final rules went into effect on March 26, 2013; covered entities and business associates must comply with the final rule by September 23, 2013. Now is the time to make the necessary changes to your HIPAA Privacy and Security compliance materials.
Modifications to the proposed HITECH rules include:
1) confirmation that business associates are now directly liable for compliance with the HIPAA Privacy and Security Rules and are subject to HHS enforcement;
2) stronger limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and a prohibition on the sale of PHI without the individual's authorization;
3) expanded individual rights to receive electronic copies of their PHI and to restrict disclosures to a health plan concerning services for which the individual has already paid in full;
4) modifications to covered entities' privacy notices;
5) increased fines for noncompliance; and
6) a changed definition of "breach" that replaces the harm threshold with a more objective standard.
To implement GINA, the HIPAA rules are modified to prohibit most plans from using or disclosing genetic information for underwriting purposes.
The January regulations require changes to privacy notices, business associate agreements, authorization forms, training, HIPAA Privacy policies, and HIPAA Security policies, and they add a new privacy-agreement requirement between business associates and any subcontractors. They will also affect how a covered entity can use information to fundraise and will require business associates' subcontractors to implement their own HIPAA compliance measures.