On January 25, 2013, the U.S. Department of Health and Human Services (“HHS”) published the long-awaited Final HIPAA Omnibus Rule (“Final Rule”), substantially overhauling the HIPAA Privacy, Security, and Breach Notification Rules. Covered entities such as health care providers, health care clearinghouses, and health plans (including self-funded health plans maintained by employers) must be in compliance with the Final Rule by September 23, 2013. Additionally, under the Final Rule, business associates will now be held directly liable for failure to comply with the HIPAA Security Rule and certain aspects of the HIPAA Privacy Rule, and they must meet the September 23, 2013 compliance deadline as well.
Below are a few of the key provisions of the Final Rule that will require attention before the compliance date:
- Business Associates: In general, a business associate is a person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of protected health information (“PHI”). The Final Rule expands the definition of “business associate” to include any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Further, subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are now themselves “business associates,” even if the subcontractor has no direct relationship with the covered entity. Business associates will need to review their own policies to ensure they comply with the Final Rule, and all business associate agreements, as well as downstream agreements with business associate subcontractors, will need to be updated. Certain business associate agreements already in place before January 25, 2013 may qualify for an extended compliance deadline of September 22, 2014. Both covered entities and business associates should build vendor management review into their contracting process with business associates and subcontractors to ensure compliance with all HIPAA requirements.
- Breach Notification: The Final Rule replaces the “significant risk of harm” standard with a new standard for determining whether a reportable breach has occurred. Under the Final Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a risk assessment by the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. That risk assessment must consider at least four factors: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated. All covered entities and business associates will need to familiarize themselves with this new standard, document each risk assessment, and revise their breach notification procedures accordingly.
- Notice of Privacy Practices: The Final Rule includes new content requirements for the Notice of Privacy Practices (“NPP”), such as a statement that the covered entity is required to notify affected individuals following a breach of unsecured PHI and a statement informing individuals of their new right to restrict certain disclosures to a health plan of PHI that pertains solely to an item or service for which the individual has paid in full out of pocket. Covered entities should review and update their NPP in light of the Final Rule.
- Individual Rights: The Final Rule expands an individual’s right to receive electronic copies of his or her PHI. Covered entities should ensure their HIPAA privacy policies reflect these new rights.
- Marketing: Covered entities must now obtain an individual’s authorization to use or disclose PHI for communications about a product or service, including communications that would otherwise qualify as treatment or health care operations, if the covered entity receives payment from a third party whose product or service is being marketed. Business associates and subcontractors that receive payment from a third party in exchange for marketing a product or service must likewise obtain prior authorization.
- Sale of PHI: The Final Rule generally prohibits the sale of PHI unless the covered entity or business associate has obtained an authorization from the individual.
- Genetic Information: A health plan is no longer permitted to use or disclose PHI that is genetic information for underwriting purposes. Plan documents, summary plan descriptions, and policies and procedures must be reviewed and revised to reflect the Final Rule. In addition, for group health plans that engage in underwriting, the NPP must be revised to include a statement that the plan is prohibited from using or disclosing genetic information for underwriting purposes. Issuers of long-term care policies are the exception; they are not subject to the underwriting prohibition.