Major Changes to HIPAA RulesMarch 01, 2013
On January 25, 2013, the Department of Health and Human Services ("HHS") issued the HIPAA Omnibus Rule to modify the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the “Omnibus Rule”). The Omnibus Rule requires material changes to the Notice of Privacy Practices as well as revisions to business associate agreements and HIPAA policies and procedures. It also enhances the HIPAA Enforcement Rule and implements the increased civil monetary penalties provided for under the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
The rules are effective March 26, 2013. Below is a summary of the key provisions.
Notice of Privacy Practices
The new rules require material changes to the Notice of Privacy Practices. Specifically, the Notice must now contain the following:
- description of the types of uses and disclosures that require an authorization
- statement that the individual has a right to restrict certain disclosures of protected health information (“PHI”) to a health plan if the individual paid for the health care in full, out-of-pocket
- statement that the covered entity is required by law to notify affected individuals following a breach of unsecured PHI
- statement that the individual may be contacted to raise funds and that the individual has a right to opt out of such communications (if applicable)
- statement that the covered entity is prohibited from using or disclosing genetic information for underwriting purposes (if applicable)
Commentary from HHS provides that these are “material” changes requiring distribution of the new Notice. If you are a provider, you must post the new Notice in a clear and prominent location and make the new Notice available at your delivery site and upon request from an individual. If you are a health plan, you must prominently post the new Notice on your website and distribute the new Notice in your next annual mailing.
Business Associates and Business Associate Agreements
The Omnibus Rule implements the HITECH provisions making business associates directly liable for compliance with certain HIPAA requirements. It also expands the definition of business associate to include subcontractors, patient safety organizations, health information organizations, e-prescribing gateways, other persons that facilitate data transmissions, and vendors of personal health records. The Omnibus Rule requires additional provisions in the business associate agreement which must be incorporated by September 23, 2013 (September 23, 2014 for existing contracts).
The Omnibus Rule changes the definition of breach and eliminates the harm approach to determining whether notification is required. Specifically, an impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless you can demonstrate through a risk assessment that there is a low probability the PHI has been compromised. These changes will require changes to your breach notification policies and procedures, including your risk assessment factors.
HIPAA Policies and Procedures
In addition to the items discussed above, there are numerous other changes to the privacy and security rules which will require review and revision of your HIPAA policies and procedures. These include changes to the following privacy and security rules:
- changes to numerous definitions, including, business associate, electronic media, PHI, reasonable cause, marketing, health care operations
- uses and disclosures for which an authorization is required
- individual's right to restrict the use and disclosure of PHI to a health plan
- individual's right of access to electronic PHI
- uses and disclosures of PHI of deceased individuals
- authorizations for research purposes
- authorizations for disclosures of immunizations to schools
- prohibition on most health plans from using or disclosing genetic information for underwriting purposes in accordance with the Genetic Information Nondiscrimination Act ("GINA")
- limitations on the use and disclosure of PHI for marketing and fundraising
- prohibition on the sale of PHI without authorization
The HIPAA Privacy Rule requires that when there is a material change to a covered entity’s policies or procedures, the covered entity must train each member of its workforce affected by the material change. Thus, you will need to provide training on the Omnibus Rule modifications within a reasonable time after the effective date.
Accounting of DisclosuresThe Omnibus Rule does not address the proposed requirement that covered entities account for all disclosures of electronic PHI, including disclosures for treatment, payment, and health care operations. This is to be addressed in a separate regulation.