Four years ago, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) introduced major revisions to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The U.S. Department of Health and Human Services (HHS) is now publishing final regulations implementing the HITECH Act changes, as well as additional changes required under the Genetic Information Nondiscrimination Act of 2008 (GINA).
The extensive omnibus regulations:
- Expand the scope and impact of the Privacy and Security Rules on business associates. Anyone providing services to a health plan, health care clearinghouse, or health care providers who receives or generates protected health information (PHI) may be subject to these expanded provisions. Previously, most business associates were subject to the Privacy and Security Rules only through a business associate agreement with the covered entity. The HITECH Act extended the application of HIPAA’s enforcement provisions to business associates directly, and it established an independent requirement that business associates implement many of the Security Rule’s administrative safeguards.
- Impose significant new restrictions on the use of PHI, including new rules governing the use of PHI for marketing and fundraising purposes, and prohibit the sale of PHI without authorization.
- Revise individual rights to reflect various HITECH Act requirements, such as the right to request electronic copies of an individual’s health information and to restrict disclosures to a health plan regarding treatment when the individual has paid in full for the service or product.
- Implement new enforcement of the tiered penalty structure established by the HITECH Act. The regulations maintain the structure established in interim final regulations in 2009. Depending on the degree of knowledge that the covered entity had or should have had regarding the violation, penalties for each violation range between $100 (did not know or have reason to know) and $50,000 (willful neglect without correction), with a maximum penalty for a given year of $1,500,000 for any violations of the same requirement or prohibition.
- Redesign the final HITECH Act breach notification rule. A covered entity must engage in a risk assessment and examine (1) the nature and extent of the PHI involved, (2) any unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) whether the risk to the PHI has been reduced or resolved.
- Include genetic information as in the definition of PHI. The regulations also finalize rules against the use of genetic information for health plan underwriting. The regulations make clear that any health plan covered by the Privacy Rule is subject to this requirement, not just health plans and insurers defined by GINA. Long-term care insurers are excluded by the regulations from this prohibition and may share genetic information for underwriting purposes, but they remain subject to the Privacy Rule.
The final rule is effective March 26, 2013, but provides a 180-day grace period on operational compliance. For existing business associate agreements, the new rule gives most covered entities and business associates an additional year to modify their current contracts to reflect the new regulations. This relief is available to business associate agreements entered into on or before January 25, 2013, the date the regulations are due to be published.
Over the next few weeks we will release a series of blog posts describing these changes in more detail. Please check back for additional information.
Stephen A. Riga is an associate in the Indianapolis office of Ogletree Deakins.