On January 17, the Department of Health and Human Services released its long-awaited final HIPAA/HITECH Omnibus Rule implementing provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA).
The rule makes important changes in the way HIPAA covered entities, business associates and downstream subcontractors are regulated. In several respects, the rule goes beyond statutory requirements to create new requirements and expand the reach of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.
The compliance date for most of the rule’s provisions is September 23, 2013.
Morris, Manning & Martin will present a webinar on the new rule on Tuesday, February 5, 2013. The webinar will discuss key provisions of the rule, explore what is really new in the rule and examine compliance steps regulated entities should take now. Register for the webinar here.
Important elements of the rule include the following:
Business Associates and Subcontractors
The rule implements the provisions of HITECH making business associates subject to civil and criminal penalties for HIPAA violations and requiring business associates to comply with most aspects of the HIPAA Security Rule. In addition, the rule classifies downstream subcontractors of business associates as business associates themselves. Thus, subcontractors will be subject to all of the HIPAA requirements that apply to business associates contracting directly with covered entities. The rule also creates new liability on the part of covered entities for HIPAA violations of their business associates.
Business associates who have not already complied with the Security Rule will need to do so, and given their direct liability for HIPAA violations, will want to be certain their privacy policies and procedures are up to par. Business associates also will want to be certain their agreements with subcontractors incorporate the required HIPAA provisions where appropriate. Subcontractors will need to be certain they comply.
The rule does away with the “significant risk of harm” standard that now applies to determining whether a security breach involving protected health information requires notification of affected individuals and other persons. Instead, the rule requires notice of any impermissible use or disclosure of protected health information unless the covered entity demonstrates there is a low probability that the information has been compromised.
Covered entities will need to amend their security breach policies and procedures to reflect the new standard for notification.
The rule requires covered entities to make several material changes to their HIPAA privacy notice to reflect new rights of individuals.
Covered entities will need to revise their HIPAA privacy notices and distribute the new notices.
The rule requires covered entities that maintain protected health information in electronic form to provide a copy of the information in an electronic format upon request.
Covered entities will need to revise their policies and procedures on access to protected health information and be prepared to provide electronic copies.
The rule makes GINA’s prohibition against using genetic information for underwriting purposes apply to all health plans subject to the HIPAA Privacy Rule, except for long-term care plans. Genetic information includes family medical history. Previously, HIPAA “excepted benefits” were not subject to this restriction under federal law. Now, any excepted benefit that is subject to the HIPAA Privacy Rule will be prohibited from using family history or other genetic information for underwriting purposes.
Health plans subject to the HIPAA Privacy Rule, including issuers of certain excepted benefits, will need to evaluate their underwriting practices in light of this restriction.
The rule sets new limits on how covered entities may use or disclose protected health information for marketing and fundraising purposes and prohibits the sale of an individual’s information without their permission.
Covered entities will need to evaluate their marketing and fundraising activities in light of the new requirements. Some communications not now considered “marketing” for purposes of the HIPAA Privacy Rule will be impermissible without an authorization.
The rule creates new standards for the initiation of compliance reviews and resolution of HIPAA violations by federal regulators. The rule also clarifies how federal regulators will apply the four-tiered civil money penalty scheme implemented under HITECH.