In January 2013, HHS issued final regulations updating the HIPAA privacy and security rules. The new regulations reflect changes made by HITECH and GINA,[1] along with various other changes and clarifications.
Highlights of the final regulations include:
1. Broader definition of “breach.” HITECH requires that health plans notify the government (HHS) and affected individuals of any breach of unsecured protected health information (“PHI”). Under prior regulations, a “breach” occurred only if the unauthorized use or disclosure of an individual’s PHI posed a significant risk of harm to the individual. HHS believes this standard was too subjective and resulted in underreporting of breaches. Under the final regulations, plans must presume that an unauthorized disclosure of unsecured PHI caused a breach, unless the plan determines (and documents) that there is a “low probability” that the PHI has been compromised.[2] If a breach does occur, the plan has the burden of demonstrating that all required notices were timely provided following the breach.
2. Broader definition of “business associate.” Previously, business associate status depended on whether a plan’s vendor used or disclosed PHI while performing services on behalf of the plan. The final regulations define “business associate” more broadly, to cover vendors that create, receive, maintain or transmit PHI while performing services on behalf of the plan. Under this new definition, data storage companies qualify as business associates because they “maintain” PHI (regardless of whether they ever view the PHI). Also, a document shredding vendor now qualifies as a business associate if it disposes of PHI for the plan. As under the prior rules, vendors who are merely couriers and do not access PHI on a routine basis – such as the postal service or internet service providers – do not qualify as business associates.
In addition, as required by HITECH, if a business associate subcontracts any of its business associate duties to a third party, that subcontractor is also a business associate and so is subject to the HIPAA privacy and security rules. The business associate (not the plan) is responsible for entering into a business associate agreement with each such subcontractor. The agreement must be at least as stringent as the one in place between the business associate and the plan.
3. Changes to business associate agreements (BAAs). BAAs must now include additional content – for example, a requirement that the business associate report any breach of unsecured PHI to the plan. BAAs generally had to be updated by September 23, 2013, except that BAAs in place before January 25, 2013 that are not renewed or modified between March 26 and September 23, 2013 do not have to be updated until September 23, 2014 (or, if earlier, when the BAA is renewed or modified). To assist with this process, HHS has issued an updated version of its sample BAA.[3]
4. Liability for agents’ actions. HITECH makes plans liable for a business associate’s HIPAA violation if the business associate is an “agent” of the plan, as determined under federal common law.[4]
5. Access to an electronic copy of PHI. Expanding on HITECH, the final regulations allow individuals to request an electronic copy of any PHI maintained electronically in a designated record set (i.e., enrollment, payment, claims adjudication and case or medical management records systems).
6. Changes to the notice of privacy practices. Plans must update their privacy notices to include additional content, effective no later than September 23, 2013. For example, notices must now provide that individuals have the right to be notified of any breach of their unsecured PHI. HHS considers these updates to be material, which under prior rules would have required distribution of the revised notice within 60 days of the changes’ effective date. The final regulations soften the deadline for distributing a revised notice, and the new rules depend on whether the plan has a website. If the plan does have a website, the plan must: (a) by the effective date of a material change to the notice, post either the change or the revised notice; and (b) in the next annual mailing to participants, include the revised notice (or information about the change and how to obtain the revised notice). If the plan does not have a website, the plan must provide the revised notice (or information about the change and how to obtain the revised notice) within 60 days of a material change.
In addition to updating their privacy notices and business associate agreements, plans should review their internal HIPAA policies and procedures and update as needed to comply with the final regulations. For example, procedures for handling PHI breaches will likely need to be modified to reflect the new definition of a “breach.” Plans and business associates should document that employees are trained on the new rules.
Plans (and business associates) must comply with the final regulations by September 23, 2013, except as described above with respect to amending business associate agreements and distributing updated privacy notices.
Finally, a reminder on the importance of HIPAA compliance: HHS has stepped up its HIPAA compliance audits in the past few years, and some very large penalties have been assessed. In several cases, the audit was triggered by a PHI breach involving a mobile device. For example, a health care provider was audited after a laptop was stolen that contained patients’ unencrypted PHI. HHS found that the provider did not have adequate HIPAA policies and procedures in place, and assessed a penalty of $1.5 million. HHS recently posted guidance on how to protect PHI when using mobile devices. The guidance is available at: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.
Not Intended As Legal Advice.
[1] The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) imposed more stringent HIPAA privacy and security requirements on health plans, business associates and other vendors of personal health information. The Genetic Information Nondiscrimination Act of 2008 (“GINA”) protects individuals from discrimination, in health coverage and in employment, based on genetic information.
[2] In determining whether there is a “low probability” that PHI has been compromised, the plan must consider the following factors: (a) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the affected individuals; (b) the unauthorized person who used the PHI or to whom the disclosure was made; (c) whether the PHI was actually acquired or viewed; and (d) the extent to which the risk of further impermissible use or disclosure of the PHI has been mitigated.
[3] HHS’ updated sample BAA is available on the HHS website under “Business Associate Contracts.”
[4] Likewise, a business associate is liable for a subcontractor’s HIPAA violation if the subcontractor is the business associate’s agent, as determined under federal common law.