OCR Issues Advance Release of HIPAA Privacy and Security Rules

The HHS Office for Civil Rights (OCR) has issued an advance release of a final rule that amends the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy, Security, and Enforcement Rules as mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5), and section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) (P.L. 110-233). According to HHS, the final rule is needed to strengthen the privacy and security protections established under HIPAA for individuals’ health information, whether maintained in electronic health records (EHR) or in other formats. The final rule, which becomes effective March 26, 2013, (1) strengthens the privacy and security protections for individuals’ health information; (2) modifies the HITECH Act Breach Notification Rule to address public comments received on the interim final rule; (3) modifies the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing the GINA provisions; and (4) modifies other provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules to improve their workability and effectiveness, increase flexibility for regulated entities, and decrease the burden on them.

HHS’ Announcement

In its news release announcing the final rule, HHS said that the HIPAA Privacy and Security Rules have until now focused on health care providers, health plans, and other entities that process health insurance claims. Noting that some of the largest breaches reported to HHS have involved business associates of covered entities, HHS explained that the final rule extends many of the HIPAA privacy and security requirements to business associates that receive protected health information (PHI) (see below). HHS also said that individual rights are expanded in important ways, as described below.

Modifications to the HIPAA Privacy and Security Rules

Under the final rule, business associates of covered entities will be directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules. The final rule modifies a number of definitions to implement the HITECH Act provisions, including the definition of “business associate.” The following additional entities will be considered business associates: Patient Safety Organizations; Health Information Organizations; E-prescribing Gateways; other persons that provide data transmission services involving PHI to a covered entity and that require routine access to PHI; and persons who offer a personal health record to one or more individuals on behalf of a covered entity. The definition of business associate will also include a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate.

In addition, the final rule strengthens the limitations on the use and disclosure of PHI for marketing and fundraising purposes and prohibits the sale of PHI without the individual’s authorization. The final rule further expands individuals’ rights to receive electronic copies of their health information and allows individuals to restrict disclosures to a health plan concerning treatment for which they have paid out of pocket in full. The final rule also (1) requires modifications to, and redistribution of, a covered entity’s notice of privacy practices; (2) modifies the individual authorization and other requirements to facilitate research and the disclosure of proof of child immunization to schools; and (3) enables family members or others who were involved in the decedent’s care or in payment for that care before the decedent’s death, as well as historians, to access decedent information without first having to locate a personal representative of the deceased individual to authorize the disclosure.

Amendments to the Enforcement Rule

The HIPAA Enforcement Rule governs the compliance responsibilities of covered entities with respect to the enforcement process, including the rules for investigations by HHS, the process and grounds for setting the amount of a civil money penalty once a violation of a HIPAA Rule has been found, and the procedures for hearings and appeals when a covered entity challenges a violation determination. OCR has amended the regulations by adopting the HIPAA Enforcement Rule provisions of the HITECH Act that were not adopted in the October 30, 2009, interim final rule (74 FR 56123), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

Prior to this final rule, the regulations required the Secretary to attempt to resolve indicated violations of the HIPAA Rules by informal means. The final rule makes informal resolution discretionary, so that, consistent with the HITECH Act, the Secretary need not attempt informal resolution of violations due to willful neglect before proceeding to formal enforcement.

In addition, the final rule incorporates the increased, tiered civil money penalty structure established by the HITECH Act and originally published in the October 30, 2009, interim final rule. Penalties for noncompliance increase with the level of culpability, up to a maximum of $1.5 million per calendar year for all violations of an identical provision. The changes also strengthen the HITECH Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. In particular, the “harm” threshold of the breach notification interim final rule published on August 25, 2009 (74 FR 42962) is replaced with a more objective standard: an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a risk assessment, that there is a low probability that the PHI has been compromised.

Amendments Mandated By GINA

The final rule amends the HIPAA Privacy Rule to clarify that genetic information is health information. In addition, the final rule prohibits group health plans, health insurance issuers (including HMOs), and Medicare supplemental policy issuers that are covered entities under the HIPAA Privacy Rule (with the exception of issuers of long-term care policies) from using or disclosing genetic information for underwriting purposes (see the interim final rule published October 7, 2009 (74 FR 51664)).

Compliance Date

Covered entities and business associates of all sizes will have 180 days beyond the March 26, 2013, effective date, that is, until September 23, 2013, to comply with most of the new requirements and modifications to the HIPAA Rules, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. OCR noted that, going forward, covered entities and business associates will be required to comply with any modification to the HIPAA Rules within 180 days of its effective date unless otherwise specifically stated. In the meantime, covered entities and business associates must continue to comply with the rules as they existed under the interim final rules until the applicable compliance date of this final rule.