Health and Human Services Department (HHS) Releases Final Health Insurance Portability and Accountability Act (HIPAA) Rule

The Department of Health and Human Services has issued a final rule to modify the HIPAA privacy, security, breach notification and enforcement rules, as well as increasing privacy protections under the Genetic Information Nondiscrimination Act.

For the most part, the final rule closely follows the proposed rules and interim final rules issued in 2009 and 2010. The major change is in the breach notification section: the subjective "harm" standard, under which a breach had to be reported only if it caused or could cause considerable harm to one or more individuals, is replaced with a more objective risk assessment process for determining whether protected health information has been compromised.

The final HIPAA rule becomes effective on March 26, 2013 with the compliance date for covered entities and business associates on September 23, 2013. Covered entities have one year from the compliance date to amend business associate agreements to match new requirements.

The final rule includes provisions:

  • Setting a four-tier financial penalty structure for breaches deemed serious enough to warrant a federally imposed penalty. Based on the level of fault, fines range from $100 to $50,000 per violation, with a $1.5 million cap on violations of an identical provision within a calendar year.
  • Making business associates (BAs) and their subcontractors comply with the HIPAA rules in the same manner covered entities must; making BAs and subcontractors directly liable for HIPAA violations – even if a BA failed to enter into a formal contract with a subcontractor – and making covered entities and business associates legally liable for the acts of their business associates. A business associate of a business associate is a subcontractor. The BA – not the covered entity – is responsible for ensuring its subcontractor appropriately safeguards information, but the covered entity remains responsible for the BA’s actions.
  • Expanding the definition of business associate to include patient safety organizations, health information organizations, e-prescribing gateways, providers of data transmission services for protected health information (PHI) to a covered entity that require routine access to the PHI, and personal health record (PHR) vendors offering PHRs to individuals on behalf of a covered entity. PHRs offered directly to individuals only are not covered.
  • Clarifying that PHI stored in photocopiers, faxes and other office equipment that retain data, whether intentionally or not, is subject to the privacy and security rules, and PHI should be wiped before a device is removed from the office.
  • Applying to business associates the minimum necessary standard when using or disclosing PHI, or when requesting PHI from another covered entity or business associate.
  • Enabling patients to ask for a copy of their electronic medical record in an electronic form, with fees charged not greater than labor costs.
  • Enabling patients who pay out of pocket to instruct providers not to disclose information about that treatment to insurers. Separate or segregated records are not required, but some type of flag or other notation of the restriction in the record is necessary.
  • Enabling patients to easily opt out of receiving fundraising and marketing solicitations.
  • Prohibiting the sale of an individual’s health information without the individual’s express consent, with exemptions when the information is used for public health activities or research purposes.

The Medical Group Management Association (MGMA) has voiced its concern with the new final rule:

“We are strongly supportive of comprehensive privacy and security standards aimed at avoiding unauthorized use or disclosure of patient health information. However, it is critical that the safeguards mandated by the government be practical, flexible and affordable for the broad spectrum of medical practices.”

“We are concerned about the ability of practices to implement the changes associated with this final rule – including the requirement to modify and reissue notices of privacy practices and modify business associate agreements – within the short time frames allotted. We will continue to monitor our member practices to ensure that administrative burdens imposed by the government do not hinder the necessary flow of health information for patient treatment, payment and healthcare operations purposes.”

The final rule is available here for further review.