By Anne Sumpter Arney
Earlier this year, the government published the final regulations (the “Final Rule”) implementing modifications of the rules under the Health Insurance Portability and Accountability Act (HIPAA) and provisions enacted in the Health Information Technology for Economic and Clinical Health Act (HITECH). With the September 23 Final Rule compliance date looming, medical professionals and institutions need to ensure they understand the modifications to their HIPAA obligations and take all necessary steps to review and update their compliance. The following areas are among those modified by the Final Rule: the definition of business associate; the required terms in the business associate agreement; a patient’s right to access his or her protected health information (PHI); a patient’s right to restrict disclosures of PHI; the rules governing security breach notifications; the required contents of the notice of privacy practices; the use and disclosure of PHI in marketing, sales or fundraising activities; and enforcement.
The Final Rule expands the definition of business associate. A business associate now also includes personal health record vendors, patient safety organizations and certain subcontractors of a business associate and others who maintain and store PHI. The Final Rule also requires some modification of business associate agreements to include additional obligations.
The Final Rule expands individual rights in several important ways. Patients can now request their medical records in electronic format, and records maintained electronically must be produced within 30 days in the form and format requested, if readily producible in that form. There is also a new right for a patient to restrict certain disclosures of PHI to a health plan where the individual, a family member or another person pays out of pocket in full for the healthcare service or item. The Final Rule also changes how PHI can be used and disclosed for marketing and fundraising purposes and now explicitly prohibits the sale of PHI without a patient’s authorization.
The rules governing breach notification obligations have been amended. Under the Final Rule, any acquisition, access, use or disclosure of PHI not permitted by the Privacy Rule is now presumed to be a breach unless the covered entity (or business associate) demonstrates there is a low probability that the PHI has been compromised. The standard used for the risk assessment has changed from a “risk of harm” standard to a “risk of compromise” standard, and four specific factors must be considered in making that assessment. Further, the limited data set exception has been eliminated by the Final Rule.
In the area of enforcement, the Final Rule increases penalties for noncompliance, using a tiered structure based on the level of culpability, for violations occurring after February 18, 2009. The maximum potential penalty is $1.5 million per calendar year for violations of an identical provision.
The Notice of Privacy Practices must be updated to reflect the changes in the Final Rule, including those related to breach notification, disclosures and marketing of PHI.
Although several of the changes required by September 23 have been briefly summarized here, this is just an overview of the Final Rule and should not be relied upon except as a reminder to review and update your compliance obligations under HIPAA. For assistance in implementing these changes or for additional information on how these changes may affect your practice, please contact one of the attorneys in the Healthcare Practice Group at Bone McAllester Norton.