In January, the Office for Civil Rights of the U.S. Department of Health & Human Services (HHS) published the final rules implementing the HITECH Act’s revisions to HIPAA. With a few exceptions, covered entities and business associates must adjust existing business practices in order to comply with these requirements by the September 23, 2013 compliance deadline. For most in the industry, maintaining the status quo will mean that compliance plans and policies will soon be outdated. Failure to update policies and procedures can pose far-reaching consequences and result in substantial financial penalties. Industry leaders should pay particular attention to the following:
Expansion of the “business associate” definition:
One of the larger changes contained in the final rules is the expansion of the business associate definition, particularly as it concerns subcontractors of business associates. Subcontractors who require access to or use of PHI as part of their services to a business associate must now enter into a written agreement meeting regulatory requirements. The amended definition also includes entities that provide data transmission services to a covered entity and require routine access to PHI. Finally, entities that maintain PHI on behalf of a covered entity, even if they never view or access the PHI, are also considered business associates under the new rules. The expanded definition of “business associate” imposes new contracting responsibilities for arrangements that previously posed limited or no HIPAA concerns.
Amendments to the breach notification rule:
The final rules clarify that a breach is presumed, and therefore notification of affected individuals is necessary, in all situations except where a risk assessment shows a low probability that the PHI has been compromised. This revision eliminates the previous, more subjective standard, under which notification was not required if there was no significant risk of harm to the individual. As a result, entities must amend their compliance plans and policies for conducting a risk assessment following a potential breach of PHI to ensure they meet this new standard.
Increased liability exposure for covered entities:
The final rule removes an exception for civil monetary penalties (“CMP”) that previously protected a covered entity where its business associate was responsible for an improper act and the covered entity had no knowledge of the violation. Now covered entities and business associates face potential CMP liability for the acts or omissions of their agents that occur within the scope of the agency. Particular care must be taken in wording new business associate agreements, or amending existing ones, so that covered entities do not unintentionally create a principal-agent relationship with their business associates.
The final rules also require: (i) modifying and redistributing notices of privacy practices; (ii) revising policies regarding the use and disclosure of PHI for marketing and fundraising; and (iii) revising policies to address the expanding rights of patients to receive electronic copies of health information.
HHS allows some existing agreements to be grandfathered for a period beyond the compliance date of September 23, 2013, so covered entities and business associates may wish to determine whether their existing agreements are within the scope of the temporary grandfathering provision.
Timely action is required in order to meet the looming HIPAA compliance deadline and ensure that covered entities and business associates do not expose themselves to potential financial penalties.