It’s Finally Here! HHS Releases the Final Rule to Modify the HIPAA Privacy, Security, Breach Notification and Enforcement Rules
Health Law Update 01/18/13 Sarah E. Coyne, Jennifer J. Hennessy
The much anticipated moment has arrived: Today, the Department of Health and Human Services (HHS) released the final rule implementing the HITECH Act. The final rule will be published in the Federal Register on January 25, 2013 and is currently available online: https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules. The effective date of the final rule is March 26, 2013, and covered entities and business associates have 180 days after the effective date to come into compliance with most of the final rule's provisions, including the modifications to the Breach Notification Rule. Simply, you need to be in compliance by September 23, 2013.
Here is a 10,000-foot overview of some key provisions of the final rule:
- Breach Notification Rule: The final rule eliminates the "no significant risk of financial, reputational, or other harm" standard and replaces it with a "low probability" standard. An impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been compromised. The final rule also identifies objective factors that must be considered when performing the risk assessment.
- Marketing: An authorization is required for all treatment and health care operations communications where the covered entity receives financial remuneration (payments in exchange) for making the communications from a third party whose product or service is being marketed.
- Sale of PHI: The term "sale of protected health information" is specifically defined and excludes payments to a covered entity in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, where the provision of PHI is a byproduct of the service being provided. Further, the exchange of PHI through a health information exchange (HIE) paid for through fees assessed on HIE participants is not considered a sale of PHI.
- Research: The final rule permits the use of compound authorizations for any type of research activities, except to the extent the research involves the use or disclosure of psychotherapy notes. The final rule further provides that HHS no longer interprets the Privacy Rule to require that an authorization for the use or disclosure of PHI for research purposes be study specific and that authorizations may be used to authorize future research.
- Decedents: A decedent's PHI is protected for 50 years after the individual's death. After that point, the information is no longer considered PHI.
- Fundraising: Individuals must be provided with a clear and conspicuous opportunity to opt out of fundraising communications. A covered entity cannot send any fundraising communications to an individual who has elected not to receive such communications. In addition, the categories of information that can be used and disclosed for fundraising purposes without an authorization have been expanded to include department of service information, treating physician information and outcome information.
- Notice of Privacy Practices: The Notice of Privacy Practices (NPP) must include a statement indicating that the following require an authorization: (i) most uses and disclosures of psychotherapy notes (where applicable); (ii) uses and disclosures of PHI for marketing purposes; and (iii) disclosures that constitute a sale of PHI. The NPP must also include a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual.
- Electronic Access to PHI: The final rule adopted the proposed rule that if an individual requests an electronic copy of PHI that is maintained electronically, the covered entity must provide it in the form and format requested by the individual if readily producible, or if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
- Security Rule Applicability to Business Associates: The Security's Rules administrative, physical and technical safeguard requirements apply directly to business associates in the same manner as they apply to covered entities.
Stay tuned for additional updates detailing the requirements of the final rule!