After long anticipation, on January 25, the U.S. Department of Health and Human Services (HHS) published final regulations in the Federal Register (Vol. 78, No. 17) modifying the HIPAA Privacy, Security, Enforcement and Breach Notification rules pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), the Genetic Information Nondiscrimination Act (GINA) and HHS's general rulemaking authority.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is, generally speaking, a federal law intended to protect the personal health information of Americans. Its implementing regulations are divided into several rules, including the Privacy Rule, the Security Rule, the Enforcement Rule and the Breach Notification Rule.
The final rule is effective March 26, but covered entities have 180 days, until September 23, to bring themselves into compliance. It should be noted, however, that the Enforcement Rule changes take effect on March 26 without a compliance grace period, because HHS does not consider them to be changes to standards or implementation specifications, per its comments in the Federal Register. For purposes of the Breach Notification Rule, compliance with the interim final rule continues to be required until the final rule's changes take effect on September 23.
HHS had previously issued proposed, interim and/or final rules on August 24, 2009 (the interim final rule for breach notification pursuant to the HITECH Act); October 7, 2009 (proposed rules modifying the HIPAA Privacy Rule pursuant to GINA); October 30, 2009 (the interim final rule on the HIPAA civil money penalty provisions under the HITECH Act); and July 14, 2010 (proposed rules for modifications to the HIPAA Privacy, Security and Enforcement rules mandated by the HITECH Act).
While certain provisions of the previous rules were carried forward, the final rule also adopted material changes. This article provides an overview of some of the material changes to HIPAA adopted by the final rule.
Under the final rule, the definition of a "business associate" was modified in certain ways. First, patient safety organizations, health information organizations, e-prescribing gateways and other people providing data transmission services for protected health information are all specifically included in the definition of "business associate."
Furthermore, the definition of "business associate" was broadened to encompass "downstream vendors," meaning that any subcontractor "that creates, receives, maintains, or transmits protected health information on behalf of" a business associate is itself a business associate, to the extent it requires access to protected health information. As a result, these subcontractors are directly responsible for compliance with the HIPAA Privacy and Security rules. By way of example, a billing company that is a direct business associate of a physician practice may contract with another company to store all of the billing work it has performed. That storage company would be a "subcontractor" required to comply with the HIPAA Security and Privacy rules. Despite the direct liability of business associates, business associate agreements are still required, both between covered entities and business associates and between business associates and their subcontractors.
In addition, business associates and subcontractors are given no additional time to come into compliance with the final rule; they are bound by the same September 23 deadline as covered entities. This may prove difficult, particularly for subcontractors that previously had little or no HIPAA exposure or training on its requirements.
In connection with these changes to business associate obligations, on January 25 HHS published on its website sample business associate contract provisions, which may also be adapted for contracts between business associates and subcontractors. This information is available at http://goo.gl/0OYWs. The sample language is not mandatory; it serves as a guide for entities bringing their agreements into compliance with the amended HIPAA provisions.
Enforcement Rule Changes
The changes to the Enforcement Rule predominantly implement the HITECH Act's mandate of four tiers of civil money penalties for HIPAA violations, which escalate based upon the state of mind of the violating entity. The lowest tier is for violations where the entity did not know, and by exercising reasonable diligence would not have known, of the violation. The second tier applies to violations due to reasonable cause and not to willful neglect. The third and fourth tiers (the highest) apply to violations due to "willful neglect." In the third tier, the violation is corrected within the mandated timeframe (generally 30 days from the date the entity knew, or should have known, of it); in the fourth, the violation is not corrected.
Consistent with these penalty tiers, the final rule addressed the handling of complaints involving possible "willful neglect." As noted in the Federal Register comments, the HITECH Act mandated that HHS formally investigate a complaint "if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect." The final rule reflects this by providing that HHS will investigate any complaint under that circumstance and retains discretion to investigate other complaints. In its comments, HHS also made clear that, in practice, it proceeds with an investigation of any complaint where its preliminary review reveals a possible HIPAA violation. The final rule further provides that HHS will conduct a compliance review when a preliminary review indicates a possible violation due to willful neglect.
To reflect the HITECH Act's mandate that penalties be imposed in cases of willful neglect, HHS modified the regulations so that it may proceed directly to formal enforcement for willful neglect violations as needed, while retaining the ability to resolve cases outside that category by informal means.