Reece Hirsch
Lauren Licastro
On January 25, the Office for Civil Rights of the Department of Health and Human Services published long-awaited final regulations modifying the privacy, security, enforcement and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), implementing the most significant changes to health care privacy and security law in a decade.
The final rule impacts all HIPAA-covered entities (health plans, health care providers and health care clearinghouses) and, most significantly, "business associates" to those covered entities and their subcontractors. The final rule is effective March 26, with compliance generally required by September 23.
The expansion of HIPAA's regulatory authority to business associates and their subcontractors is consistent with the HITECH Act's incentives promoting the adoption of electronic health records (EHRs) to help contain health care costs. The Office for Civil Rights recognizes that consumers may not have confidence in EHR companies and other vendors handling medical information if they are not directly subject to privacy and security regulations.
A "business associate" is an individual or organization acting on behalf of a HIPAA-covered entity that creates, receives, maintains or transmits protected health information (PHI) in connection with a function or activity regulated by HIPAA. Business associates include a host of companies that touch the health care industry, such as third-party group health plan administrators, wellness program vendors, management companies, billing services, outsourcing vendors, accountants, consultants and even certain attorneys that receive PHI from their clients. Prior to the final rule, business associates were merely subject to the terms of legally mandated business associate agreements entered into with covered entities. Under the final rule, business associates are directly subject to criminal and civil sanctions for HIPAA violations.
The final rule requires a business associate to comply with the HIPAA security regulations in the same manner as a covered entity, meaning that business associates must perform a formal security risk assessment, implement policies and procedures that address security-rule standards, appoint a security officer and conduct security training for workforce members. In contrast, the final rule does not extend all aspects of the HIPAA privacy regulations to business associates, but does provide that uses and disclosures of PHI in violation of a business associate agreement will constitute HIPAA violations.
The final rule amends the definition of "business associate" to include all downstream subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of a covered entity. As a result, a business associate must enter into business associate agreements with subcontractors receiving PHI, and those subcontractors will now be directly regulated by HIPAA in the same manner as business associates. In short, a vast array of businesses that are directly or indirectly related to the health care industry will be required to implement security compliance programs and take other steps to comply with new privacy and security obligations under the final rule by September 23.
The final rule also includes new requirements with respect to business associate agreement terms, security breach notification, subsidized marketing communications to patients, fundraising by covered entities, sales of PHI, a patient's rights to request certain restrictions on information provided to a health plan and access to electronic PHI, covered-entity notices of privacy practices, authorizations obtained from patients to participate in clinical research, and protections for the PHI of decedents.
The final rule retains the tougher enforcement regime introduced under the HITECH Act, including civil penalties of up to $1.5 million per year and criminal penalties of up to $250,000 and 10 years' imprisonment. The Department of Health and Human Services will conduct random audits of covered entities and business associates and investigate significant breaches and complaints.
How Are Group Health Plans Affected?
Employer-sponsored group health plans are covered entities subject to HIPAA. There are a number of steps employers that sponsor such plans will need to take this year to bring their health plans into compliance with the final rule, as explained below.
Review Business Associate Agreements