On January 25, the Office for Civil Rights of the Department of Health and Human Services published long-awaited final regulations modifying the privacy, security, enforcement and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), implementing the most significant changes to health care privacy and security law in a decade.

The final rule impacts all HIPAA-covered entities (health plans, health care providers and health care clearinghouses) and, most significantly, "business associates" to those covered entities and their subcontractors. The final rule is effective March 26, with compliance generally required by September 23.

The expansion of HIPAA’s regulatory authority to business associates and their subcontractors is consistent with the HITECH Act’s incentives promoting the adoption of electronic health records (EHRs) to help contain health care costs. The Office for Civil Rights recognizes that consumers may not have confidence in EHR companies and other vendors handling medical information if they are not directly subject to privacy and security regulations.

A "business associate" is an individual or organization acting on behalf of a HIPAA-covered entity that creates, receives, maintains or transmits protected health information (PHI) in connection with a function or activity regulated by HIPAA. Business associates include a host of companies that touch the health care industry, such as third-party group health plan administrators, wellness program vendors, management companies, billing services, outsourcing vendors, accountants, consultants and even certain attorneys that receive PHI from their clients. Prior to the final rule, business associates were merely subject to the terms of legally mandated business associate agreements entered into with covered entities. Under the final rule, business associates are directly subject to criminal and civil sanctions for HIPAA violations.

The final rule requires a business associate to comply with the HIPAA security regulations in the same manner as a covered entity, meaning that business associates must perform a formal security risk assessment, implement policies and procedures that address security-rule standards, appoint a security officer and conduct security training for workforce members. In contrast, the final rule does not extend all aspects of the HIPAA privacy regulations to business associates, but does provide that uses and disclosures of PHI in violation of a business associate agreement will constitute HIPAA violations.

The final rule amends the definition of "business associate" to include all downstream subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of a covered entity. As a result, a business associate must enter into business associate agreements with subcontractors receiving PHI, and those subcontractors will now be directly regulated by HIPAA in the same manner as business associates. In short, a vast array of businesses that are directly or indirectly related to the health care industry will be required to implement security compliance programs and take other steps to comply with new privacy and security obligations under the final rule by September 23.

The final rule also includes new requirements with respect to business associate agreement terms, security breach notification, subsidized marketing communications to patients, fundraising by covered entities, sales of PHI, a patient’s rights to request certain restrictions on information provided to a health plan and access to electronic PHI, covered-entity notices of privacy practices, authorizations obtained from patients to participate in clinical research, and protections for the PHI of decedents.

The final rule retains the tougher enforcement regime introduced under the HITECH Act, including civil penalties of up to $1.5 million per year and criminal penalties of up to $250,000 and 10 years’ imprisonment. The Department of Health and Human Services will conduct random audits of covered entities and business associates and investigate significant breaches and complaints.

How Are Group Health Plans AFfected?

Employer-sponsored group health plans are covered entities subject to HIPAA. There are a number of steps employers that sponsor such plans will need to take this year to bring their health plans into compliance with the final rule, as explained below.

• Review Business Associate Agreements

Employer plan sponsors should review agreements with plan vendors to ensure that they require the business associate to comply with the security rule and report any security breach to the covered entity, comply with the privacy rule as it applies to obligations delegated to the business associate under the agreement, and enter into a business associate agreement with each subcontractor that receives the plan’s PHI that contains the same (or greater) protections as the agreement with the covered entity.

• Employ New Risk-Analysis Standard for Breach Reporting

Under the prior rules, a "breach" was defined as an impermissible use or disclosure that compromised the security or privacy of PHI and posed a significant risk of financial, reputational or other harm to the affected individual. The final rule eliminates the "significant risk of harm" standard, which was deemed too subjective. Under the new definition of "breach," an impermissible use or disclosure of PHI is "presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." The final rule requires an analysis that, at a minimum, takes into account the nature and extent of the PHI, who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI was mitigated. Employer plan sponsors should review and revise, as necessary, their policies and procedures with respect to breach investigations to ensure compliance with the new risk-assessment standards.

• Provide Access to PHI in Electronic Form

The final rule expands individuals’ rights to receive copies of their PHI by requiring covered entities to provide access to PHI in the electronic form and format requested by the individual, if the PHI is maintained electronically in one or more designated record sets (e.g., enrollment, payment, claims and medical and billing records). Covered entities still have 30 days to respond to a request for PHI, even if the PHI will be sent electronically. Employer-plan sponsors should revise their policies and procedures to provide individuals access to electronic PHI in accordance with the final rule.

• Revise and Redistribute Notice of Privacy Practices

A number of provisions in the final rule will require changes to the notice of privacy practices required to be issued by covered entities. Health plans must post the revised notices on their websites and provide hard copies to participants at the next annual open enrollment.

• Train Privacy Employees

All privacy employees (i.e., those who have access to PHI) should be trained on the privacy rule and security rule and the health plan’s policies and procedures shortly after hire and periodically thereafter. Training programs should be updated to reflect changes required by the final rule.

HIPAA-covered entities with existing HIPAA compliance programs should review their privacy and security policies and procedures and documentation and make required changes before the compliance date of September 23. Covered entities that have not had a comprehensive HIPAA compliance program in the past, and business associates that are newly subject to the rules, must quickly take steps to implement the final rule and fill compliance gaps.

Reece Hirsch is a partner in Morgan Lewis’ FDA and health care practice, resident in the firm’s San Francisco office. He specializes in privacy and security law and can be reached at 415-442-1422 or rhirsch@morganlewis.com.

Lauren Licastro is of counsel in the firm’s employee benefits and executive compensation practice, resident in the firm’s Pittsburgh office. She specializes in employee benefits, including the application of HIPAA to employer group health plans, and can be reached at 412-560-3383 or llicastro@morganlewis.com.