The U.S. Department of Health and Human Services has issued final rules to:
- Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information.
- Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comments received on the interim final rule;
- Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title 1 of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
- Make other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to improve their workability and effectiveness, and to increase flexibility and decrease burden on regulated entities.
- The final rules were published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013. This is the second in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
First, with regard to business associates, the new final rules clarify whether “conduits” of protected information are business associates. Specifically, entities that provide transmission services only, including any temporary storage of protected health information (PHI) incidental to transmission services, are not business associates. Entities that provide storage are considered to be business associates, even if the agreement with the covered entity does not contemplate any access, or access on a random or incidental basis only. In short, the “test” under the new final rules is length of custody; not access.
The new final rules also address the issue of whether “downstream contractors” are directly responsible for compliance with the business associate requirements of both the Security Rule and the Privacy Rule. According to the final rules, all entities are directly responsible for compliance even if the parties do not enter into a written business associate agreement. Providers are not required to enter into business associate agreement with all downstream contractors. They must sign a business associate agreement with the entity with which they do business directly. Providers’ business associates are then required to get written “satisfactory assurances” from each of their immediate subcontractors. In the event of a breach, all “downstream contractors” are required to report up the chain to providers.
An example of the above requirements is a provider who contracts with a shredding company to dispose of records that include PHI. The provider must enter into a business associate agreement with the shredding company. The shredding company, in turn, contracts with a trucking company to pick up the records and deliver them to the shredding company. The shredding company is required to get “satisfactory assurances” of compliance from the trucking company.
The new final rule also clarifies that business associates are directly responsible under the Privacy Rule for:
- Limiting uses and disclosure of PHI to requirements of business associate agreements in the Privacy Rule,
- Disclosing PHI to HHS for investigation of business associates’ compliance with HIPAA,
- Disclosing PHI to covered entities or individuals in response to requests for electronic copies of PHI,
- Compliance with the minimum necessary requirements of the Privacy Rule, and
- Entering into business associates agreements with subcontractors.
Stay tuned for more articles in this series on the new final HIPAA rules!
No portion of this material may be reproduced in any form without the advance written permission of the author.
© 2013 Elizabeth E. Hogue, Esq. All rights reserved. No portion of this material may be reproduced in any form without the advance written permission of the author.