The Department of Health & Human Services has issued the long-awaited HIPAA final rule entitled: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
This notice comprises four final rules:
1. Final rule to modify the HIPAA Privacy, Security, and Enforcement Rules (proposed July 14, 2010)
- Make business associates of covered entities directly liable for compliance with HIPAA Privacy and Security Rules’ requirements.
- Strengthen the limitations on use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information.
- Restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule (Oct. 30, 2009 interim final rule) to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
3. Final rule on Breach Notification for Unsecured Protected Health Information (Aug. 24, 2009 interim final rule), replacing the breach notification rule’s “harm” threshold.
4. Final rule modifying the HIPAA Privacy Rule (October 7, 2009 proposed rule).
The final rules become effective on March 26, 2013. The National Association for Home Care and Hospice will provide information on provisions of interest to home health and hospice providers for each of these final rules in a series of articles. This article addresses the definitions and compliance requirements in 45 CFR §§160.101 through 160.534.
This rule expands the definition of business associate to include subcontractors, that is, business associates of business associates. Under the final rule, all applicable standards, requirements, and implementation specifications apply directly to business associates, as do the criminal and civil penalties. Business associates have been redefined to include all persons who, on behalf of a covered entity, create, receive, maintain, or transmit protected health information for functions such as claims processing, data analysis, information processing and administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and re-pricing, or who provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Under this definition, business associates also include Health Information Organizations, E-prescribing Gateways, and other persons that provide data transmission services involving protected health information and require routine access to it.
Electronic media has been defined to mean electronic storage material on which data is recorded electronically (e.g., computers, hard drives, and digital memory media) and transmission media used to exchange information already in electronic storage (e.g., intranets, leased lines, dial-up lines, private networks, and the physical movement of removable electronic media). The definition excludes transmissions in which the information did not exist in electronic form immediately before transmission, such as protected health information exchanged on paper, sent via facsimile, or spoken via telephone.
Certain education records, employment records, and records of persons who have been deceased for more than 50 years are excluded from the definition of protected health information and so fall outside the requirements. Separately, the rule relaxes the treatment of a decedent’s protected health information (PHI) by permitting a covered entity to disclose it to personal representatives, family members, and others who were involved in the decedent’s care or in payment for that care, unless doing so is inconsistent with a prior expressed preference of the individual.
HHS expects compliance from all covered entities and business associates. As in the past, the principle of compliance is based on cooperation with the provisions of the HIPAA regulations. Complaints against covered entities and business associates will continue to be filed with the Secretary. Complaints will be investigated in all cases where the facts point to willful neglect. Records and compliance reports must be kept and submitted to the Secretary within 30 days of a request if questions arise about an entity’s compliance. Once a determination of compliance or noncompliance is made, the Secretary will inform the entity, which has the right to respond with additional information.
Civil Money Penalties
The Secretary will impose civil money penalties on any covered entity or business associate, and their affiliated organizations, that has violated the rules. The amount of the penalty varies by culpability tier: whether the entity did not know of the violation and, exercising reasonable diligence, would not have known; whether the violation was due to reasonable cause rather than willful neglect; whether it was due to willful neglect that was corrected within 30 days; or whether it was due to willful neglect that was not corrected within 30 days. Additional factors considered in determining the amount include the number, nature, and extent of the violations, the number of individuals affected, any resultant harm, the entity’s history of prior noncompliance, and its financial condition.
Under the rule, penalties for noncompliance increase with the level of negligence, up to a maximum of $1.5 million per calendar year for all violations of an identical provision. Before the HITECH Act, the annual cap for identical violations was $25,000. The changes also strengthen the Health Information Technology for Economic and Clinical Health Act breach notification requirements by clarifying when breaches of unsecured protected health information must be reported to HHS.
The next in this series of articles will address impermissible disclosures and breaches. The Federal Register publication of the HIPAA rule can be found here.