U.S. Department of Health and Human Services Issues Final Rule Implementing Changes to HIPAA Arising from the HITECH Act
March 8, 2013
Since its enactment in 1996, the Health Insurance Portability and Accountability Act (“HIPAA”) has prohibited covered entities from using or disclosing a patient’s individually identifiable health information except either as HIPAA permits or requires or as the patient authorizes in writing. Last month, the U.S. Department of Health and Human Services (“HHS”) published a final rule implementing significant changes to HIPAA. The final rule becomes effective on March 26, 2013, and persons subject to HIPAA will have 180 days thereafter (until September 23, 2013) to come into compliance with the applicable requirements of the final rule. The changes include the following:
1. The final rule contains final modifications implementing several significant amendments to HIPAA that were included in the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), which was enacted by the U.S. Congress on February 17, 2009 as part of the federal stimulus bill, the American Recovery and Reinvestment Act of 2009 (the “ARRA”). In brief, some of the more important modifications include the following:
- Under the HITECH Act, business associates of covered entities were made directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements. The final rule clarifies that the definition of a business associate includes subcontractors of business associates, certain health information exchange organizations, and personal health record vendors.
- The final rule contains more stringent limitations on the use and disclosure of protected health information for marketing and fundraising purposes.
- The final rule provides greater rights to individuals seeking to obtain electronic copies of their health information.
- The final rule requires covered entities to make significant changes to the notice of privacy practices that they are required to make available to patients.
- The final rule modifies certain requirements of HIPAA in order to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
2. The final rule adopts an increased and tiered civil money penalty structure for HIPAA violations.
3. The final rule modifies the “breach notification” interim final rule that was adopted on August 24, 2009, which had required a covered entity, upon discovering that any unsecured protected health information held by it has been used or disclosed in breach of the privacy requirements of HIPAA, to notify the affected patients, HHS, and, in the case of a breach involving at least 500 patients, the media. The final rule replaces the breach notification rule’s “harm” threshold with a more objective standard. Under the former “harm” threshold, the notification obligations were triggered only if the breach “pose[d] a significant risk of financial, reputational, or other harm to the individual” whose health information was the subject of the breach. Under the final rule, instead of assessing the risk of “harm” to an individual, a covered entity must assess the “probability” that the health information has been compromised, based on a risk assessment that considers at least the following factors: (1) the nature and extent of the protected health information involved; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.
4. The final rule also modifies HIPAA to implement requirements mandated by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.