Final HIPAA Regulations Issued: Provisions Regarding Business Associates, Penalties, Breach Notification Amended

On January 17, the Office of Civil Rights posted its omnibus Final Breach Notification Rule (the "Final Rule"), which modified many provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Final Rule, published in the Federal Register on January 25, sets forth new responsibilities for business associates and subcontractors, amends the Breach Notification Rule, adds to the notifications required to be included in the Notice of Privacy Practices, and adopts the tiered penalty provisions of the Interim Final Rule (released on August 24, 2009), among many other provisions.

The Final Rule is effective March 26, 2013 with compliance required by covered entities and business associates by September 23, 2013, unless otherwise provided in the Final Rule.

This is a summary of some pertinent provisions of the Final Rule.

Liability of Business Associates and Subcontractors

Under the Final Rule, subcontractors and business associates may be directly liable for certain Privacy and Security Rule violations. A "business associate" is a third party that a covered entity may engage to assist it in performing its covered services. To be considered a business associate, the third party must create, receive, maintain or transmit Protected Health Information ("PHI"). A "subcontractor" is a person to whom a business associate delegates a function, activity or service, other than in the capacity of a member of the workforce of such business associate, and also creates, receives, maintains or transmits PHI. Consistent with the previous rule, covered entities must have written business associate agreements with their business associates. Pursuant to the Final Rule, the definition of "business associate" has been extended to include subcontractors. Therefore, the requirements of business associates has extended to subcontractors. Business associates must ensure that they have agreements with all subcontractors that comply with the new regulations.

Compliance Date for Revised Business Associate Agreements

The compliance date for revising business associate agreements ("BAAs") to comply with the Final Rule is September 23, 2013. However, an opportunity to grandfather in existing BAAs exists if the BAA complied with the HIPAA regulations and is not set to be renewed between January 25 and September 23 of this year. If a BAA renews after September 23, 2013, the BAA must comply by the earlier of (a) the date of the BAA's renewal, or (b) September 22, 2014. Those BAAs renewing between January 25 and September 23, 2013 must be revised to comply with the Final Rule by September 23.

Notice of Privacy Practices

The Final Rule requires certain amendments to Notices of Privacy Practices (the "Notice") and requires certain statements regarding uses and disclosures that require authorization. For instance, one of the changes requires a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosure that constitute a sale of PHI require authorization.

Individual's Access to His/Her Own PHI

Upon an individual's request to obtain an electronic copy of his/her own PHI, the covered entity must furnish the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or in a format as agreed to by the covered entity and the individual.

Breach Notification

The most significant changes in the Final Rule appear in the revisions to the Breach Notification Rule. Most considerable is the revision within the Breach Notification Rule to the definition of "breach". Whereas, prior to the Final Rule, a use or disclosure of PHI was presumed to be a breach if it posed a significant risk of financial, reputation or other harm to the individual, a use or disclosure of PHI is now presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. In other words, the Final Rule demonstrates a shift from the subjective risk-of-harm standard to the objective low-probability-of-compromise standard. The Final Rule sets forth a number of factors that must be considered when performing a risk assessment and determining the probability that PHI has been compromised, including:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the information;
2. The unauthorized person who impermissibly used the PHI or to whom the disclosure was made; and
3. Whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.

The Final Rule has also made a number of revisions to the notification obligations which arise upon discovery of the breach.

Tiered Penalties

The Final Rule adopted the tiered and increased civil monetary penalty structure to conform with HITECH. The new penalty provisions are summarized in the following table.

While the foregoing is merely a summary of some of the major changes and provisions of the Final Rule, it is a reminder to all healthcare industry stakeholders that the healthcare regulatory environment continues to be dynamic and attention must be paid to new developments. Since its release and during the next six months in which the industry has to comply with the Final Rule, Clark Hill's healthcare attorneys have been, and will be, at the forefront of any new developments and will be available to assist new and existing clients with ensuring compliance with the new requirements.