Is Your Practice Compliant with the HIPAA Final Rule?

Article

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a new final rule (“Final Rule”) which requires covered entities, a category that includes medical practices, ASCs, ancillary providers, and pharmacies (“Covered Entities”), to significantly modify both their HIPAA compliance plans and agreements with entities with which they conduct business (“Business Associates”). Covered Entities should be aware that the compliance deadline was September 23, 2013; any Covered Entity that has not yet incorporated the applicable changes into its HIPAA compliance plan may face significant liability for its non-compliance.

The changes required by the Final Rule include:

  • Covered Entities must provide increased patient access to Protected Health Information (PHI) by providing PHI within 30 days of a request from a patient, in the “electronic form and format requested by the individual”
  • Business Associates are now directly regulated by HIPAA, and are liable for violations in the same manner as Covered Entities (including the imposition of direct civil money penalties)
  • Business Associates must also have a Business Associate Agreement (BAA) with all subcontractors (entities that contract with and work at the direction of, or on behalf of, a Business Associate) who have access to or utilize PHI
  • Covered Entities must revise their BAAs (including those currently in effect) to incorporate the relevant provisions of the Final Rule in order to ensure that the Business Associate complies with all applicable provisions of HIPAA
  • The Notice of Privacy Practices must be modified pursuant to the Final Rule, including the addition of the notification requirement to patients in the event of a breach of unsecured PHI, and be redistributed to patients by a Covered Entity
  • The requirements for a Covered Entity which experiences a breach of unsecured PHI have been revised and clarified, including a methodology to be employed in determining whether or not a “Breach” of PHI has occurred. These new requirements should be incorporated in the Covered Entity’s HIPAA compliance plan
  • New restrictions have been placed on the use of PHI for marketing and fundraising, as well as the disclosure of genetic information, and there are new consent requirements regarding using PHI for research

These changes must all be reflected in a Covered Entity’s HIPAA compliance plan for the Covered Entity to be considered compliant. It is also advisable for Business Associates to have their own HIPAA compliance plans, as they are now directly liable for violations.

The Final Rule also increases HHS’s authority to investigate and sanction Covered Entities, and subjects Covered Entities to significantly higher fines for their failure to comply with HIPAA – up to $50,000 per occurrence and $1,500,000 annually. These changes coincide with an ongoing rise in HHS enforcement activity that was already evident before the Final Rule. Covered Entities should be aware that it is becoming increasingly important for a medical practice, ASC, pharmacy, or any other type of Covered Entity to ensure that its HIPAA compliance plan and related documents are up to date, and that all employees are adequately trained in the policies and procedures in place to keep patient information confidential. Contact Frier Levitt to speak to an attorney.