A 562-page, unofficial version of the final HIPAA / HITECH Rule was posted today. The official version of the document (“the 2013 Rule”) is scheduled to be published on January 25, 2013 at http://federalregister.gov/a/2013-01073. The 2013 Rule becomes effective on March 26, 2013. Covered entities and business associates must comply by September 23, 2013.
The 2013 Rule consists of four final rules that update the existing HIPAA Privacy, Security, and Enforcement Rules to strengthen privacy and security protections for health information, improve enforcement, and implement the provisions of the HITECH Act (enacted in 2009) and the Genetic Information Nondiscrimination Act of 2008 (GINA). Most of these changes are not a surprise. Some were clearly required by the HITECH Act, for example the increased duties and responsibilities of business associates. Others had already been identified in prior interim versions of the Rules. Still others result from a clear intent to simplify procedures and reduce redundancies and unnecessary burdens. Nevertheless, it will take time to decipher and analyze the 562 pages of the 2013 Rule (in PDF format). Further observations will be published later on this blog. In the meantime, some of the changes and additions are listed below.
Business Associates
Under the 2013 Rule, business associates of covered entities become directly liable for compliance with certain requirements of the HIPAA Privacy Rule and most provisions of the Security Rule. The definition of business associate is also expanded slightly to include additional entities and intermediaries, and it now reaches subcontractors of business associates as well. Portions of the Privacy Rule are modified to identify clearly which of its provisions apply to business associates.
Limit to Use for Marketing and Resale
The 2013 Rule strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes. It prohibits the sale of protected health information without individual authorization.
Increased Rights for Individuals
Individuals are granted the right to receive electronic copies of their health information. They also have the right to restrict disclosures about their treatment to a health plan if they have paid out of pocket in full for that treatment. In addition, the 2013 Rule permits disclosure of a decedent’s information to family members and others who were involved in the decedent’s care or payment for care.
Notice of Privacy Practices
The 2013 Rule requires modifications to a covered entity’s notice of privacy practices, such as adding statements regarding uses and disclosures that require authorization, fundraising communications, and an individual’s right to opt out of receiving such communications. The notice must also inform individuals of their right to restrict disclosure of protected health information to a health plan when they pay out of pocket in full for a health care service or item. The notice of privacy practices must be redistributed once these changes have been implemented.
Security Rule
Portions of the Security Rule are modified as well. There are technical changes; for example, obligations that apply to employees are expanded to cover non-employees who operate in a quasi-employee capacity, such as volunteers. Provisions that duplicate certain provisions of the Privacy Rule are removed.
Breach Notification Rule
The 2013 Rule also replaces the current version of the Breach Notification Rule under the HITECH Act, originally published in 2009. The most important change is the replacement of the “risk of harm” threshold with a more objective standard: an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates, through a risk assessment, that there is a low probability that the information has been compromised.
Genetic Information
The 2013 Rule implements the Genetic Information Nondiscrimination Act of 2008 (GINA) in the HIPAA Privacy Rule by prohibiting most health plans from using or disclosing genetic information for underwriting purposes.
Enforcement Rule
The modified HIPAA Enforcement Rule incorporates the increased and tiered civil money penalty structure provided by the HITECH Act. Other modifications include provisions addressing enforcement against noncompliance with the HIPAA Rules due to willful neglect, and a change to the definition of “reasonable cause” in connection with violations of the Rules.