Health care reform builds on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and requires the government to revise certain HIPAA provisions. Toward that end, the Department of Health and Human Services (HHS), through its Office for Civil Rights, issued 563 pages of long-awaited guidance on the privacy and security provisions of HIPAA. This final rule codifies existing guidance, incorporates the amendments to HIPAA made as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and makes other changes.
Covered entities, including providers, group health plan sponsors, and health care clearinghouses, will have to review their policies and procedures, and potentially implement new ones, to comply with the final HIPAA rule.
The omnibus final rule incorporates four separate rules: (1) final modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH; (2) a final rule with changes to the HIPAA Enforcement Rule; (3) a final rule on breach notification for unsecured protected health information; and (4) a final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA).
Specifically, the rule enhances patients' privacy protections, gives individuals increased rights to their health information, and strengthens the government's ability to enforce the rules and penalize violations. It also expands the compliance responsibilities of business associates of covered entities that receive protected health information (PHI).
Notable provisions of the final rule include:
- Changes to a covered entity's Notice of Privacy Practices and a requirement that the Notice be redistributed;
- Changes to business associate agreements and confirmation that business associate agreements are required between business associates and their subcontractors;
- Modifications to the HIPAA Authorization to allow disclosure of immunization results to schools and correspondence with a decedent's family members;
- Changes to the standards for what constitutes a "breach" of unsecured electronic PHI that must be reported to participants and the media;
- Enhanced limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
- Restrictions on the sale of PHI without individual authorization;
- Expansion of an individual's right to receive copies of electronic health records;
- Restrictions on a provider's right to disclose patient information to a health plan when the patient pays for treatment, in full, out of pocket; and
- Prohibitions on health plans using or disclosing genetic information for underwriting purposes.
The omnibus rule also makes business associates of covered entities directly liable for compliance with certain HIPAA requirements.
Penalties for violations of HIPAA are increased under the new rule based on the level of negligence. There is a maximum penalty of $1.5 million per violation.
The rule is effective March 23, 2013, but most provisions have a delayed compliance date of September 23, 2013. Covered entities are given this time to update policies and procedures and to modify contracts to comply with the final rule. Covered entities that have business associate agreements with contractors in place on January 25, 2013 will have a year to amend those contracts for the new rules. Covered entities without current business associate agreements on file will have to enter into such agreements with their contractors that handle PHI by September 23, 2013.
HIPAA is here to stay, and HHS has increased its enforcement efforts for HIPAA compliance. All employers who offer group health plans will want to pay attention to these new HIPAA rules and make sure their health plans and business practices comply with them.