On January 25, 2013, the Department of Health and Human Services (HHS) published its omnibus Final Rule regarding the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA).
According to HHS, the Final Rule “greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.” Here is a brief summary of some of the Final Rule’s provisions.
Breach Notification Standard
Previously, an incident involving the impermissible use or disclosure of protected health information (PHI) was generally not considered a breach unless an internal risk assessment revealed a significant risk of harm to those whose information was compromised. Under the Final Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless an internal risk assessment demonstrates that there is a low probability that the PHI has been compromised. The burden therefore shifts to the covered entity or business associate, which must document that assessment if it decides not to notify.
Although the Final Rule keeps the risk assessment requirement, it is more structured and objective than before. It requires a covered entity to consider at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Modifications to HIPAA Required by the HITECH Act
The Final Rule implements previous proposed and interim rules regarding HIPAA modifications required by the HITECH Act. These modifications:
- Make business associates of covered entities directly liable for compliance with various requirements of HIPAA’s Privacy and Security Rules.
- Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt additional HITECH Act enhancements to HIPAA’s Enforcement Rule that were not previously implemented, such as the provisions addressing enforcement of noncompliance with HIPAA due to willful neglect.
The Final Rule modifies the HIPAA Privacy Rule as required by GINA to prohibit health plans, but not long-term care policies, from using or disclosing genetic information for underwriting purposes. It also clarifies that “health information” includes genetic information.
The effective date of the Final Rule is March 26, 2013, and the compliance date for covered entities and business associates is September 23, 2013. Since much of the Final Rule merely implements previously issued non-final rules, many covered entities and business associates may find that they already satisfy most of its requirements; the new breach presumption and the four-factor risk assessment described above, however, are a change from the prior standard, and incident response and breach notification procedures should be reviewed against them before the compliance date.
Covered entities and business associates should consider insuring against the substantial costs associated with a security breach. Various insurance products cover privacy injuries, such as identity theft, that result from security breaches. Insurance may also help cover the significant cost of complying with applicable breach notification laws like those discussed above. Given the variety and complexity of these products, an experienced insurance agent should be consulted to ensure that proper coverage is obtained and that no gaps remain.
Additionally, clients of Setnor Byer Insurance & Risk enjoy access to various risk management services such as our affiliate’s HIPAA Standards Training which has been approved by the HR Certification Institute as well as the Florida Bar.