Overview, Thoughts and Comments on HIPPA Privacy & Security Regulations

Released January 17, 3013

Long-anticipated HHS regulations released on Jan. 17, 2013, make significant changes in HIPAA privacy and security rules for health plans and their business associates. The final omnibus regulation is comprised of four final rules that modify the substantive provisions of the privacy and security rules, incorporate increased civil monetary penalties, replace the interim rule on breach notification and restrict health plans’ use and disclosure of genetic information. Covered entities must comply with the new rules by Sept. 23, 2013.

Although the 600-page regulation will take some time to digest, highlights include:

Direct Liability for Business Associates. The business associate definition is broadened to include entities that create, receive, maintain or transmit protected health information (PHI) in connection with services to a covered entity. Business associate agreements will need to be updated to reflect this new liability. A special transition rule applies to valid business associate agreements in effect before Jan. 25, 2013.

Increased Access. Individuals can obtain electronic access to their PHI that is maintained electronically in a designated record set. This generally requires a covered entity to provide PHI in the form and format requested, or agreed to, by the individual. Individuals can also direct the covered entity to transmit electronic PHI to a third party.

Increased Civil Penalties. The final regulations implement the increased penalty amounts under the HITECH Act and extend potential liability to business associates that violate an applicable HIPAA provision. Further, both covered entities and business associates may be liable for civil penalties if their “agents” violate HIPAA.

Breach Notification. The final regulations change the definition of a “breach” of unsecured PHI. The new definition presumes there is a breach – and generally requires notification – unless a risk assessment demonstrates a low probability that PHI has been compromised. The risk assessment must consider at least the following factors: the nature of the PHI, the unauthorized person who received the disclosure, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Genetic Information Nondiscrimination Act. The regulations prohibit health plans from using or disclosing genetic information for underwriting purposes.

Here is the entire Final Rule