The Final Rule finalizes many provisions of the Proposed Rule, imposes new privacy and security obligations directly on business associates, and modifies both the definition of "breach" and the factors that must be considered in a breach risk assessment.
On January 17, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released its long-awaited omnibus final rule (Final Rule)[1] modifying certain aspects of the Privacy Rule, the Security Rule, and the Enforcement Rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Breach Notification for Unsecured Protected Health Information Rule (Breach Notification Rule) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule is the most significant development in healthcare privacy law since the final Privacy Rule and Security Rule were issued a decade ago.
The Final Rule comes approximately two and a half years after HHS published its notice of proposed rulemaking (Proposed Rule) to implement provisions of the HITECH Act. The Final Rule takes effect on March 26, 2013, and covered entities and business associates are required to comply with the applicable requirements of the Final Rule by September 23, 2013. The Final Rule comprises modifications to the four individual rules described below.
HIPAA Privacy, Security, and Enforcement Rules
The Final Rule finalizes modifications to the HIPAA Privacy, Security, and Enforcement Rules, including, but not limited to, those mandated by the HITECH Act. For the most part, the Final Rule adopts the provisions of the Proposed Rule, with a host of clarifications but relatively few significant modifications. The Final Rule's notable provisions include the following:
Civil Money Penalty Structure
The Final Rule adopts the HITECH Act's tiered civil money penalty structure, under which the penalty range increases with the level of culpability: violations the entity did not know of and could not reasonably have known of; violations due to reasonable cause rather than willful neglect; violations due to willful neglect that are corrected within 30 days; and violations due to willful neglect that are not corrected. Penalties range from $100 to $50,000 per violation, subject to a cap of $1.5 million per calendar year for all violations of an identical provision.
Breach Notification Rule
The Final Rule modifies the definition of "breach" and the risk assessment approach set forth in the Breach Notification Interim Final Rule issued by HHS on August 24, 2009 (Interim Final Rule). Under the new definition, an impermissible use or disclosure of protected health information (PHI) is "presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." This standard replaces the "significant risk of harm" standard set forth in the Interim Final Rule. HHS explains that the prior focus on "harm to an individual" was too subjective, risking inconsistent interpretations and results across covered entities and business associates. The new presumption also shifts the practical burden: rather than deciding whether an incident rises to the level of a breach, a covered entity or business associate must be able to demonstrate, through a documented risk assessment, that there is a "low probability" that the PHI has been "compromised"; absent that showing, notification is required.
The Final Rule also modifies the factors that covered entities and business associates must consider when performing a risk assessment with respect to a potential breach. The risk assessment must address at least the following four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. HHS suggests that covered entities and business associates examine their policies to ensure that all required factors are considered when conducting a breach risk assessment. Because the burden of demonstrating a low probability of compromise rests with the covered entity or business associate, each assessment and its conclusion should be documented and retained.
GINA
The Final Rule modifies the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
Implications
Business associates should prepare for direct compliance with the new HIPAA obligations by September 23, 2013, including implementation of a Security Rule compliance program (a documented risk analysis, administrative, physical, and technical safeguards, and written policies and procedures). Covered entities should also begin conforming their HIPAA compliance programs to the new requirements of the Final Rule, including updating and redistributing notices of privacy practices and amending business associate agreements. Under the Final Rule's transition provision, a business associate agreement entered into before January 25, 2013, that complied with the prior rules and is not renewed or modified between March 26, 2013, and September 23, 2013, is deemed compliant until September 22, 2014; all other agreements must meet the new requirements by September 23, 2013.
Contacts
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:
San Francisco
W. Reece Hirsch
Heather Deixler
Chicago
Saghi "Sage" Fattahian
Philadelphia
Georgina L. O'Hara
Pittsburgh
Lauren B. Licastro