HIPAA Alert: Rule Changes and Deadline

On January 17, a final, 563-page Health Insurance Portability and Accountability Act rule was released by the Department of Health and Human Services Office of Civil Rights to strengthen HIPAA’s security and privacy protections. The final rule makes sweeping changes to HIPAA’s data security and breach requirements that will have widespread effects on covered entities, business associates and subcontractors of business associates.

The rule becomes effective March 26, 2013 and compliance is required by September 23, 2013. Covered entities, business associates and subcontractors of business associates should conduct a critical reassessment of their data security and privacy policies as soon as possible.

Some of the major changes to the HIPAA rules include the following:

• Holds business associates directly liable for compliance with certain HIPAA privacy and security rule requirements
• Changes the definition of business associate to include subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of business associates. Subcontractors for business associates have the same compliance obligations, regardless of how far “downstream” the services they provide are from the covered entity
• Changes the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI was compromised
• Requires covered entities and business associates to consider four factors when determining whether a breach must be reported: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated
• Requires covered entities to protect decedents’ PHI in accordance with the privacy rule for 50 years following the date of death
• With few exceptions, prohibits the sale of PHI without an individual’s authorization
• Maintains a tiered system of civil penalty amounts based on increasing levels of culpability. The final rule retains a $1.5 million civil monetary penalty cap

Bernstein Shur’s Health Care Practice Group and Data Security Team are actively engaged in analyzing the final rule and advising clients about the implications. For more information, contact 207 774-1200.