Persons and businesses subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have until September 23, 2013 to comply with the final rule published earlier this year regarding the protection of certain protected health information (“PHI”).
The Final Rule, in part, affects independent contractors (“Business Associates”) that provide services to “Covered Entities” (health care providers, health plans, health care clearinghouses, etc.) and in the course of those services create, receive, maintain, or transmit PHI. This includes providers of data transmission or storage services whose access to PHI is more than merely random or transient; the narrow “conduit” exception no longer covers a vendor that stores or routinely handles PHI. Business Associates, and their subcontractors that handle PHI, must now comply with the HIPAA Security Rule and with the applicable provisions of the HIPAA Privacy Rule. Business Associates are directly liable for their own compliance failures, rather than only contractually liable to the Covered Entity, and as a result face greater exposure to civil penalties.
The Department of Health and Human Services Office for Civil Rights has published minimum standards, including sample provisions, for the agreements required between Covered Entities and Business Associates, and between Business Associates and their subcontractors that handle PHI (“Business Associate Agreements”). For example, these Business Associate Agreements must establish the permitted and required uses and disclosures of PHI, prohibit uses or disclosures beyond those the Covered Entity itself could make, require appropriate safeguards for electronic PHI, require that impermissible uses and disclosures of PHI (including breaches of unsecured PHI) be reported, and require that any subcontractor be bound by the same restrictions, among other provisions.
The new rules also modified the content requirements for the Notice of Privacy Practices for PHI, which most Covered Entities must distribute. Updated notices must include statements regarding the individual’s right to restrict certain disclosures (for example, to a health plan where the individual has paid for a service in full out of pocket), the circumstances under which the individual’s authorization is required before a use or disclosure, and the individual’s right to be notified following a breach of unsecured PHI, among other provisions.
The new rules also change the requirements governing notification of security and privacy breaches. Covered Entities and Business Associates must now presume that any acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA’s Privacy Rule is a reportable breach, unless a documented risk assessment shows a low probability that the PHI has been compromised. That assessment must consider, at a minimum, the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. This replaces the prior “risk of harm” standard, and certain exceptions to the notification requirement (such as the one for limited data sets lacking birth dates and zip codes) have been eliminated.
Business Associates should review their Business Associate Agreements, subcontractor agreements, and other PHI-related contracts, as well as their internal policies and procedures for protecting PHI and responding to breaches, and revise those documents to bring them into compliance before the September 23, 2013 deadline.