Department of Health and Human Services’ Final Rule Expands HIPAA Obligations, Violation Penalties

1. The nature and extent of the PHI, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used or accessed the PHI;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk is mitigated (e.g., by obtaining reliable assurances by a recipient of PHI that the information will be destroyed or will not be used or disclosed).

Expansion of Business Associate Obligations

The Final Rule implements the HITECH Act’s expansion of business associates’ HIPAA obligations by applying the Privacy and Security Rules directly to business associates and by imposing civil and criminal penalties on them for HIPAA violations. The Final Rule also extends obligations and potential penalties to

direct and indirect subcontractors of business associates if they delegate a function, activity or service to the subcontractor and the subcontractor creates, receives, maintains or transmits PHI on behalf of the business associate. Any business associate that delegates a function involving the use or disclosure of PHI to a subcontractor will be required to enter into a business associate agreement with the subcontractor.

Additional Provisions of the Final Rule

The Final Rule also:

• Requires covered entities to modify their Notices of Privacy Practices;
• Requires covered entities to agree to an individual’s request to restrict disclosure of PHI to a health plan when the individual (or someone other than the health plan) pays for the health care item or service in full;
• Permits compound authorizations for clinical research studies;
• Revises the definition of PHI to exclude information about a person who has been deceased for more than 50 years;
• Prohibits the sale of PHI without authorization from the individual and adds a requirement of authorization in order for a covered entity to receive remuneration for disclosing PHI;
• Restricts marketing activities;
• Allows individuals to obtain a copy of PHI in an electronic format if the covered entity uses an electronic health record;
• Clarifies OCR’s view that covered entities are allowed to send electronic PHI to individuals in unencrypted e-mails only after notifying the individual of the risk;
• Prohibits health plans from using or disclosing genetic information for underwriting, as required by the Genetic Information Nondiscrimination Act of 2008;
• Allows covered entities to disclose relevant PHI of a deceased person to a family member, close friend or other person designated by the deceased, unless the disclosure is inconsistent with the deceased person’s known prior expressed preference;
• Allows disclosure of proof of immunization to schools if agreed by the parent, guardian or individual;
• Revises the Enforcement Rule (previously revised in 2009 as an interim final rule) to:
  • Require the Secretary of HHS to investigate a HIPAA complaint if a preliminary investigation indicates a possible violation due to willful neglect;
  • Permit HHS to disclose PHI to other government agencies (including state attorneys general) for civil or criminal law enforcement purposes; and
  • Revise standards for determining the levels of civil money penalties.

Effective Date and Compliance Date

Although most provisions of the Final Rule became effective on March 26, 2013, covered entities and business associates (including subcontractors) have until September 23, 2013 to become compliant. The 180-day compliance period does not apply to modifications of the Enforcement Rule, which will apply beginning on the March 26, 2013 effective date. Moreover, breach notification continues to be governed by the interim Breach Notification Rule until the September 23, 2013, compliance date.