HIPAA Final Rule Strengthens Privacy and Security Protections

On January 17, 2013, the long awaited final rule was announced. It will be published in the Federal Register on January 25, 2013. Providers need to be aware that the final rule, which replaces the current interim rule, is effective on March 26, 2013. The compliance deadline for covered entities is September 23, 2013.

This final rule modifies HIPAA and HITECH in the following ways:

  1. Strengthens the privacy and security protection for individuals’ health information.
  2. Modifies the Breach Notification Rule.
  3. Modifies the HIPAA Privacy Rule to strengthen the privacy protections for genetic information.
  4. Improves their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

The following is from the official announcement (emphasis added):

    "The changes in the final rulemaking provide the public with increased protection and control of personal health information. The changes announced today expand many of the privacy and security requirements to business associates that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

    "Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual’s health information without their permission.

    "...The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes."

We have all been living with the interim rule for quite some time and we are all aware of the increased penalties and fines that have been taking place on a regular basis. However, there are some clarifications that providers should be aware of, such as this quote from the final rule (emphasis added):

    "...protected health information stored, whether intentionally or not, in photocopier, facsimile, and other devices is subject to the Privacy and Security Rules. Although such devices are not generally relied upon for storage and access to stored information, covered entities and business associates should be aware of the capabilities of these devices to store protected health information and must ensure any protected health information stored on such devices is appropriately protected and secured from inappropriate access, such as by monitoring or restricting physical access to a photocopier or a fax machine that is used for copying or sending protected health information. Further, before removal of the device from the covered entity or business associate, such as at the end of the lease term for a photocopier machine, proper safeguards should be followed to remove the electronic protected health information from the media."

In most cases, the proposed rule was simply adopted in the final rule without any changes. In some cases there were some minor wording changes for clarification and in a few cases, there were some significant changes from the proposed rule to the final rule. For example, there were some significant changes to the definitions of marketing:

    "The final rule significantly modifies the proposed rule’s approach to marketing by requiring authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed...We, therefore, believe that requiring authorizations for all subsidized communications that market a health related product or service is the best policy."

During the next several months, watch for additional announcements regarding the sections of the ruling which have significant changes.

To read the entire 563 page ruling, click on the following Federal Register link: "HIPAA Privacy, Security, Enforcement, and Breach Notification Rules".

Complete & Easy HIPAA Compliance is a simple and practical guide to implementing all current HIPAA and HITECH components. Includes all forms and policies needed to meet compliance requirements.