HIPAA Privacy and Security Rules Update
The U.S. Department of Health and Human Services (“HHS”) has released a Notice of Proposed Rulemaking proposing modifications to rules implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by last year’s Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), in anticipation of broader use of electronic health records. Although the underlying statutory provisions that the new rules implement are generally effective February 18, 2010, the proposed rules will generally not be effective until 180 days after publication of the final rules. In addition, the proposed rules provide up to an additional year in which to amend business associate agreements. (The rules published last year relating to notification of data breaches pursuant to HIPAA were not changed by these new rules and remain effective as interim guidance. Proposed final breach notification rules were expected to be released soon, but HHS recently announced that “given the Department's experience to date in administering the [rule]” it had removed those final regulations from administrative review to allow for further consideration.)
The HITECH Act and the new rules would enhance the protection of protected health information (“PHI”) subject to HIPAA while expanding enforcement of HIPAA’s Privacy, Security, and Enforcement Rules by:
- enhancing individuals’ rights to access their PHI and to restrict certain types of disclosures of PHI to health plans;
- extending the coverage of HIPAA’s Security and Enforcement Rules, certain portions of the Privacy Rule, and the penalty provisions directly to business associates of covered entities;
- implementing the expanded penalty enforcement regime;
- establishing new limitations on the use and disclosure of PHI for sale, marketing, and fundraising purposes;
- explicitly prohibiting the sale of PHI without patient authorization; and
- making a number of other minor modifications to existing rules.
In an attempt to ensure that various parties dealing with PHI are subject to these rules, HHS is proposing to expand the definition of business associates to include “subcontractors” of business associates (that is, persons that perform functions for or provide services to business associates and in doing so need access to PHI). One result of this proposed change is to create direct civil (and potentially criminal) liability under HIPAA for these organizations in the event of noncompliance.
Notices of Privacy Practices will also need to be updated.
For more information about recent developments in the privacy and data security area, of which the HIPAA rules are just a part, please refer to the 2010 Mid-Year Update of Sullivan & Worcester’s Privacy and Data Security group.