
Department of Health and Human Services’ Final Rule Expands HIPAA Obligations, Violation Penalties

April 1, 2013 • By Steven M. Harris, Esq.

Are You Ready for the HIPAA Changes?

On January 17, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued an omnibus final rule implementing various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule revises the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the interim final Breach Notification Rule. This will affect not only physician practices, but also their business associates who have access to protected health information (PHI), and even business associates’ subcontractors. Now is the time to make sure your agreements with business associates comply with these new rules.


Background

On February 17, 2009, President Barack Obama signed the American Recovery and Reinvestment Act of 2009 into law, which included the HITECH Act. The HITECH Act expanded the obligations of covered entities and business associates to protect the confidentiality and security of PHI.


Under HIPAA, covered entities may disclose PHI to business associates, and permit business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business associate agreement between the parties. A “covered entity” is defined as a health plan, healthcare clearinghouse or healthcare provider (e.g., physician practice or hospital) that transmits health information electronically. In general, the HIPAA regulations have traditionally defined a “business associate” as a person (other than a member of the covered entity’s workforce) or entity who, on behalf of a covered entity, performs a function or activity involving the use or disclosure of PHI, such as the performance of financial, legal, actuarial, accounting, consulting, data aggregation, management, administrative, or accreditation services to or for a covered entity.

Prior to the HITECH Act, business associates were contractually obligated under their business associate agreements to maintain the privacy and security of PHI, but could not be sanctioned for failing to comply with HIPAA. However, the HITECH Act expanded the obligations and exposure of business associates by:

  1. Applying many of the privacy and security standards to business associates;
  2. Subjecting business associates to the breach notification requirements; and
  3. Imposing civil and criminal penalties on business associates for HIPAA violations.

In addition, the HITECH Act strengthened the penalties and enforcement mechanisms under HIPAA, and required periodic audits to ensure that covered entities and business associates are compliant.

Expansion of Breach Notification Requirements

The Final Rule expands the breach notification obligations of covered entities and business associates by revising the definition of “breach” and the risk assessment process for determining whether notification will be required. Under the Final Rule, a use or disclosure of unsecured PHI that is not permitted under the Privacy Rule is presumed to be a breach (and therefore requires notification to the individual, OCR, and possibly the media) unless the incident satisfies an exception* or the covered entity or business associate demonstrates a low probability that PHI has been compromised. This risk analysis is based on at least the following four factors:

  1. The nature and extent of the PHI, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used or accessed the PHI;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk is mitigated (e.g., by obtaining reliable assurances by a recipient of PHI that the information will be destroyed or will not be used or disclosed).

Expansion of Business Associate Obligations

The Final Rule implements the HITECH Act’s expansion of business associates’ HIPAA obligations by applying the Privacy and Security Rules directly to business associates and by imposing civil and criminal penalties on them for HIPAA violations. The Final Rule also extends obligations and potential penalties to direct and indirect subcontractors of business associates if they delegate a function, activity, or service to the subcontractor and the subcontractor creates, receives, maintains, or transmits PHI on behalf of the business associate. Any business associate that delegates a function involving the use or disclosure of PHI to a subcontractor will be required to enter into a business associate agreement with the subcontractor.


Additional Provisions of the Final Rule

The Final Rule also:

  • Requires covered entities to modify their Notices of Privacy Practices;
  • Requires covered entities to agree to an individual’s request to restrict disclosure of PHI to a health plan when the individual (or someone other than the health plan) pays for the health care item or service in full;
  • Permits compound authorizations for clinical research studies;
  • Revises the definition of PHI to exclude information about a person who has been deceased for more than 50 years;
  • Prohibits the sale of PHI without authorization from the individual, and adds a requirement of authorization in order for a covered entity to receive remuneration for disclosing PHI;
  • Restricts marketing activities;
  • Allows individuals to obtain a copy of PHI in an electronic format if the covered entity uses an electronic health record;
  • Clarifies OCR’s view that covered entities are allowed to send electronic PHI to individuals in unencrypted e-mails only after notifying the individual of the risk;
  • Prohibits health plans from using or disclosing genetic information for underwriting, as required by the Genetic Information Nondiscrimination Act of 2008;
  • Allows covered entities to disclose relevant PHI of a deceased person to a family member, close friend, or other person designated by the deceased, unless the disclosure is inconsistent with the deceased person’s known prior expressed preference;
  • Allows disclosure of proof of immunization to schools if agreed by the parent, guardian, or individual;
  • Revises the Enforcement Rule (which was previously revised in 2009 as an interim final rule) to:
    • Require the Secretary of HHS to investigate a HIPAA complaint if a preliminary investigation indicates a possible violation due to willful neglect;
    • Permit HHS to disclose PHI to other government agencies (including state attorneys general) for civil or criminal law enforcement purposes; and
    • Revise standards for determining the levels of civil money penalties.

Effective Date and Compliance Date

Although most provisions of the Final Rule became effective on March 26, 2013, covered entities and business associates (including subcontractors) have until September 23, 2013 to become compliant. The 180-day compliance period does not apply to modifications of the Enforcement Rule, which will apply beginning on the March 26, 2013 effective date. Moreover, breach notification continues to be governed by the interim Breach Notification Rule until the September 23, 2013, compliance date.

In certain circumstances, the Final Rule allows additional time (in addition to the 180-day compliance period) to revise business associate agreements to make them compliant. In particular, transition provisions will allow covered entities and business associates to continue to operate under existing business associate agreements for up to one year beyond the compliance date (until September 22, 2014) if the business associate agreement:

  1. Is in writing;
  2. Was in place prior to January 25, 2013 (the publication date of the Final Rule);
  3. Is compliant with the Privacy and Security Rules as in effect immediately prior to January 25, 2013; and
  4. Is not modified or renewed.

This additional time for grandfathered business associate agreements applies only to the written documentation requirement. Covered entities, business associates, and subcontractors will be required to comply with all other HIPAA requirements beginning on the compliance date, even if the business associate agreement qualifies for grandfathered status.


*The exceptions relate to 1) unintentional, good faith access, acquisition, or use by members of the covered entity’s or business associate’s workforce; 2) inadvertent disclosure limited to persons with authorized access and not resulting in further unpermitted use or disclosure; and 3) good faith belief that the unauthorized recipient would be unable to retain the PHI.


Steven M. Harris, Esq., is a nationally recognized health care attorney and a member of the law firm McDonald Hopkins, LLC. He may be reached at [email protected].

To-Do List for Final Rule Compliance

  • Covered entities and business associates should review their business associate agreements and determine whether the agreements qualify for grandfathered status and enter into new business associate agreements by the compliance date (September 23, 2013).
  • Covered entities and business associates will need to review their policies and procedures prior to the compliance date so that they can implement all necessary changes.
  • Notices of Privacy Practices will need to be revised and appropriate training should be provided to personnel of covered entities and business associates prior to the compliance date.
  • Any vendor or business that performs functions for a covered entity or another business associate involving the use or disclosure of PHI should determine whether it is a “business associate” and, if so, what needs to be done in order to comply with the Final Rule by the compliance date.

