Health Care Law Alert: Sweeping Changes to HIPAA Announced
Yesterday, final regulations modifying the HIPAA privacy and security regulations were issued by the Department of Health and Human Services (HHS). The regulations are scheduled to be published in the Federal Register on January 25. Among other things, these regulations implement provisions of the federal HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA).
The final regulations:
- Adopt new rules for business associates and subcontractors
- Expand the right of individuals to receive electronic copies of their protected health information (PHI)
- Modify existing uses and disclosures of PHI, including allowing for the disclosure of PHI of a deceased patient to those involved in the patient's care prior to death
- Revise the definition of "marketing" to delineate which specific activities constitute marketing of PHI
- Allow for compound authorizations for research and authorization of future research
- Restrict disclosure of PHI to health plans when patients pay out of pocket
- Require covered entities to obtain authorization from an individual for any disclosure of the individual's PHI in exchange for direct or indirect remuneration (with a few exceptions such as exchanges for public health activities)
- Require modification and redistribution of notices of privacy practices
- Revise and replace the Interim Breach Notification Rules
- Implement the provisions of the HITECH Act imposing higher penalties/fines for noncompliance
- Contain a new exemption for PHI of persons who have been deceased for more than 50 years
These regulations will likely require revisions to HIPAA privacy and security policies, notices of privacy practices, summary plan descriptions for health plans, and business associate agreements. Employees with access to PHI at the workplace will need to be trained in the new rules.
The effective date of the final regulations is March 26, 2013, but in general covered entities (such as health plans) and business associates will have until September 23, 2013, to bring documentation (e.g., business associate agreements, limited data set agreements, policies and procedures) into compliance. However, organizations with business associate agreements or other documentation that must be renewed or modified between March 26 and September 23 should begin to identify those now so that they can prioritize them appropriately in the compliance process. Current business associate contracts in existence as of January 25, 2013, need to be amended to comply with the final regulations by the earlier of (1) the date on or after September 23, 2013, on which the contract is renewed or modified; or (2) September 23, 2014.
If you have questions about the content of this alert, please contact a member of the Stoel Rives Health Care team.