
Final HIPAA HITECH Regulations Released

This article was originally featured in our ADP Eye on Washington update.

On January 25, 2013, the United States Department of Health and Human Services (HHS) published final regulations implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) made by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). The final regulations update existing HIPAA regulations to reflect the requirements of HITECH and GINA, including updating the privacy and security provisions, outlining increased civil money penalties for violations of HIPAA, and restricting health plans’ use and disclosure of genetic information as required under GINA. In addition, the final regulations finalize the breach notification rules.

The final regulations become effective March 26, 2013. Generally, covered entities and business associates must comply with the provisions as modified by the final regulations by September 23, 2013. Enforcement-related provisions, however, take effect March 26, 2013 with no compliance period.

In addition to the general compliance period, the final regulations include an extended transition period (discussed later) that allows covered entities and business associates to continue operating under business associate agreements that were in effect prior to January 25, 2013 and that complied with the requirements in effect before that date.

The final regulations are expansive and the following is only a brief summary of some of the specific provisions impacting group health plans, including those provisions relating to business associates, business associate agreements, privacy notices, breach notifications, individual rights, GINA, and enforcement and penalties.

Business Associates  
The final regulations clarify the extent to which business associates are directly responsible for compliance with HIPAA as modified by HITECH, including direct liability for penalties associated with violations of the HIPAA privacy, security and administrative rules. The final regulations specify that business associates must comply with the Security Rule’s administrative, physical, and technical safeguard requirements, as well as its written policy and documentation requirements. In addition to a business associate’s contractual liability to a covered entity for breach of the business associate agreement, the business associate is directly liable for civil money penalties assessed by the HHS Office for Civil Rights (OCR), and may be subject to criminal penalties, for violations of those Security Rule requirements and of the Privacy Rule’s business associate agreement requirements.

The definition of business associate has been expanded to include entities that create, receive, maintain, or transmit protected health information (PHI) in connection with services provided to a covered entity. In addition, a business associate now includes a subcontractor of a business associate. Consequently, the primary business associate is required to “obtain satisfactory assurances” from the subcontractor that the subcontractor will appropriately safeguard the PHI. The primary business associate is subject to the same business associate agreement requirements with respect to its subcontractor as a covered entity is with respect to the business associate. It is important to note that “a covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.”

The final regulations also clarify when an entity is a mere conduit rather than a business associate. In the preamble to the final regulations, HHS explains that “[t]he conduit exception is a narrow one”: it covers only entities that transmit information, such as the postal service, and that have only random or infrequent access to PHI in the course of that transmission. An entity that stores or maintains PHI on behalf of a covered entity, even without viewing it, is not a conduit.

Business Associate Agreements
The HIPAA Privacy Rule provides that a covered entity must enter into a business associate contract or “other written agreement or arrangement” in order to disclose PHI to a business associate or to allow a business associate to create or receive PHI on the covered entity’s behalf. Similarly, the Security Rule provides that a covered entity must enter into a business associate contract or “other arrangement” in order to allow a business associate to create, receive, maintain, or transmit electronic PHI on the covered entity’s behalf.

The final regulations modify the content required in the business associate agreement between a covered entity and business associate. A few of the required changes include:

• Reflect that the obligation to obtain “satisfactory assurances” from a subcontractor that will handle PHI rests with the business associate, not the covered entity.

• Add a provision stipulating that if the business associate becomes aware of noncompliance by the subcontractor, the business associate must respond as a covered entity is required to do with respect to a noncompliant business associate, including terminating the agreement if warranted.

• Require the business associate to report breaches of unsecured PHI to the covered entity.

As noted earlier, the final regulations provide for a special transition period for certain business associate agreements. 

Valid business associate agreements in place prior to January 25, 2013 that are not renewed or modified between March 26, 2013 and September 23, 2013 are deemed compliant with the final regulations until the earlier of (1) the date the agreement is renewed or modified on or after September 23, 2013 or (2) September 22, 2014.

Business associate agreements executed on or after January 25, 2013 do not qualify for the transition rule and must comply with the final regulations by September 23, 2013.

Notices of Privacy Practices
Under HIPAA, a covered entity is required to provide a notice of privacy practices to each individual who is the subject of PHI, describing the uses and disclosures of PHI that may be made by the covered entity, the individual’s rights, and the covered entity’s legal duties with respect to PHI.

The final regulations have added information to be incorporated into the privacy notice, including the following:

• A description of the uses and disclosures of PHI (for example, for marketing or the sale of PHI) that require an authorization from the individual to whom the PHI pertains.

• Information regarding fundraising communications and the option to decline receiving such communications.

• A statement regarding the individual’s right to be notified where the individual’s PHI has been breached.

The final regulations reiterate that covered entities must update and distribute the Notice of Privacy Practices. In reiterating the covered entity’s responsibility, the preamble to the final regulations states: “business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official…”

The updated Notice of Privacy Practices must be provided by covered entities no later than September 23, 2013.

Definition of Breach and Required Notification
The final regulations continue to require that a covered entity must notify each individual whose unsecured PHI was or is reasonably believed by the covered entity to have been accessed, acquired, used or disclosed due to a breach, not later than sixty (60) days following the discovery of such breach.

The final regulations modify the definition of breach. Under the interim final breach notification rule, a breach would have been considered to have occurred if the access, use or disclosure poses “a significant risk of financial, reputational or other harm to an individual.” The final regulations stipulate that “an acquisition, access, use, or disclosure of protected health information in a manner not permitted…is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”

The assessment of whether there is a low probability that the protected health information has been compromised must be based on an assessment of at least the following factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

• The identity of the unauthorized person who used the PHI or to whom the disclosure was made.

• Whether the PHI was actually acquired or viewed.

• The extent to which the risk to the PHI has been mitigated.

The final regulations continue to require that the covered entity notify the individual that his or her PHI has been subject to a breach. A business associate “shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.”

The final regulations provide clarification regarding the circumstances under which a business associate would be an agent of the covered entity for purposes of the obligations under HIPAA, including the calculation of the notification period under the breach notification rules. Previously, the HIPAA regulations were silent as to which laws would apply for determining whether a business associate is an agent. The final regulations now specify that the determination will be based upon the facts and circumstances, and will be determined using federal common law principles of agency.

Individual Rights
The HIPAA Privacy Rule provides individuals certain rights with respect to their health information. Specifically, covered entities must provide individuals with the right to access and amend their PHI, provide individuals with an accounting of disclosures of their PHI, allow individuals the right to request restrictions on the uses and disclosures of their PHI, and allow individuals the right to request that they receive their PHI at alternative locations or by alternative means.

The final regulations expand individuals’ rights in a number of ways including the following:

• Individuals may obtain electronic access to their PHI that is maintained electronically in a designated record set, in the electronic form and format they request if it is readily producible.

• If an individual directs a covered entity to transmit a copy of PHI directly to another person, the covered entity must do so. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where the PHI is to be sent.

• Permit covered entities to disclose a decedent’s PHI “to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.”

• Expand the situations in which a covered entity must agree to an individual’s request to restrict disclosure of PHI to a health plan. Specifically, the covered entity must agree if the disclosure is for carrying out payment or healthcare operations, is not otherwise required by law, and the PHI pertains solely to an item or service for which the individual (or someone other than the health plan on the individual’s behalf) has paid the covered entity in full.

GINA
GINA prohibits health plans and health insurers from using or disclosing genetic information, such as family history, for underwriting purposes. The final regulations adopt the prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long-term care policies.

In addition, the final regulations revise the definition of “health information” in § 160.103 of the Privacy Rule to make clear that the term includes “genetic information.”

The term “underwriting purposes” means:

• Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy.

• The computation of premium or contribution amounts under the plan, coverage, or policy.

• The application of any pre-existing condition exclusion under the plan, coverage, or policy.

• Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

Civil Monetary Penalties
The final regulations adopt the monetary penalties that may be levied on covered entities and business associates for violations of HIPAA as permitted under HITECH. The final regulations define the four categories of violations that reflect increasing levels of culpability and corresponding tiers of penalties as follows:

Violation category            | Each violation    | All such violations of an identical provision in a calendar year
Did Not Know                  | $100 - $50,000    | $1,500,000
Reasonable Cause              | $1,000 - $50,000  | $1,500,000
Willful Neglect - Corrected   | $10,000 - $50,000 | $1,500,000
Willful Neglect - Not Corrected | $50,000         | $1,500,000

In determining the penalty, HHS will take into consideration the following:

• The nature and extent of the violation, consideration of which may include but is not limited to:
  o The number of individuals affected.
  o The time period during which the violation occurred.

• The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
  o Whether the violation caused physical harm.
  o Whether the violation resulted in financial harm.
  o Whether the violation resulted in harm to an individual’s reputation.
  o Whether the violation hindered an individual’s ability to obtain healthcare.

• The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:
  o Whether the current violation is the same as or similar to previous indications of noncompliance.
  o Whether, and to what extent, the covered entity or business associate has attempted to correct previous indications of noncompliance.
  o How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort.
  o How the covered entity or business associate has responded to prior complaints.

• The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:
  o Whether the covered entity or business associate had financial difficulties that affected its ability to comply.
  o Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, healthcare.

• The size of the covered entity or business associate.

It is important to note that the final regulations eliminate the former affirmative defense to penalties where the covered entity or business associate “did not know and with the exercise of reasonable diligence would not have known of the violation.” Such violations are now punishable under the lowest penalty tier. An affirmative defense remains, however, for violations not due to willful neglect that are corrected within 30 days. The final regulations provide as follows:

“the Secretary may not impose a civil money penalty on a covered entity or business associate for a violation if the covered entity or business associate establishes to the satisfaction of the Secretary that the violation is— (1) Not due to willful neglect; and (2) Corrected during either: (i) The 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred; or (ii) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.”

For a copy of the final regulations as published in the January 25, 2013 Federal Register, please click on the link provided below.

http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
