After several delays, the Department of Health and Human Services ("HHS") released final omnibus regulations under the Health Insurance Portability and Accountability Act ("HIPAA") on January 17. Totaling over 550 pages, the rules generally update HIPAA's privacy, security and enforcement rules, implement the breach notification rule under the Health Information Technology for Clinical Health Act ("HITECH Act"), and modify the HIPAA privacy rule to provide increased protections for genetic information. These final rules will be published in the Federal Register on January 25, 2013. The new rules include significant changes that will affect covered entities, including group health plans and the employers that sponsor such plans, as well as business associates. The final regulations are effective March 26, 2013, and covered entities and business associates generally should be prepared to implement and comply with the applicable provisions of the new rules beginning September 23, 2013.
While the full impact of the lengthy omnibus rules will take some time to digest, the rules address various areas of HIPAA compliance, including:
- direct liability of business associates for failure to comply with certain HIPAA privacy and security requirements (which will require changes to Business Associate Agreements);
- application of rules affecting business associates to subcontractors;
- the standard for determining whether a HIPAA breach has occurred (which would appear to increase the likelihood of having to report breaches to HHS);
- new required provisions for Notices of Privacy Practices;
- individual rights to electronic protected health information ("PHI");
- additional limits on the use of PHI for marketing or fundraising; and
- the adoption of the increased civil monetary penalty structure under the HITECH Act.
Covered entities will need to update their Notices of Privacy Practices and Business Associate Agreements. This includes employers that sponsor group health plans. Key action items include the following:
- Distributing an updated Notice of Privacy Practices that includes, among other things, information about (a) an individual's right to receive a security breach notification upon such occurrence, (b) HIPAA's prohibition of the use of genetic information for underwriting purposes, and (c) the requirement that covered entities obtain authorization before using PHI for marketing purposes or before selling PHI.
- Updating and amending existing Business Associate Agreements with service providers who receive PHI to comply with the new rules. In addition to prior requirements, Business Associate Agreements must now require business associates to (a) enter into a business associate agreement with all subcontractors who receive PHI attributable to the covered entity serviced by the business associate, (b) comply with administrative safeguards under the HIPAA security rule, (c) report any security breach to the covered entity, and (d) comply with all provisions of the HIPAA privacy rule for obligations delegated by the covered entity to the business associate as such provisions would apply to the covered entity. For Business Associate Agreements in effect as of January 25, 2013, employers have until September 22, 2014 to make these amendments, unless the existing agreement is modified after September 23, 2013, in which case the modified Business Associate Agreement must comply with the new rules.
Covered entities, including employers that are also plan sponsors, should update all HIPAA policies and procedures and conduct any necessary workforce training to educate those individuals with access to PHI on the new rules. In addition, employers should be on the lookout for additional information about their obligations under the new regulations as the HIPAA omnibus regulations are further analyzed in weeks to come.