Blog

HIPAA Rules Finalized, Effective March 26

  • PDFPDF
    • Email
    • LinkedIn
    • Facebook
    • Twitter
    Share this page
  • PDFPDF
    • Email
    • LinkedIn
    • Facebook
    • Twitter
    Share this page

Blog

HIPAA Rules Finalized, Effective March 26

  • PDFPDF
    • Email
    • LinkedIn
    • Facebook
    • Twitter
    Share this page

1 Min Read

Related Topics

Health Care Privacy

January 28, 2013

The Department of Health and Human Services has issued a comprehensive final set of regulations modifying the Health Insurance Portability and Accountability Act (HIPAA) rules. The rules were promulgated to implement changes provided for under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008, and to make other changes related to privacy, security and enforcement under HIPAA. The regulations are effective on March 26, 2013, but covered entities and business associates have until September 22, 2013 to come into compliance. Highlights of the changes under the regulations include:

(1) business associates (including their subcontractors) of covered entities are directly liable for HIPAA privacy and security compliance;

(2) more stringent standards govern whether notification is required after a breach of unsecured protected health information: an impermissible use or disclosure is "presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised," which will likely require reporting more breaches than the prior "significant risk of harm" standard;

(3) individuals have expanded rights to receive electronic copies of their health information and to restrict disclosures of treatment paid for by the individual;

(4) enforcement penalties for HITECH violations are increased; and

(5) covered entities must send participants an updated notice of privacy practices.

TIP: In light of these sweeping regulations, covered entities (including employer group health plans), business associates and entities that perform services for business associates will need to review and update their HIPAA privacy and security policies and procedures, their business associate agreements and their breach notification obligations. Employer group health plans will need to be reviewed and updated, employees will need to be trained with respect to the new requirements and the updated notices of privacy practices will need to be distributed.

This tip has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.