Having reached the one year anniversary of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, many changes to the HIPAA Privacy and Security Rules are now effective. Unfortunately, since the Department of Health and Human Services has not yet issued guidance with respect to most of these changes, Covered Entities and Business Associates must begin good faith compliance based solely on the language of the HITECH Act. Below are some highlights.
Direct Liability for Business Associates
Most significantly, Business Associates are now directly subject to the HIPAA Security Rule and most aspects of the HIPAA Privacy Rule, which requires them, among other things, to take the following actions:
- Designate a HIPAA security officer and provide security awareness and training for the workforce.
- Conduct a written risk analysis to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the Business Associate.
- Establish policies and procedures for the implementation specifications required by the HIPAA Security Rule.
Changes to the Privacy Rule
Additional changes now effective under the HIPAA Privacy Rule include:
- Minimum Necessary Restrictions. Under the minimum necessary standard, Covered Entities and Business Associates using or disclosing Protected Health Information (PHI) must make reasonable efforts to limit PHI to the “minimum necessary” to accomplish the intended purpose. Until HHS issues guidance defining “minimum necessary” (expected by Aug. 17, 2010), the safe harbor for automatic compliance with this standard requires that Covered Entities and Business Associates limit use and disclosure of PHI to the “Limited Data Set.”
- Right to Electronic Copy. For PHI maintained in an electronic health record, an individual now has the right to receive an electronic copy and/or designate that the PHI be sent to another entity or person.
- Right to Require Non-Disclosure for Out-of-Pocket Services. Health care providers must now comply with an individual’s request that PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations if the individual paid out-of-pocket, in full, for that item or service.
- Mandatory Audits. The Secretary of HHS must perform periodic compliance audits on Covered Entities and Business Associates.
Sanctions for Failure to Provide Breach Notifications
To provide adequate time for Covered Entities and Business Associates to implement and begin good faith compliance with the breach notification interim final regulations, HHS temporarily suspended the imposition of sanctions for six months. Consequently, the enforcement provisions now apply to breaches of unsecured PHI discovered on or after Feb. 22, 2010.
McGuireWoods Can Assist
In light of the changes to HIPAA now effective under the HITECH Act, Covered Entities and Business Associates are encouraged to review and update their HIPAA documents and practices, particularly business associate agreements, policies and procedures, and notices of privacy practices. McGuireWoods is prepared to assist with updating these HIPAA documents and to provide training sessions and/or materials for organizations of any sort to ensure compliance with HIPAA under the HITECH Act.
For more information on the HIPAA changes under the HITECH Act, please see our recent McGuireWoods HIPAA articles listed below or contact the authors.
- HIPAA Breach Notification Under HITECH: What Employers Should Do Now (9/8/2009)
- HHS Issues Regulations Regarding Notification of Breaches of Unsecured Protected Health Information (8/24/2009)
- FTC Finalizes Security Breach Notification Rules, HHS Delayed (8/19/2009)
- HIPAA Guidance and Request for Comments: Securing Protected Health Information and Breach Notification (5/7/2009)
- Stimulus Legislation Expands Privacy Regulation for Health Care Businesses (2/26/2009)
- Federal Stimulus Bill Significantly Expands the Scope of HIPAA’s Privacy and Security Requirements (2/23/2009)