On July 14, 2010, the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (Proposed Rule) to implement modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules. The Proposed Rule implements changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and is intended to strengthen the privacy and security of protected health information (PHI). Highlights of the Proposed Rule that are important to group health plans are outlined below:

Business Associates. Business associates will be directly liable for Privacy and Security Rule failures related to PHI held by the business associate. The definition of "business associate" will be expanded to include subcontractors of business associates that receive PHI, so subcontractors will themselves be business associates for purposes of HIPAA. Business associates will be required to obtain from their subcontractors written assurances that meet the business associate contract requirements regarding the safeguarding of PHI.

Covered Entity Liability. Covered entities remain liable for civil penalties for violations committed by their business associates; this will be true even if there is no business associate contract in place.

Notice of Privacy Practices. Privacy notices will be required to include a specific statement regarding those uses and disclosures of PHI that require individual authorization.

Additional Authorization Event. Individual authorization will be required for any disclosure of PHI made in exchange for direct or indirect remuneration received by the covered entity or business associate.

Disclosure of PHI. Covered entities will be permitted to disclose a deceased individual's PHI to family members and others involved in the care or payment for care of the individual prior to death. Covered entities will be permitted to disclose proof of immunization to schools in states that have school entry and similar laws.

Restrictions on Uses and Disclosures. Covered entities will be required to agree to a requested restriction on uses and disclosures of PHI if the request pertains to disclosure of PHI to a health plan for payment or health care operations and the health care item or service that is the subject of the restriction was paid for in full by the individual, or by another person on the individual's behalf.

Access to Electronic Records. If PHI is used or maintained in an electronic format, a covered entity must, on request, provide the individual access in that electronic form if the information is readily producible in that form, or otherwise in a format agreed to by the individual. Also, if the individual so requests, the covered entity must transmit the copy directly to a person designated by the individual.

Effective Date. A 180-day period to comply with the new provisions is expected to begin once the final rule is published. An additional transition period for modifying certain existing business associate agreements will be included.

Although the provisions under the Proposed Rule are not yet effective, we encourage employers to begin to review their plans and prepare for the impending changes that will need to be made to HIPAA procedures and privacy notices.

This article is presented for informational purposes only and is not intended to constitute legal advice.