
Expanded HIPAA Compliance Requirements

Introduction

The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) have released comprehensive modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules, with a compliance deadline of Sept. 23, 2013. These changes are being characterized as the most comprehensive update to the HIPAA Privacy Rule since its inception in 1996. According to the official press release: “Much has changed in health care since HIPAA was enacted over fifteen years ago. The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.” The new rule in its entirety can be viewed at the Federal Register at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

Key Provisions

In this final rule HHS implements modifications to the HIPAA Privacy, Security, and Enforcement Rules incorporating many of the privacy, security, and enforcement provisions of the HITECH Act along with other changes to the Rules; modifies the Breach Notification Rule; finalizes the modifications to the HIPAA Privacy Rule to strengthen privacy protections for genetic information; and responds to the public comments received on the proposed and interim final rules. The most sweeping and immediate changes imposed by the rules apply to the terms of business associate agreements.

This omnibus final rule is comprised of the following four final rules:

1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010.

These modifications include:

  • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization records to schools, and to enable access to decedent information by family members or others.
  • Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the Oct. 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance due to willful neglect.

2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.

3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.

4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

Key Dates

  • Sept. 23, 2013: Covered entities must comply with most of the new Rules’ provisions.
  • Sept. 25, 2013: Disclosures of PHI become subject to the new restrictions on sale of PHI.
  • Sept. 22, 2014: Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors.

Conclusion

For a complete analysis of the final rule by LeadingAge New York's legal counsel, Hinman Straub P.C., please click here. Other resources you may find helpful include the Privacy Rule FAQs on the OCR website and the OCR resource on covered entities and business associates. As noted above, the most critical and expansive impact of the new rules involves the relationship between the health care provider and its business associates.

Contact: Patrick Cucinelli, pcucinelli@leadingageny.org, 518-867-8827