Delayed HIPAA/HITECH Final Rules promise big changes

January 3, 2013

By Tom Dumez, President of Prime Compliance

The “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” Notice of Proposed Rulemaking (NPRM) was initially published in July 2010. The Office of Management and Budget (OMB) received the much delayed U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules that had been bundled together in what was called “Omnibus Final Rulemaking.” One of the biggest problems in rulemaking is the delay in the issuance of rules due to legal requirements, bureaucracy, and political influences. For covered entities (CEs, which are your clients), business associates (BAs, which is you), and their agents and subcontractors (the people you outsource a covered service to), things are changing.

The original NPRM read:“The HHS OCR will issue final rules to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH, Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.” We originally expected the rules to be finalized in early 2012. Right.

We knew the NPRM would contain changes to four of the HIPAA/HITECH related rules. The rules to be included were the following: Genetic Information Non-Discrimination Act (GINA) NPRM, Breach Notifications Interim Final Rule (IFR), Enforcement and Compliance IFR, and HITECH Privacy/Security/Enforcement NPRM. The HITECH changes address areas such as BAs, enforcement, electronic access (accounting of disclosures), marketing, fundraising, no sale of personal health information (PHI) and the right to request restrictions.

Among the biggest changes will be those related to BAs, subcontractors and other parties as HITECH casts a much wider net over millions of organizations. HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of PHI. These sections also make them directly liable for criminal and civil penalties for violations of certain provisions of the HIPAA Privacy and Security Rules. As it specifically relates to those in the document destruction business (as a BA), the NPRM originally proposed the following:

1. Requiring that BAs comply with the technical, administrative and physical safeguard requirements under the Security Rule
2. Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule
3. Clarifying BAs are liable regardless of whether they have an agreement in place with the CE
4. Defining subcontractors as Bas, clarifying that BA liability flows to all subcontractors
5. Higher fines for failing to secure PHI

My opinion is that these amendments will stay true to these suggestions. The lines continue to blur as we look at the differences between BAs and CEs. There are rules that BAs will be expected to follow that have historically only applied to CEs. The four items above will impact BAs. However, these are also simply good business practices. More regulations, more liability, more responsibility, and more risk. A real world, relevant training program for your employees is paramount.