This year, the U.S. Department of Health and Human Services (HHS) strengthened the privacy and security protections afforded protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations took effect on March 26, 2013. Startups, medical organizations and Business Associates had until September 23, 2013 to fully comply. If your company is still trying to figure out compliance, be aware of the following changes to the law that may affect your business.

1. GAMABrief:
Got HealthTech? Get HIPAA/HITECH Aware
This year, the U.S. Department of Health and Human Services (HHS) strengthened the privacy and security protections afforded
protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new
regulations took effect on March 26, 2013. Startups, medical organizations and Business Associates had until September 23, 2013
to fully comply.
If your company is still trying to figure out compliance, be aware of the following changes to the law that may affect your
business.
Modifica(ons
to
HIPAA
Under
the
HITECH
Act
Expanded Definition of Business Associate
The definition of a “Business Associate” has been expanded to include a person or entity that “maintains” PHI while performing
certain functions or activities on behalf of a Covered Entity (CE). Examples include a data storage company that stores PHI on
behalf of a CE or a software provider that stores PHI on its own server on behalf of a CE, regardless of whether the person or
entity actually views the PHI. The new definition also adds “patient safety activities” to the list of functions or activities performed
on behalf of a CE that give rise to a Business Associate relationship.
The definition of a “Business Associate” now includes the following three categories:
✓ Any person or entity that provides data transmission services of PHI to a CE or another Business Associate and that
requires “access on a routine basis” to such PHI, and (2) any person who offers a personal health record (PHR) to
one or more individuals on behalf of a CE.
✓ “Access on a routine basis.” Examples of routine access include access to PHI by a software provider when
providing troubleshooting services to its CE user or the storage of PHI. Thus, even if the entity doesn’t actually
view the PHI, only stores it, it is still a Business Associate. Mere conduits (e.g., ISPs, the postal service or
telecommunications service providers) are not considered Business Associates due to the transient manner in
which they handle PHI. Many CEs will now need to put Business Associate Agreements in place with vendors
who require access to PHI on a routine basis.
✓ The determination of whether a PHR vendor is a Business Associate is a fact-specific inquiry. For example, a
vendor that contracts with a CE to allow the vendor to access and then offer a PHR to a patient is considered a
Business Associate because the vendor is providing a service on behalf the CE. On the other hand, a vendor that
offers PHRs to individuals through its own service, and not on behalf of a CE, is not a Business Associate.
✓ This section also defines health information organizations (HIOs)— organizations that oversee and govern the
exchange of health-related information among organizations—as Business Associates.
✓ Public Safety Organizations (PSO) – Any entity that undertakes “patient safety activities” on behalf of a CE. This
means any entity that receives reports of patient safety events or concerns from providers and provides analysis of
events to reporting providers is a Business Associate. Previously, a PSO would only be treated as a Business Associate
during the time that it actually engaged in analysis using PHI.
✓ Sub-contractor – An entity that works at the direction or on behalf of a Business Associate and handles PHI (e.g.,
companies that shred documents containing PHI) must also comply with applicable Privacy and Security Rule
provisions. Sub-contractors will be held liable for violations. Essentially, sub-contractors of Business Associates need to
comply with the exact same requirements as the Business Associates.
A GAMA White Paper produced by Chris4na Gagnier & Emily Poole © 2013. Gagnier Margossian LLP. All rights reserved.

2. Application of HIPAA to Business Associates.
Business Associates are now directly liable for:
✓
✓
✓
✓
✓
Impermissible uses or disclosure of PHI;
Failure to provide proper breach notification to a CE;
Failure to provide appropriate access to an electronic copy of PHI to a CE, individual or individual’s representative;
Failure to provide an accounting of disclosures; and
Failure to comply with the applicable requirements of the Security Rule.
If a Business Associate violates any part of a Business Associate Agreement, such violation is now considered a HIPAA violation.
Business Associates must only use, disclose or request PHI from another entity if they limit PHI to the minimum amount
necessary to accomplish the intended purpose of the use, disclosure or request.
Business Associate Agreements
Due to the expanded definition of “Business Associate,” many CEs will have to either put new Business Associate Agreements
into place or update agreements they already have. To comply with the HIPAA amendments, Agreements must now require that
Business Associates:
✓
✓
✓
✓
Comply with the Security Rule;
Report breaches to the CE;
Ensure that sub-contractors agree to and comply with all of the provisions that apply to Business Associates; and
Comply with the Privacy Rule to the extent that the Business Associate carries out an obligation of the CE that is
regulated by the Privacy Rule.
Notification
CEs must revise and distribute their notice of privacy policies and include a statement that:
✓ Describes the types of uses and disclosures that require authorization under HIPAA;
✓ Informs individuals of their right to opt out of receiving fundraising communications;
✓ Informs individuals of their right to require CEs not to submit treatment information to their health plan if the
individual pays in cash; and
✓ Informs individuals of their right to receive notice following a breach affecting their PHI.
Marketing and Fundraising Modification
This modification strengthens limitations of use and disclosure of PHI for marketing and fundraising purposes and prohibits the
sale of PHI without individual authorization. Marketing has been redefined as any patient communication where the provider
receives financial remuneration from a third party whose products or services are being marketed. When marketing is based on
PHI, patient authorization is required.
Individuals’ Rights Modification
This modification expands individuals’ rights to receive electronic copies of their health information upon request and to restrict
disclosures to a health plan concerning treatment when the individual pays by cash.
Individual Authorization Modification
This modification facilitates the process for an individual to give authorization for use of PHI for research purposes, for disclosing
a child’s immunization records to school and for enabling access to decedent information by family members and others.

3. Breach
No(fica(on
Modifica(on
The breach notification standard has been lowered and breach notification requirements strengthened. When PHI is
compromised in some way, there is an automatic presumption of breach.
Before the amendments, to determine whether something was a “breach,” the CE assessed whether the use or disclosure posed
a significant risk of financial, reputation or other harm to the patient. Now, an improper use or disclosure of PHI is presumed to
be a breach unless the CE can demonstrate that there is a low probability that the PHI was compromised. The CE does this
through assessing the nature and extent of the PHI involved, the entity who used the PHI or to whom the disclosure was made,
whether the PHI was actually obtained or viewed and the extent to which the risk has been mitigated.
Increased
Penal(es
for
Viola(ons
Penalties have increased for non-compliance based on level of negligence (did not know; reasonable cause; willful neglect—
corrected; willful neglect—uncorrected). The maximum penalty is $50K per violation and $1.5M per multiple identical violations.
Reasonable lack of knowledge used to be an affirmative defense. Now, a CE can only claim a complete defense if the violation
was not due to willful neglect and was corrected within 30 days of being discovered by the CE.
Gene(c
Informa(on
The Genetic Information Nondiscrimination Act (GINA) amendments prohibit “health plans” from using or disclosing genetic
information for “underwriting purposes” and define genetic information as “health information.”
✓ “Health Plan.” Prior to the amendments, HIPAA considered almost any plan that provides or pays for the cost of
medical care a health plan. The modifications now expand the definition of health plan and prohibit four specific type
of entities—group health plans, health insurance issuers, health maintenance organizations and Medicare
supplemental policies—from using genetic information for underwriting purposes. Long-term health care providers
are not included in this definition. Health plans that perform underwriting must include a statement in their notice of
privacy polices that they are prohibited from using or disclosing genetic information for underwriting purposes.
✓ “Underwriting Purposes.” The amendments define underwriting purposes as anything related to the creation,
renewal or placement of a contract for health insurance benefits, such as determining eligibility, cost of premiums or
exclusion due to a preexisting condition.
✓ “Genetic Information.” The amendments define genetic information to mean information about the genetic tests of
an individual, the genetic test of an individual’s “family members” and genetic information about the manifestation of a
disease or disorder of an individual’s family members. Genetic information also includes info about any request for, or
receipt of, “genetic services,” as well as info about participation in clinical research that includes genetic services.
✓ “Family member.” The amendments define family members to encompass up to “fourth-degree” blood relatives of
the individual and relatives by marriage or adoption.
✓ “Genetic Services.” Such services include a genetic test, genetic counseling or genetic education.
For
more
informa(on
or
guidance
on
geBng
your
business
ready
for
these
regulatory
changes,
contact
a
privacy
aHorney
at
Gagnier
Margossian
LLP.
Internet
Intellectual Property
Privacy
Social Media
Technology
The Good Stuff
#nerdlawyers
Los Angeles
Sacramento
T: 415.766.4591
F: 909.972.1639
E: consult@gamallp.com
gamallp.com
@gamallp
San Francisco