This year, the U.S. Department of Health and Human Services (HHS) strengthened the privacy and security protections afforded protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations took effect on March 26, 2013. Startups, medical organizations and Business Associates had until September 23, 2013 to fully comply.
If your company is still trying to figure out compliance, be aware of the following changes to the law that may affect your business.
2. Application of HIPAA to Business Associates.
Business Associates are now directly liable for:
✓ Impermissible uses or disclosure of PHI;
✓ Failure to provide proper breach notification to a CE;
✓ Failure to provide appropriate access to an electronic copy of PHI to a CE, individual or individual’s representative;
✓ Failure to provide an accounting of disclosures; and
✓ Failure to comply with the applicable requirements of the Security Rule.
If a Business Associate violates any part of a Business Associate Agreement, such violation is now considered a HIPAA violation.
Business Associates must only use, disclose or request PHI from another entity if they limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request.
Business Associate Agreements
Due to the expanded definition of “Business Associate,” many CEs will have to either put new Business Associate Agreements into place or update agreements they already have. To comply with the HIPAA amendments, Agreements must now require that Business Associates:
✓ Comply with the Security Rule;
✓ Report breaches to the CE;
✓ Ensure that sub-contractors agree to and comply with all of the provisions that apply to Business Associates; and
✓ Comply with the Privacy Rule to the extent that the Business Associate carries out an obligation of the CE that is regulated by the Privacy Rule.
Notification
CEs must revise and distribute their notice of privacy policies and include a statement that:
✓ Describes the types of uses and disclosures that require authorization under HIPAA;
✓ Informs individuals of their right to opt out of receiving fundraising communications;
✓ Informs individuals of their right to require CEs not to submit treatment information to their health plan if the individual pays in cash; and
✓ Informs individuals of their right to receive notice following a breach affecting their PHI.
Marketing and Fundraising Modification
This modification strengthens limitations on the use and disclosure of PHI for marketing and fundraising purposes and prohibits the sale of PHI without individual authorization. Marketing has been redefined as any patient communication where the provider receives financial remuneration from a third party whose products or services are being marketed. When marketing is based on PHI, patient authorization is required.
Individuals’ Rights Modification
This modification expands individuals’ rights to receive electronic copies of their health information upon request and to restrict disclosures to a health plan concerning treatment when the individual pays by cash.
Individual Authorization Modification
This modification facilitates the process for an individual to give authorization for use of PHI for research purposes, for disclosing a child’s immunization records to a school and for enabling access to decedent information by family members and others.
3. Breach Notification Modification
The breach notification standard has been lowered and breach notification requirements strengthened. When PHI is compromised in some way, there is an automatic presumption of breach.
Before the amendments, to determine whether something was a “breach,” the CE assessed whether the use or disclosure posed a significant risk of financial, reputational or other harm to the patient. Now, an improper use or disclosure of PHI is presumed to be a breach unless the CE can demonstrate that there is a low probability that the PHI was compromised. The CE does this through assessing the nature and extent of the PHI involved, the entity who used the PHI or to whom the disclosure was made, whether the PHI was actually obtained or viewed, and the extent to which the risk has been mitigated.
Increased Penalties for Violations
Penalties have increased for non-compliance based on level of negligence (did not know; reasonable cause; willful neglect—corrected; willful neglect—uncorrected). The maximum penalty is $50K per violation and $1.5M per multiple identical violations.
Reasonable lack of knowledge used to be an affirmative defense. Now, a CE can only claim a complete defense if the violation was not due to willful neglect and was corrected within 30 days of being discovered by the CE.
Genetic Information
The Genetic Information Nondiscrimination Act (GINA) amendments prohibit “health plans” from using or disclosing genetic information for “underwriting purposes” and define genetic information as “health information.”
✓ “Health Plan.” Prior to the amendments, HIPAA considered almost any plan that provides or pays for the cost of medical care a health plan. The modifications now expand the definition of health plan and prohibit four specific types of entities—group health plans, health insurance issuers, health maintenance organizations and Medicare supplemental policies—from using genetic information for underwriting purposes. Long-term health care providers are not included in this definition. Health plans that perform underwriting must include a statement in their notice of privacy policies that they are prohibited from using or disclosing genetic information for underwriting purposes.
✓ “Underwriting Purposes.” The amendments define underwriting purposes as anything related to the creation, renewal or placement of a contract for health insurance benefits, such as determining eligibility, cost of premiums or exclusion due to a preexisting condition.
✓ “Genetic Information.” The amendments define genetic information to mean information about the genetic tests of an individual, the genetic tests of an individual’s “family members” and genetic information about the manifestation of a disease or disorder in an individual’s family members. Genetic information also includes information about any request for, or receipt of, “genetic services,” as well as information about participation in clinical research that includes genetic services.
✓ “Family Member.” The amendments define family members to encompass up to “fourth-degree” blood relatives of the individual and relatives by marriage or adoption.
✓ “Genetic Services.” Such services include a genetic test, genetic counseling or genetic education.
For more information or guidance on getting your business ready for these regulatory changes, contact a privacy attorney at Gagnier Margossian LLP.