EBIA Weekly 1/24/13
- Privacy and Security Rule Modifications.
— Business associates are directly subject to the security rule requirements (including administrative, physical, and technical safeguards, and related policies and procedures) and many privacy rule requirements. OCR can take direct enforcement action against business associates for violations of these provisions.
— The business associate definition is broadened to include entities that create, receive, maintain, or transmit PHI in connection with services to a covered entity. [EBIA Comment: The prior definition focused on use or disclosure, prompting some service providers that did not regularly access PHI to disavow business associate status. The change reflects HHS’s narrowing of the conduit exception. The preamble explains that vendors storing PHI are business associates if they have the ability to access PHI—even if actual access is not part of their services. The conduit exception is limited to couriers (and their electronic equivalents) that have only a “transient” ability to access PHI.]
— Subcontractors may be business associates. If a business associate delegates a function that makes it a business associate to a third party, that party also becomes a business associate, and the delegating business associate (not the covered entity) must have a business associate contract with the subcontractor. For example, a document disposal service hired by a business associate to dispose of PHI is a business associate, directly subject to the applicable provisions of HIPAA’s privacy and security rules.
— Individuals can obtain electronic access to their PHI that is maintained electronically in a designated record set. This generally requires a covered entity to provide PHI in the form and format requested by, or agreed to by, the individual. Individuals also can direct the covered entity to transmit electronic PHI to a third party. (Business associates must provide such access only as agreed to under a business associate contract.)
— The Notice of Privacy Practices must reflect additional content, including the requirement for breach notification and the prohibition on using genetic information for underwriting purposes. HHS considers these changes to be material—generally requiring distribution of a revised Notice within 60 days of the revision. However, for this and future revisions, a health plan that posts its Notice on its website can post the revised Notice on the compliance date and, in its next annual mailing, provide the revised Notice (or information about how to obtain it).
- Increased Civil Penalties. The final regulations implement the increased penalty amounts under the HITECH Act and extend potential liability to business associates that violate an applicable HIPAA provision. Further, both covered entities and business associates may be liable for civil penalties if their “agents” violate HIPAA. The preamble provides an extensive discussion of agency, noting that an agent’s status is determined under federal law and depends on the authority to control the performance of services.
- Breach Notification. The final regulations change the definition of a “breach” of unsecured PHI. The new definition presumes there is a breach—and generally requires notification—unless a risk assessment demonstrates a low probability that PHI has been “compromised.” The risk assessment must consider at least the following factors: the nature of the PHI, the unauthorized person who received the disclosure, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
- GINA. The regulations prohibit health plans from using or disclosing “genetic information” for “underwriting purposes.” (These definitions track existing GINA regulations. For example, a health plan may not use or disclose genetic information for determining eligibility, coverage, or payments under the plan; an exception allows use for determining medical appropriateness of a treatment.) This prohibition applies to all health plans that are subject to the privacy rule, except issuers of long-term care insurance.