Expansion of Business-Associate Obligations
The Final Rule implements the HITECH Act’s expansion of business associates’ HIPAA obligations by applying the Privacy and Security Rules directly to business associates and by imposing civil and criminal penalties on business associates for HIPAA violations. It also extends obligations and potential penalties to subcontractors of business associates if a business associate delegates a function, activity, or service to the subcontractor, and the subcontractor creates, receives, maintains, or transmits PHI on behalf of the business associate. Any business associate that delegates a function involving the use or disclosure of PHI to a subcontractor will be required to enter into a business-associate agreement with the subcontractor.
Additional Provisions
The Final Rule addresses the following additional issues by:
- Requiring covered entities to modify their Notices of Privacy Practices;
- Allowing individuals to obtain a copy of PHI in an electronic format if the covered entity uses an electronic health record;
- Restricting marketing activities;
- Allowing covered entities to disclose relevant PHI of a deceased person to a family member, close friend, or other person designated by the deceased, unless the disclosure is inconsistent with the deceased person’s known prior expressed preference;
- Requiring covered entities to agree to an individual’s request to restrict disclosure of PHI to a health plan when the individual (or someone other than the health plan) pays for the healthcare item or service in full;
- Revising the definition of PHI to exclude information about a person who has been deceased for more than 50 years;
- Prohibiting the sale of PHI without authorization from the individual, and adding a requirement of authorization in order for a covered entity to receive remuneration for disclosing PHI;
- Clarifying OCR’s view that covered entities may send electronic PHI to individuals in unencrypted e-mail only after advising the individual of the risk, and only if the individual still prefers that channel;
- Prohibiting health plans from using or disclosing genetic information for underwriting, as required by the Genetic Information Nondiscrimination Act of 2008 (GINA);
- Allowing disclosure of proof of immunization to schools if agreed by the parent, guardian, or individual;
- Permitting compound authorizations for clinical-research studies; and
- Revising the Enforcement Rule (which was previously revised in 2009 as an interim final rule), which:
  - Requires the Secretary of HHS to investigate a HIPAA complaint if a preliminary investigation indicates a possible violation due to willful neglect;
  - Permits HHS to disclose PHI to other government agencies (including state attorneys general) for civil or criminal law-enforcement purposes; and
  - Revises the standards for determining the levels of civil money penalties.
Effective Date, Compliance Date
Although most provisions of the Final Rule became effective on March 26, 2013, many provisions affecting covered entities and business associates (including subcontractors) required compliance by Sept. 23, 2013. However, if certain conditions are met, the Final Rule allows additional time to revise business-associate agreements to make them compliant. In particular, transition provisions allow covered entities and business associates to continue to operate under existing business-associate agreements for up to one year beyond the compliance date (until Sept. 22, 2014) if the business-associate agreement:
- Is in writing;
- Is in place prior to Jan. 25, 2013 (the publication date of the Final Rule);
- Complied with the Privacy and Security Rules as they were in effect immediately prior to Jan. 25, 2013; and
- Is not modified or renewed.
This additional time for grandfathered business-associate agreements applies only to the written-documentation requirement. Covered entities, business associates, and subcontractors are required to comply with all other HIPAA requirements beginning on the compliance date, even if the business-associate agreement qualifies for grandfathered status.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC in Chicago. Write to him at [email protected].