In the 1979 movie “The Jerk,” Steve Martin excitedly announced “The new phone book’s here! The new phone book’s here!” With the HHS release of the new Final Rule yesterday (January 17, 2013), watchers of HHS and its HIPAA regs are yelling “The new privacy rules are here! The new privacy rules are here!” With an estimated cost to the economy in the first year of implementation of between $114 million and $225 million, the updates to the privacy and security rules strive to increase the privacy and security protections that already exist under HIPAA and HITECH. In what HHS has described as “[t]he final omnibus rule,” changes are spread across four separate rules and include:
- Final modifications to the interim Privacy, Security, and Enforcement Rules that were part of a proposed rule in 2010 and that resulted from the HITECH Act.
- Finalization of the “increased and tiered civil money penalty structure” under the HIPAA Enforcement Rule, established originally under a 2009 interim rule.
- The final rule on breach notification under HITECH that “replaces the breach notification rule’s “harm” threshold [established under a 2009 interim rule] with a more objective standard”
- A final rule that modifies the Privacy Rule to prohibit use or disclosure of genetic information for underwriting purposes.
The updates to the Privacy, Security, and Enforcement Rules contained in the Final Rule reiterate or clarify many of the provisions of the proposed rule from 2010. Chief among these is the requirement to make business associates (the companies that provide services involving protected health information to covered entities, like hospitals and physicians) liable directly for compliance with some of the requirements under the Privacy and Security Rules. The Final Rule also adopts several of the expansions to the definition of “business associate” that result in various types of entities being included as business associates. These include Health Information Organizations (HIOs), E-prescribing Gateways, and vendors of public health records. The definition also incorporates subcontractors by adding to the definition that a business associate includes any “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” These changes significantly expand the scope and applicability of the business associate rules; entities that currently are business associates or those who are considering becoming business associates should carefully vet these new rules and consider how they will impact their operations.
Other aspects of the Privacy, Security, and Enforcement Rules contained in the Final Rule include (a) tightening of requirements around use of PHI for marketing purposes and a prohibition on the sale of any PHI with the consent of the data subject, (b) expanded rights for data subjects to receive copies of their PHI, (c) certain required changes to privacy practice notices, and (d) adoption of certain changes to the Enforcement Rule that were in HITECH but weren’t adopted in the 2009 interim final rule.
At 563 pages and with an effective date of March 26, 2013, the Final Rule is not for the faint of heart. In recognizing the breadth of the Rule, however, the HHS responses to comments provide for some very interesting reading. As just one example, the HHS authors confront certain feedback that questioned the ability of covered entities and business associates to meet the 180-day compliance window. After first pointing out that the Social Security Act requires a 180-day period, HHS states that “providing a 180-day compliance period best protects the privacy and security of patient information, in accordance with the goals of the HITECH Act.” For companies thinking they can leisurely integrate the new rules, HHS seems to be saying “think again.” It will be interesting to see if equally firm enforcement occurs as a result of the Final Rule.