The Health Information Technology for Economic and Clinical Health (HITECH) Act’s compliance deadline for its HIPAA amendments is just around the corner. On September 23, 2013, the Department of Health and Human Services (HHS) will require covered entities, including most health care providers, and many of their business associates to meet the new Privacy Rule, Security Rule, and Breach Notification requirements for protected health information (PHI). In preparation, covered entities and business associates should have updated policies, procedures, and business associate agreements, as well as trained employees on the new rules. Business associate agreements created, modified, or renewed on or after January 25, 2013 must be compliant by September 23, while agreements existing before January 25 that have not been subsequently renewed or modified must be compliant by September 22, 2014.
As HHS tightens PHI privacy standards and steps up enforcement activity, it is increasingly important for health care providers, and especially for their business associates, to be vigilant about HIPAA compliance. Some of the most important changes in the new HITECH standards are described below. The HITECH amendments to HIPAA are available online here.
Privacy Notices. Covered entities must update their Notices of Privacy Practices and post the updated notices prominently. § 164.520.
Marketing and Sale of PHI. The use of PHI in marketing and sales activities has been further restricted. Almost all such activities permissible under the old rules are now prohibited if a covered entity or business associate fails to get authorization from the individual while receiving financial benefit, whether directly or indirectly. There are some limited exceptions to the authorization requirement for marketing purposes. § 164.508.
Fundraising. Disclosures to a business associate or to an institutionally related foundation for the purpose of targeted fundraising are permissible so long as the recipient is informed of the right to opt out of future fundraising communications. § 164.514(f).
Individual Access to PHI. Individuals have greater rights to receive their own PHI. They also have a new right to restrict otherwise permissible disclosures to health plans about medical treatment for which they have paid out-of-pocket. § 164.524.
Business Associates. The Security Rule’s data security safeguards now apply to business associates as well as covered entities. Under a newly expanded definition of “business associate,” entities that receive and maintain PHI, whether it is received directly or indirectly from a covered entity, must update their policies, procedures, and business associate agreements. §§ 164.314(a); 164.502(e); 164.504.
Breach Notification Requirements. An impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity or business associate shows that there is a low probability that the PHI has been compromised. This means that notification is required in all situations except those in which there is a demonstrable low probability that PHI has been compromised. A covered entity or business associate must objectively demonstrate this low probability through a risk assessment. § 164.402.
If you have questions about these updates to the Privacy Rule, Security Rule, or Breach Notification Requirements, please feel free to contact a member of Benesch’s health care department.