HHS has released final regulations implementing many provisions of the Health Insurance Technology for Economic and Clinical Health Act ("HITECH"). In particular, the final regulations modify the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under HITECH and create numerous new compliance obligations for covered entities, including health plans and their business associates. This Alert summarizes some of the key changes made by the final regulations that directly impact health plans and their business associates.
New Content and Distribution Requirements for Notice of Privacy Practices. Health plans must currently maintain and distribute a Notice of Privacy Practices. The Notice describes the plan's permitted uses and disclosures, privacy practices, and legal duties regarding protected health information ("PHI"). The final regulations require plans to revise their Notices to include:
- A statement that certain PHI disclosures (i.e., disclosures involving psychotherapy notes, disclosures of PHI for marketing purposes, disclosures that constitute a sale of PHI, and disclosures other than those listed in the Notice) require an individual's prior authorization and that such authorization may be revoked.
- If the plan intends to contact an individual for fundraising purposes, a statement of such intent and the individual's right to opt out of receiving fundraising communications.
- If the plan intends to use or disclose PHI for underwriting purposes, a statement that the plan is prohibited from providing genetic information about an individual for such underwriting purposes.
- A statement informing individuals of their right to be notified following a breach of unsecured PHI.
The final regulations provide that the inclusion of these required statements creates a material change to the Notice, thereby requiring plans to notify individuals of the changes. The final regulations provide health plans with the following methods for distributing this information:
- For a health plan that currently posts its Notice on a website, the regulations require the health plan to: (1) prominently post the changes on the website by the effective date of the change; and (2) provide a copy of the revised Notice, or information about the changes and how to request a copy of the revised Notice, in the plan's next annual mailing.
- For a health plan that does not currently post the Notice on a website, the regulations require the plan to provide a copy of the revised Notice, or information about the changes and how to request a copy of the revised Notice, within 60 days of the changes.
Definition of Business Associate. HIPAA allows a health plan to disclose PHI to its business associates if both parties meet certain requirements, including the execution of a Business Associate Agreement ("BAA"). The final regulations change the definition of business associate to include subcontractors of business associates. As a result, business associates must now execute BAAs with any subcontractors that create, receive or maintain PHI on behalf of the business associate.
Business Associate Agreements. Health plans and business associates must revise their current BAAs to incorporate certain new requirements specified in the final regulations. For example, BAAs must now provide that:
- The business associate will not only report any security incidents of which it becomes aware, but also any breaches of unsecured PHI; and
- If the health plan delegates any of its Privacy Rule obligations, the business associate will comply with the Privacy Rule when performing those obligations.
Expansion of Individual Rights. The Privacy Rule allows an individual to request that the health plan restrict both the use and disclosure of PHI for treatment, payment and healthcare operations. Previously, plans were generally not required to accommodate an individual's request to restrict PHI disclosures. The final regulations now require plans to agree to an individual's request to restrict PHI disclosure if: (1) the disclosure is for the purpose of payment or health care operations; (2) the disclosure is not required by law; and (3) the PHI relates only to a health care item or service that has already been paid in full by a source other than the plan.
The Privacy Rule generally permits individuals to request access to their PHI. Within 30 days after receiving such a request, plans must either grant such access or provide a written explanation of why access is being denied. Previously, plans that did not maintain PHI on-site had 60 days to respond to such requests. The final regulations require plans to respond within the 30-day period. In addition, if a plan maintains the PHI in electronic form and an individual requests an electronic copy, the plan must provide the PHI in the form and format requested by the individual if it is readily producible in that form and format. If the PHI is not readily producible in the requested form and format, the plan must provide the PHI in a readable electronic form and format that is acceptable to the individual. Finally, if an individual requests in writing that the plan provide his or her PHI directly to another person, the plan must comply with the request if it is signed by the individual and identifies the designated individual and where to send the PHI.
Breach Notification. HITECH requires plans to provide notification to affected individuals, HHS and, in some cases, the media following the discovery of a breach of unsecured PHI. The final regulations make the following changes regarding breach notifications:
- The term "breach" is now defined so that an impermissible use or disclosure of PHI is presumed to be a breach, unless the plan or business associate demonstrates that there is a low probability that PHI has actually been compromised.
- The risk assessment to determine if breach notification is required now focuses on the probability of whether the PHI has been compromised instead of the risk of harm posed by the breach. If the plan or business associate can demonstrate that there is a low probability that PHI has been compromised, breach notification is not required. (Under the proposed regulations, breach notification was not required if a plan or business associate could demonstrate that the breach presented no risk of significant harm to individuals.)
- Risk assessments must evaluate: (1) the nature and extent of PHI involved; (2) the unauthorized person who used PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been
Compliance Date. The official effective date of the final regulations is March 26, 2013. However, health plans and their business associates have until September 23, 2013, to comply with applicable provisions. Existing BAAs may remain in effect without revision until either the contract is up for renewal or until September 23, 2014, whichever is earlier.
Action Steps for Health Plans. In response to the final regulations, health plans should promptly:
- Review their HIPAA policies and procedures and revise them as necessary to ensure compliance by the applicable date.
- Review and revise Privacy Notices to ensure that they accurately describe their policies and procedures regarding privacy practices, including any required changes made by the final regulations.
- Review BAAs to determine the required revision date.
- strategies to train front-line staff on implementing the
- Review HIPAA training and education materials and update as required.