On January 17, 2013, the Department of Health and Human Services (“HHS”) announced the issuance of the final rule (the “Rule”) arising from the Health Information Technology for Economic and Clinical Health Act (“HITECH”). The Rule is scheduled to be published in the Federal Register on January 25, 2013.
The Rule implements changes made to the HIPAA Privacy and Security Rules by HITECH, plus additional changes. The long-awaited Rule covers several different aspects of HIPAA compliance that will impact every covered entity and business associate. The Rule will become effective March 26, 2013, and compliance will be required 180 days later on September 23, 2013.
The Rule covers a broad range of topics, including the following highlights:
- Expanding HIPAA’s enforcement provisions, including the application of penalties against business associates; increasing the penalty cap to $1.5 million depending on level of culpability, plus providing examples of violations that fall into the different penalty levels; and imposing vicarious liability based on “agency” principles
- Extending certain Privacy and Security Rule requirements to business associates, such as the Security Rule requirements to adopt administrative, technical and physical safeguards for electronic protected health information (“PHI”)
- Clarifying the reporting obligations for security incidents and breaches by subcontractors, business associates and covered entities
- Clarifying the new limitations on the use and disclosure of PHI for marketing
- Making it easier to disclose immunization records to schools
- Clarifying an individual’s right to access their PHI in the form and format requested by the individual (if it is readily producible in that form or format) and receive an accounting of disclosures of their PHI from an electronic medical record
- Clarifying an individual’s right to obtain restrictions on disclosures of PHI to health plans for services paid out-of-pocket in full
- Streamlining an individual’s ability to authorize the use of their information for research purposes
The Director of the HHS Office for Civil Rights (“OCR”), Leon Rodriguez, was quoted as saying the Rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Mr. Rodriguez also specifically noted that the Rule will strengthen OCR’s ability to “vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Over the next several weeks, we will publish a series of alerts summarizing the various components of the Rule as part of our HIPAA Impact Series. Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. Our HIPAA Impact Series may be accessed at:
www.hallrender.com/impact.
The pre-publication version of the Rule may be accessed at:
https://www.federalregister.gov/public-inspection.
If you need additional information about HIPAA/HITECH, please contact Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com, Elizabeth Callahan-Morris at (248) 457-7854 or ecallahan@hallrender.com or your regular Hall Render attorney.
