On January 17, 2013, the U.S. Department of Health and Human Services (“HHS”) released final “omnibus” regulations (the “Final Regulations”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Final Regulations make many significant changes to the privacy, security, and enforcement rules under HIPAA and implement the breach notification rules under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The Final Regulations become effective on March 26, 2013. Covered entities and business associates will generally be required to comply with the Final Regulations by September 23, 2013.
Some highlights of the Final Regulations include the following:
- The Final Regulations change the standard for reporting breaches under the HITECH Act. A violation of the HIPAA rules will be presumed to be a “breach” unless the covered entity (or business associate, as applicable) can demonstrate that there is a low probability that the protected health information (“PHI”) has been compromised.
- Business associates are now required to enter into written agreements with subcontractors to ensure that such subcontractors will appropriately safeguard PHI. “Subcontractors” are entities that perform functions for, or provide services to, a business associate, other than in the capacity as a member of the business associate’s workforce. They are now considered “business associates” under HIPAA and are required to comply with HIPAA’s privacy and security requirements.
- The Final Regulations include required changes to Business Associate Agreements and Notices of Privacy Practices. The Final Regulations provide a grace period until September 2014 for updating existing, HIPAA-compliant Business Associate Agreements.
- The Final Regulations expand individuals’ rights to request electronic copies of their PHI.
- The Final Regulations make changes to the HIPAA rules regarding the sale of PHI and the use of PHI for marketing or fundraising.
We will continue to provide updates regarding the changes made to HIPAA as a result of the Final Regulations. For more information regarding the Final Regulations, and assistance with updating your HIPAA policies and procedures, please contact your SGR Executive Compensation and Employee Benefits Counsel.