Fall 2013
IN THIS ISSUE
d&G Lawyer News
101 E. Kennedy Blvd.,
Suite 2000
Tampa, FL 33602
813-229-2775
2013 HIPAA Law Changes
By: Patrick J. McNamara and Kristin K. Morris
Effective March 26, 2013, the Health Insurance Portability and Accountability Act
("HIPAA") underwent significant changes that affect medical providers, their patients, and their Business
Associates. HIPAA protects patients' protected health information ("PHI") from uses and disclosures
not authorized under the rules. PHI is individually identifiable health information, in any form or medium,
that 1) is created or received by a Covered Entity, 2) relates to an individual's health, the provision of
health care to the individual, or payment for health care, and 3) identifies (or could reasonably be used to
identify) the individual. Covered Entities include health plans (including group health plans), health care
clearinghouses, and health care providers who transmit any health information in electronic form. Covered
Entities must comply with the requirements of HIPAA, and failure to do so results in direct liability under HIPAA.
HIPAA comprises four (4) major rules: the Enforcement Rule, the Security Rule, the Privacy Rule, and the Breach Notification Rule. While the changes were effective March 26, 2013, the compliance deadline is September 23, 2013. This article discusses the most notable changes.
The definition of a "Business Associate" has changed. An important distinction in the new definition is that those who merely transmit PHI (conduits with only transient access to it) are not Business Associates, while those who store or maintain PHI are Business Associates, whether or not they actually view it. Another important change is that the term now includes the subcontractors of a Business Associate. A subcontractor is a person to whom a Business Associate delegates a function, activity, or service, other than as a member of the Business Associate's workforce; a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate is itself a Business Associate. This major change subjects subcontractors of Business Associates to direct liability under HIPAA.
The changes to the Enforcement and Security Rules are not the most noteworthy, but a few of them will have widespread implications. Under the new rule, Covered Entities, Business Associates, and subcontractor Business Associates are liable for the acts of Business Associates who are acting as their agents. The Security Rule now applies directly to the Business Associates of Covered Entities: any Business Associate of a Covered Entity, including a subcontractor Business Associate, must comply with all provisions of the Security Rule, and a Business Associate that fails to do so is directly liable under HIPAA. In addition, a Business Associate of a Covered Entity must enter into a Business Associate Agreement with any subcontractor of that Business Associate. Finally, security incidents, including breaches, must be reported up the chain to the Covered Entity. For example, a subcontractor Business Associate must report a breach to the Business Associate, who in turn must report it to its Covered Entity; the Covered Entity is then responsible for
notifying the proper parties.
The bulk of the changes came to the Privacy Rule provisions, specifically as they relate to Business Associates.
It is important to remember that a person becomes a Business Associate by meeting the definition of a Business
Associate regardless of whether a Business Associate Agreement is in place. A Business Associate is now also directly
liable for certain provisions of the Privacy Rule, including: uses and disclosures of PHI that are not in accord with the
governing Business Associate Agreement or the Privacy Rule; failure to provide breach notification to the Covered Entity;
failure to provide the individual or the Covered Entity with access to electronic PHI; failure to disclose PHI to the
Secretary of Health and Human Services when required; failure to provide an accounting of disclosures; and failure to
comply with the requirements of the Security Rule. Further, Business Associates must comply with the Minimum Necessary
standard: uses, disclosures, and requests of PHI must be limited to the minimum necessary to accomplish the intended
purpose. The final important change in this section is that the requirements in Business Associate Agreements flow down
to subcontractors, and to their subcontractors, however far the chain extends.
The final HIPAA section that underwent significant change is the Breach Notification Section.
The definition of a breach has been modified so that an impermissible use or disclosure
of PHI is now presumed to be a breach, which triggers the Breach Notification requirements, unless
the Covered Entity or Business Associate demonstrates through a Risk Assessment that there
is a low probability that the PHI has been compromised. The Risk Assessment must consider at least the
following four factors: a) the nature and extent of the PHI involved, including the types of identifiers and the
likelihood of re-identification; b) the unauthorized person who used the PHI or to whom it was disclosed; c) whether
the PHI was actually acquired or viewed; and d) the extent to which the risk to the PHI has been mitigated. A Risk
Assessment is only necessary when the Covered Entity or Business Associate believes no notification is required (it
may instead simply choose to notify), and it should be performed as soon as possible after discovery of a potential
breach, because the Breach Notification timeframe remains unchanged.
The implications of the HIPAA changes are great, particularly for law firms and other Business Associates that
were not previously directly liable under HIPAA. Law firms in particular need to take great care to ensure that
their Business Associate Agreements and office policies and procedures reasonably and appropriately protect PHI,
comply with the Minimum Necessary standard, and are adequately equipped to prevent, detect, and respond to any
potential breaches of HIPAA.
This article is just a brief summary of some of the major changes that will affect medical providers, other Covered
Entities, Business Associates, and patients. For a more in-depth analysis, please see the final rule at
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. If you have any questions regarding
the changes to HIPAA, please contact Pat McNamara at pmcnamara@dgfirm.com or Kristin Morris at kmorris@dgfirm.com.