January 18, 2013
OCR Releases Final HIPAA Regulations
The Office of Civil Rights has released the text of the long-anticipated final Health Insurance Portability and Accountability Act (“HIPAA”) regulations, which are scheduled to be published in the Federal Register on January 25, 2013. The regulations take effect on March 26, 2013, giving covered entities and business associates until September 23, 2013 to comply.
One of the highly anticipated provisions in the final regulations relates to breach notification. This final rule replaces the interim rule for HIPAA breach notification, originally published on August 24, 2009. Under the 2009 rule, a “breach” only included those impermissible uses or disclosures of protected health information that posed a significant risk of financial, reputational, or other harm to the individual. This was often referred to as the “risk of harm” threshold. The final rule removes the risk of harm threshold from the definition of a breach.
Under the new rules, an impermissible use or disclosure of protected health information is presumed to be a “breach” unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised. That demonstration is made through a documented risk assessment establishing the low probability of compromise.
The risk assessment must consider the following four factors: 1) the nature and extent of protected health information involved, including the types of identifiers and likelihood of re-identification; 2) the unauthorized person who used the protected health information or to whom the disclosure was made; 3) whether the protected health information was actually acquired or viewed; and 4) the extent to which the risk to the protected health information has been mitigated. If the risk assessment fails to demonstrate there is low probability that the information has been compromised, breach notification to the individual, HHS, and, in some circumstances, media is required.
HIPAA Privacy and Security Changes
The final regulations also implement numerous additional changes to HIPAA required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Of greatest significance is the direct application of HIPAA Privacy and Security requirements to business associates. Under these changes, the HIPAA Privacy and Security regulations and associated penalties apply to business associates as if they were covered entities.
Additionally, the final HIPAA regulations modify several definitions including minimum necessary, marketing, electronic media, and business associate. They require revision of notice of privacy practices and business associate agreements in addition to policies and procedures. The regulations implement the new penalty structure established under HITECH and provide clarification of the levels of intent and factors to be considered by OCR when assessing penalties.
Expectations of Covered Entities and Business Associates
The publication of these final regulations has started the clock on compliance for covered entities and business associates. It is necessary for these organizations to:
Watch for future client alerts from Lathrop Gage discussing detailed requirements under these regulations.
© 2019 Lathrop Gage LLP, all rights reserved.
Lathrop Gage LLP, 2345 Grand Blvd., Suite 2200, Kansas City, MO 64108.
The information contained in this document is provided to alert you to legal developments and should not be considered legal advice. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop Gage shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.