
On January 17, 2013, the Department of Health and Human Services released final regulations which provided sweeping changes to the rules under privacy, security, enforcement, and breach notification requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic Health (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). “Covered entities”, as defined by these regulations, must implement the new revisions by September 23, 2013, unless otherwise stated.

Below is an overview of the required revisions and changes.

Business Associates (BAs)

The definition of a BA has been clarified and updated to include those who create, receive, maintain or transmit Private Health Information (PHI) on behalf of a covered entity (whether or not there is a contract for services).

Also, HIPAA BA provisions will now apply to subcontractors of BAs under certain circumstances. Group health plans are not required to enter into Business Associate Agreements (BAAs) with the subcontractors, but the BAA must be revised to contain protective provisions.

BAs are now directly liable for complying with certain HIPAA privacy and security rules that were previously required for group health plans only.

Employer Action: Revise existing BAAs to include the above revised provisions and other revised notices.

Notice of Privacy Practices (NPP)

The NPP must be amended to include four additional revisions/provisions: (1) use and disclosure of psychotherapy notes, (2) an individual’s right to receive notification of breaches of his/her unsecured PHI, (3) a statement prohibiting the use or disclosure of genetic PHI for underwriting purposes, and (4) a statement regarding an individual’s right to opt out of receiving fundraising communications.

Employer Action: For group health plans that post the NPP on their websites, post the changes or revised notice by September 23, 2013, and issue the revised notice to all covered individuals in the next annual mailing (i.e. open enrollment communications).

Breach Notification

The definition of a breach has been changed and the previously used “risk of harm standard” has been replaced. The new rule states that, unless one of the enumerated exceptions is applicable, an unauthorized use or disclosure of PHI is presumed to be a breach. These changes clarify what constitutes a breach.

The breach notice requirements have been revised with regard to notification to the Department of Health and Human Services, BAs, printing costs for media notices, and the time period within which notices must be released.

Employer Action: Revise the HIPAA Privacy and Security Policies and Procedures to include the above provisions.

Use and Disclosure of PHI

Several specific uses and disclosures of PHI have been added/clarified including for marketing purposes, fundraising purposes, sale of PHI and others.

Employer Action: Revise the HIPAA Privacy and Security Policies and Procedures to include the specific uses and disclosures.

Changes to Individual Rights

An individual’s right to access PHI held by a group health plan has been revised to include access to electronic PHI. The new regulations also provide guidance on the turn-around time allowed, procedural revisions, and how much can be charged for such requests.

Processes surrounding an individual’s request to restrict disclosure of PHI have been revised regarding interaction with health providers and pending payment.

Employer Action: Revise the HIPAA Privacy and Security Policies and Procedures to include the revised provisions surrounding individual rights.

Penalties – Consequences of Noncompliance

The consequences of noncompliance have been significantly increased for covered entities and BAs.

Covered entities and BAs will be liable under federal common law for the acts of their agents.

Assessment of penalties will be left to fact-specific analyses and the DHHS’s discretion. Four categories of HIPAA violations with four tiers of monetary penalties have been identified ranging from $100 to $50,000 per violation. The application of penalties will be assessed based on the extent of the violation. For example, a breach that affects multiple individuals will be punished based on the number of individuals affected. Willful neglect will result in increased penalty amounts.

Employer Action: Revise the HIPAA Privacy and Security Policies and Procedures to include the above provisions.

GINA Implementation

Genetic information will be considered health information for purposes of the HIPAA privacy and security rules and will therefore be subject to HIPAA privacy and security requirements. All health plans subject to HIPAA are prohibited from using or disclosing PHI that is genetic information for underwriting purposes (except with issuers of long-term care (LTC) insurance policies).

Employer Action: Revise the HIPAA Privacy and Security Policies and Procedures and the Notice of Privacy Practices to include the above provisions.
