About HIPAA Changes for 2013

The Final Rule on Breach Notification for Unsecured Protected Health Information goes into effect on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.

This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule. Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.

1. Individuals’ Right to Restrict Disclosures; Right of Access

A covered entity is required to provide a copy of PHI to any individual requesting it in electronic form. The electronic format must be provided to the individual if it is readily producible. Covered entities must provide individuals only with an electronic copy of their PHI, not direct access to their electronic health record systems.

The 2013 amendments give individuals the right to direct a covered entity to transmit an electronic copy of PHI to an entity or person designated by the individual. Furthermore, the amendments restrict the fees that covered entities may charge for handling and reproduction of PHI: fees must be reasonable and cost-based, and must separately identify the labor for copying PHI (if any).

The 2013 amendments shorten the timeliness requirement for the right of access from the 90 days currently permitted to 30 days, with a one-time extension of 30 additional days.

2. Must Provide Notification of Breach

HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.

The new language is consistent with the language in § 164.414, which provides that covered entities and business associates have to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.

The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.

3. Data Encryption is Recommended

Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, remember that the penalty would have been avoided if the data had been encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST). It is strongly suggested that you encrypt data at rest and portable data such as laptops and flash drives.

4. Notice of Privacy Practice Must Change

HHS indicated that a simple statement in the Notice of Privacy Practice that an individual has a right to or will receive notifications of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.

5. Business Associate Rules Have Changed

Under HITECH, business associates are now civilly and criminally liable for violations of these provisions. The definition of a business associate includes entities that create, receive, maintain or transmit PHI through electronic means, such as health information organizations (“HIOs”); vendors of personal health records; and others that facilitate data transmission. As HHS explains, the business associate definition now applies to an entity that “maintains” PHI (in addition to creating, receiving or transmitting it)—i.e., an entity that accesses PHI “on a routine basis.” There is an exception for a “conduit” of PHI, i.e., an entity that provides mere courier or transmission services (in digital or hard form). Only an “opportunity to access” PHI is needed to implicate HIPAA. Specifically, HHS noted that entities that “manage” the exchange of PHI through a network, including oversight or governance functions for the electronic HIO, fall within the purview of HIPAA because they have more than random access to PHI. Whether or not they actually view PHI is not the key question. HHS stated that this area is evolving and that additional guidance will be provided in the future as the areas of healthcare information technology and exchanges develop.

6. Inclusion of Subcontractors

The final rule applies the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”

HHS also updated the definition of a subcontractor to reflect “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” In other words, a subcontractor is a person to whom a business associate has delegated a function, activity, or service that the business associate has agreed to perform for a covered entity or another business associate.

HHS has built in another year of cushion for covered entities to update their business associate agreements, so the new documents must be fully executed no later than September 23, 2014. Covered entities must obtain satisfactory assurances from their business associates, in writing, that the HIPAA requirements are being met. Business associates must likewise receive satisfactory assurances from their subcontractors, no matter how far down the chain the information flows.

7. Communicate to Your Business Associates What They Need to Know

Business associates are now directly liable under the HIPAA Rules for the following:

  1. impermissible uses and disclosures;

  2. failure to provide breach notification to the covered entity;

  3. failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the agreement);

  4. failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;

  5. failure to provide an accounting of disclosures;

  6. failure to comply with the requirements of the Security Rule.

In addition:

  7. Business associates remain contractually liable for the other requirements of the business associate agreement.

  8. Business associates will also have to comply with the new requirements for notification of breaches.

  9. Business associates need to evaluate their subcontractors.

In conclusion,

This information is provided to keep you updated regarding these important changes.
Please consult an attorney for clarification, and for more information please visit:

Good luck and best wishes for a prosperous 2013!

Carol A. Mapp, LCSW

About the Author

At Therapist 2 Go we create organization and information management tools for psychotherapists that are straightforward and easy to use. We believe that forms do not have to be complicated to be functional and efficient and to capture the client information that you need to provide effective therapeutic treatment. Our goal is to help you run an efficient, profitable business, allowing you to spend more time focused on the therapeutic process and less time on routine administrative tasks.