On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying the HIPAA privacy, security, enforcement, and breach notification rules. The final rule became effective on March 26, 2013, and providers have just over a month left to comply with the new rule.  Compliance is required by September 23, 2013.

Changes to Breach Identification

Under the old standard, a reportable breach was an unauthorized use or disclosure of PHI that posed a significant risk of financial, reputational or other harm to the affected individual. Under the new standard, all unauthorized uses and disclosures of PHI are presumed to be reportable breaches unless, following a risk assessment, it is determined that there is a low probability that the PHI has been compromised.

Previously, we recommended including the following factors in breach risk assessments:

  1. the type and amount of PHI disclosed;
  2. to whom the PHI was disclosed; and
  3. the risk of further disclosure.

Now, the new “objective” standard requires assessment of:

  1. the nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
  2. the unauthorized person who used the PHI or to whom the PHI was disclosed;
  3. whether the PHI was actually acquired or viewed; and
  4. the extent to which the risk to the PHI has been mitigated.

While these factors are similar to those that may have been assessed under prior risk of harm analyses, their increased importance and the presumption of a breach under the new rule could have a significant impact on breach reporting.  Accordingly, covered entities and business associates should review their breach notification policies and procedures prior to the September 23, 2013 compliance date to ensure they are consistent with these changes.

Changes to the Definition of Business Associate

The new definition of business associate covers health information organizations, personal health record vendors, subcontractors of the business associate and individuals or entities that create, receive, maintain or transmit PHI for a covered entity. Significantly, this definition now includes subcontractors of business associates and entities that maintain PHI. So, whereas before there was no such thing as a business associate of a business associate, under the new rule, business associates who subcontract out functions involving PHI will need to enter into business associate agreements with those subcontractors. Further, based on the addition of the word “maintain” to the definition, covered entities can now require off-site records storage facilities or cloud storage providers, who maintain PHI, to sign business associate agreements.

The rule also provides that business associates may only use or disclose PHI in the same manner as covered entities under the Privacy Rule and are and that Business
Associates are directly responsible for breach notification and compliance with the Security Rule.

HHS/OCR has published a form business associate agreement incorporating the new HIPAA regulations here. Covered entities should compare their templates to the new form. Business associates should require applicable subcontractors to sign business associate agreements that track the new form and address the terms of the business associate agreement with the covered entity.

Next week, we will be exploring the Omnibus Rule changes to the marketing and sale of PHI.

In case you missed it, here is the first installment in the series:

HIPAA: Are you up to date?