February 4, 2013

More than two years in the making, the long-awaited final changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were published by the United States Department of Health and Human Services (HHS) on January 25, 2013 in the Federal Register. The revisions will become effective on March 26, 2013. In most cases, compliance with the final rules is required by September 23, 2013. Health care attorneys say one of the most significant changes will impact outside entities and vendors who provide services to health care providers.

“Substantial changes to the HIPAA regulations haven’t been made since their enactment in 2003, and much has changed in the area of information technology since then. Many of these changes address the health care sector’s transition in order to appropriately protect such electronic health information,” said Erin Fleming Dunlap, a health care attorney with Polsinelli Shughart.

The modifications affect HIPAA covered entities and business associates. Perhaps most significantly, the new rules impose direct liability on persons and entities that are business associates of covered entities and require business associates to comply with certain sections of HIPAA to which they were not previously bound.

“The changes open up a lot of questions including ‘What does a lost laptop mean for health care today, and who really owns my health care information?’” said Polsinelli Shughart Health Care Chair Matt Murer. “Health care security creates new challenges and headaches for providers already facing big challenges.”

Prior to the new rules, many entities that contract with or provide services to covered entities were already considered business associates including billing companies, accountants, and even attorneys. The new rules expand the definition of a business associate to now include entities that maintain but do not access protected health information, as well as subcontractors of business associates. This expansion could trigger the inclusion of those who provide cloud-computing services or record storage services to health care entities and other types of related businesses who previously were not obligated to comply with the current HIPAA rules.

“One of the first, crucial steps health plans and health care providers should undertake is to review arrangements with any third-party person or entity that creates, receives, maintains or transmits protected information on its behalf, to determine if they meet the new definition of a business associate,” Dunlap said. “Businesses that contract with health care providers or health plans to provide services for such entities are also going to need to determine whether or not they are business associates, and therefore obligated to comply with HIPAA.”

Among other modifications, the final rule:

1. Changed the breach notification rule to presume impermissible uses or disclosures of protected information constitute a “breach” requiring notification, unless the covered entity can prove otherwise using a four-factor objective standard.
2. Modified certain requirements related to using protected health information for marketing and research purposes, and placed restrictions on the sale of protected health information.
3. Modified certain obligations of a covered entity related to an individual’s rights with respect to his or her health information.
4. Implemented tiered civil money penalties for violation of HIPAA rules.

The bolstering of the civil-money penalties which HHS may impose for violations of the HIPAA rules, particularly those for noncompliance due to willful neglect, is another important change. The new rules remove some of the discretion HHS previously had, and now require HHS to impose fines.

In the final rules, HHS clarified how it will calculate and apply the tiered penalties. These clarifications, coupled with a recent up-tick in HIPAA rule enforcement activity, indicate that now is the time for entities to fully understand and ensure compliance with their obligations under the HIPAA rules, including the new changes.

“From a fine perspective, occurrences of non-compliance with the HIPAA rules have the potential to get expensive very quickly,” said Rebecca Frigy, a health care attorney with Polsinelli Shughart. “For example, the new rules clarified that if there is an event of noncompliance that affects multiple individuals, the number of HIPAA violations for which fines may be levied will be based on the number of individuals affected. If a breach affects 1,000 individuals, it will be viewed as 1,000 instances of non-compliance which may be fined.”

“Further, if an instance of non-compliance is on-going over a period of time, each day will be considered a separate instance of non-compliance,” Frigy said.

The civil-money penalties that can be imposed for each violation range anywhere from $100 to $50,000, depending on the entity’s level of culpability, the nature and extent of the violation, the resulting harm, an entity’s prior history of offenses or compliance, the financial condition of the entity, and other factors that may be considered relevant. The new rules also include penalty caps of $1.5 million for violations of identical provisions within the same calendar year.

“Covered entities and business associates need to take the necessary steps to ensure compliance by September 23, 2013,” Dunlap said. “Now is the time to start reviewing internal forms, revising policies and procedures, and making the necessary changes to comply with these rules. This isn’t something that can be put into place overnight and the consequences for noncompliance can be daunting.”

Polsinelli attorneys Erin Fleming Dunlap, Rebecca Frigy and Tom O'Donnell are excellent sources for further information on this topic, including sharing the legal perspectives on the following changes to the HIPAA rules:

What do covered entities and business associates need to do to comply with the final rules and why?
Changes affecting who is a business associate and new business associate obligations.
Modifications to the breach notification rule.
Changes to the privacy rule related to marketing, fundraising, research and the sales of protected health information.
Changes to the privacy rule related to patients’ rights.

About Polsinelli Shughart

With more than 600 attorneys, Polsinelli Shughart is a national law firm and a recognized leader in the areas of health care, financial services, real estate, life sciences and technology, energy and business litigation. Serving corporate, institutional and individual clients, our attorneys build enduring relationships by providing practical, business-driven legal advice with a commitment to helping clients achieve their objectives. The firm can be found online at Polsinelli Shughart PC. In California, Polsinelli Shughart LLP.