New HIPAA/HITECH Rules: 180 Day Countdown

Last week marked the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights' comprehensive modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (“the Rules”). The arrival of the effective date commences the 180-day period for covered entities to come into compliance with most of the Rules’ requirements.

The Rules and the HHS commentary are lengthy and complex.  In this post, we offer a detailed look at the Rules’ key changes that are likely to affect most covered entities.  We also discuss several additional requirements that will mostly affect covered health care providers and some non-covered entities.  To help organizations devise a compliance strategy, the blog post also suggests action items, where appropriate.

Key Dates:

  • March 26, 2013:  The Rules became effective.
  • September 23, 2013:  Covered entities must comply with most of the new Rules’ provisions.
  • September 25, 2013:  Disclosures of PHI become subject to the new restrictions on sale of PHI.
  • September 22, 2014:  Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors.

While the Rules in some respects represent a major departure from the existing HIPAA and HITECH requirements, many of the new provisions accept without change the requirements that the HHS had previously proposed in the interim final HITECH Breach Notification Rule, in October 2009, and in the proposed Privacy, Security and Enforcement Rules updates in July 2010 (the “Interim Rules”). Entities that have aligned their practices with the Interim Rules will, therefore, have fewer changes to implement.

Overview of the New Rules

The changes that the Rules bring for most organizations include:

  • The expansion of the definition of Business Associates to include subcontractors that access PHI;
  • The imposition of direct liability under the Rules on Business Associates for compliance with certain HIPAA Privacy and Security Rule requirements;
  • Additional and revised provisions that covered entities and Business Associates must include in their BAAs, and a requirement for all existing BAAs to comply with the new Rules by September 22, 2014;
  • Additional disclosures in covered entities’ HIPAA Privacy Notices, including informing individuals of their right to be notified of breaches of their PHI;
  • Substantial lowering of the threshold for notification of affected individuals in the event of a breach of PHI, and a requirement to conduct a documented risk assessment in the event notification is not provided in reliance on the harm threshold; and
  • An expansion of individuals’ rights to access their PHI.

Several other significant changes are primarily relevant to covered health care providers and certain non-covered third parties.  These changes include:

  • Individuals’ enhanced ability to restrict disclosures of certain PHI; this revision affects mostly covered health care providers;
  • Restrictions on the circumstances in which adherence programs can be conducted without individuals’ authorization; these changes are most relevant to pharmacies and adherence communications providers and their service providers, and non-covered organizations that sponsor adherence communications; and
  • Clarification of the circumstances in which providers of patient health record portals are subject to HIPAA; these requirements primarily concern covered and non-covered portal owners, sponsors and operators.


New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline By Boris Segalis on

ASA Clarifies EHR Program Rules

By Justin Vaughn, M.Div, CPC  12/7/2012

Recently, the ASA published a set of frequently asked questions (hereinafter, FAQ) regarding anesthesiologists and the EHR Incentive Program; and, in so doing, has finally put to rest some nagging questions I had submitted to the society over the preceding weeks. As we earlier reported, the Final Rule for Stage 2 of Meaningful Use contained a codicil exempting anesthesiologists from the program’s penalties over a 5-year period. This was good news, but the wording of the Rule raised a few questions:

  • Was the exemption automatic or would the anesthesiologist have to file a request?
  • If a request has to be filed, when is the deadline and what is the process for filing?
  • Does the exemption from the penalty automatically exclude the anesthesiologist from participation in the incentive portion of the program?

ASA personnel had informed me that, after consulting with CMS, my questions would be addressed in an upcoming FAQ.  That document is now posted on the ASA website, and contains the following highlights:

  1. The annual exemption from the penalties (which start in 2015) that applies to anesthesiologists is automatic, and is automatically renewed each of the 5 years of the exemption period.  Therefore, you will not have to file for the exemption—as long as anesthesiology is listed as your primary specialty in CMS’s Provider Enrollment, Chain and Ownership System (PECOS).
  2. Having an automatic exemption from the penalty does NOT preclude you from participation in the program.  In other words, you can still attempt to earn the incentive payment even though you are not subject to the penalty.
  3. CMS will audit those attesting to meaningful use (MU), and will not only recoup incentive payments erroneously made, but could impose penalties if willful intent to defraud is demonstrated.  Therefore, do not attest (legally certify) unless you are confident you have indeed met the MU criteria.
  4. For anesthesiologists who practice in multiple locations (some of which may not have EHRs), and who wish to participate in the incentive program, CMS states:

“. . . an EP must have 50 percent or more of his or her outpatient encounters during the EHR reporting period at a practice/location or practices/locations equipped with [certified EHR technology (CEHRT)]. An EP who does not conduct at least 50 percent of their patient encounters in any one practice/location would have to meet the 50 percent threshold through a combination of practices/locations equipped with CEHRT.”

Though the ASA advised in its FAQ that it will neither support nor oppose an anesthesiologist’s decision to participate in the EHR program, the clarifications it elicited from CMS will at least lend a bit more light to those still considering the best course of action for them and their practice.

The information presented herein reflects general information that is current as of the date it was first published.  In light of changes that may occur in the health care regulatory and compliance environments, the author’s presentation of this information might become outdated.  Please check with your individual legal and/or compliance advisor(s) prior to taking any significant actions based upon the information and advice presented.