March 26 marked the official date on which the HITECH Final Rule became effective. Published in the Federal Register on January 25, 2013, the Final Rule (also known as the Omnibus Rule) adds modifications to the Privacy, Security, Enforcement, and Breach Notification Rules under HITECH and HIPAA. Covered entities and business associates of all sizes will have until September 23, 2013 to come into compliance with most of the Final Rule’s provisions. The following are some of the highlighted changes in the Final Rule.
As was made clear since the inception of HITECH in 2009, the most significant changes involve business associates who are now directly subject to the mandates of the HIPAA Privacy and Security Rules and HIPAA enforcement. The Final Rule expands HIPAA's coverage to directly regulate business associates and other "downstream" entities. The Final Rule explains that the expansion of the definition of business associate to include subcontractors was necessary to ensure privacy and security protections for PHI do not lapse when a business associate delegates authority to and shares PHI with a subcontractor. This expansion will likely be significant to businesses that are steps down the ladder from the covered entity that may not even know they are receiving PHI, such as document disposal or document storage companies. Also, business associates are now required to enter into agreements with their subcontractors. The Final Rule further clarifies that agreements between a business associate and a subcontractor must contain the same requirements as the BA agreement between the covered entity and the business associate.
One of the biggest changes for both covered entities and business associates is that HHS now has a substantial amount of discretion in calculating a compliance penalty. Many of these penalty changes have been driven by recent health data breaches. Specifically, HHS now has greater discretion to impose substantial penalties, which has already resulted in six- and seven-figure penalties or settlements.
Also highlighted in the Final Rule is the burden shift in data breach notification. Prior to the Final Rule, unauthorized disclosure of PHI didn’t trigger breach notification requirements unless the unauthorized conduct posed a “significant risk of financial, reputational or other harm.” The Final Rule has changed this threshold to where an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.
Marketing and fundraising activities have also been impacted. Prior to HITECH, certain communications, including health-related communications, were excluded from the definition of marketing. The Final Rule dramatically changes the definition of marketing by requiring authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party. Regarding fundraising, the HIPAA Privacy Rule previously required that a covered entity make reasonable efforts to ensure individuals who opt-out do not receive further communications. The Final Rule toughens that standard by making any further fundraising communications with a person who has opted out a violation of the HIPAA Privacy Rule. A covered entity also is now required to include in each fundraising communication a clear and conspicuous opportunity for the individual to whom the PHI relates to opt out of receiving further fundraising communications.
Finally, running parallel with the Final Rule is the Department of Health and Human Services’ HIPAA Audit Program, which has recently completed its pilot phase of auditing 115 randomly selected covered entities. The Audit Program is mandated under HITECH, and HHS plans to make it a permanent fixture in the area of HIPAA and HITECH compliance. A final report on what HHS has learned and seen during the pilot phase will likely be released in the future. Notably, HHS has indicated that every covered entity and business associate is eligible for an audit.
As we anticipate audits becoming more common in the future, SmithAmundsen is in the process of rolling out its own HIPAA/HITECH Audit Evaluation and Compliance Service for covered entities and business associates of any size. The goal of this service is to evaluate a client’s HIPAA/HITECH policies and procedures and provide recommendations where necessary to bring the covered entity or business associate up to compliance with the law.