The long-awaited final Health Insurance Portability and Accountability Act (HIPAA) regulations released by the U.S. Department of Health and Human Services (HHS) in January become effective on March 26. According to the HHS, the regulations represent “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” The regulations are based on changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA).
New provisions
Although the new regs primarily affect the healthcare community, there are some things that employers sponsoring HIPAA-covered plans need to consider:
- Privacy notice updates. The final regulations require several updates to the privacy notice required under the HIPAA privacy rule.
- Business associates. The new regulations change HIPAA rules by (1) expanding the definition of a business associate to include subcontractors and (2) altering what business associate agreements must contain.
- Breach notification requirements. The final regulations provide that an acquisition, access, use, or disclosure of protected health information (PHI) in an impermissible manner is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that PHI has been compromised based on a risk assessment of at least four factors set out in the regulations.
Other provisions and deadlines
The new regulations make other changes as well. For example, they increase penalties for noncompliance with HIPAA rules. They also expand individuals’ rights in several ways (e.g., by allowing patients to ask for an electronic copy of their medical records and setting new limits on how individuals’ information is used and disclosed for fundraising and marketing reasons).
The new regulations become effective on March 26, and covered entities and business associates generally must comply with the applicable requirements by September 23, 2013.