Which Law Made Significant Changes to Provisions in the HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) has undergone significant changes over the years. The Health Information Technology for Economic and Clinical Health Act (HITECH) made substantial changes to HIPAA provisions.

HITECH increased the penalties for non-compliance with HIPAA regulations, making it a more serious offense. The law also introduced new requirements for business associates, who are now directly liable for HIPAA compliance.

The HITECH Act strengthened HIPAA's provisions, particularly in terms of data breach notification and security measures. This includes the requirement for covered entities to notify affected individuals in the event of a data breach.

The HITECH Act also introduced new rules for the use and disclosure of protected health information (PHI), including the requirement for written business associate agreements.

HIPAA Changes

The Genetic Information Nondiscrimination Act of 2008 made significant changes to provisions in the HIPAA Privacy Rule. The Final Rule explicitly incorporates "genetic information" into the definition of PHI and prohibits all health plans that are covered entities from using or disclosing genetic information for underwriting purposes.


The Final Rule also modifies the requirements for authorizations related to research, allowing a covered entity to combine conditioned and unconditioned authorizations as long as the authorization clearly differentiates between the two and allows the individual to opt in to the unconditioned research activities.

Business associates are now explicitly defined to include entities that provide data transmission services, entities that offer personal health records, and subcontractors, and they are directly liable for failing to comply with certain provisions. These include failing to comply with a business associate agreement, failing to provide PHI to the Secretary upon demand, and failing to provide an electronic copy of PHI to an individual or covered entity.

The Final Rule makes significant changes to requirements regarding covered entities' Notice of Privacy Practices, including the need to include statements about uses and disclosures that require authorization, fundraising communications, and the individual's right to restrict certain disclosures of PHI to a health plan.


Associate Relationship Changes


As part of the HIPAA changes, the business associate relationship has undergone significant revisions. The Final Rule explicitly expands the definition of business associates to include Health Information Organizations, E-prescribing Gateways, and other entities that provide data transmission services for covered entities.

Business associates are now required to comply with certain Security Rule requirements, and direct liability applies to them for failing to do so. This means that business associates can be held accountable for their actions, just like covered entities.

The Final Rule provides for a one-year transition period, during which covered entities and business associates can continue to operate under certain existing contracts. This gives everyone some breathing room to adapt to the new rules.

Here are some specific provisions that create direct liability for business associates:

  • Complying with the terms of a business associate agreement related to the use and disclosure of Protected Health Information (PHI);
  • Providing PHI to the Secretary upon demand;
  • Making an electronic copy of PHI available to an individual (or covered entity) in response to an individual's request for an electronic copy of PHI;
  • Making reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
  • Entering into business associate agreements with subcontractors that create or receive PHI on their behalf.

These changes are designed to strengthen the business associate relationship and ensure that PHI is handled securely and in accordance with HIPAA regulations.

2013 HIPAA Overview


The 2013 HIPAA Amendments were a significant update to the original Health Insurance Portability and Accountability Act of 1996. They went into effect on March 26, 2013.

The amendments were a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. This led to a number of sweeping changes to the HIPAA Rules.

One of the key changes was the expansion of the definition of a business associate to include their subcontractors that handle protected health information (PHI). This means that business associates are now directly subject to HIPAA with respect to the Security Rule.

The 2013 Amendments also implemented the Genetic Information Nondiscrimination Act of 2008 (GINA) by including genetic information in the HIPAA definition of health information. This prohibits health insurance issuers from using genetic information for underwriting purposes, with the exception of long-term care policies.

Industry-wide costs for first-year compliance with the 2013 Amendments are estimated at between $115 million and $225 million, although industry analysts anticipate real costs to be substantially higher.


Penalties and Liability


Penalties and liability have increased significantly under the 2013 Amendments. The maximum penalty for all violations of an identical provision in a calendar year is $1.5 million.

The Office for Civil Rights (OCR) assesses penalties based on several factors, including the nature and extent of the violation, the harm resulting from the violation, and the history of prior compliance. Because separate provisions can be violated by a single incident, these factors can result in total penalties higher than the $1.5 million per-provision limit.

A security breach, for example, could constitute both an impermissible use/disclosure and a violation of the requirement to institute appropriate safeguards, resulting in possible penalties of up to $3 million. The OCR also considers the financial condition of the covered entity or business associate when determining penalties.

Here's a breakdown of the penalty categories:

Covered entities and business associates are strongly encouraged to review the 2013 Amendments and begin working to achieve compliance with applicable provisions to mitigate statutory liability risks.

Civil Monetary Liability


Civil monetary liability for HIPAA violations is a serious concern for covered entities and business associates. The 2013 Amendments significantly increased potential fines for these violations.

Penalties for HIPAA violations are assessed based on a tiered system, with increasing fines for more severe offenses. The system includes four categories: Did Not Know, Reasonable Cause, Willful Neglect-Corrected, and Willful Neglect-Not Corrected.

Here's a breakdown of the penalties for each category:

In determining the amount of penalty, the Secretary will consider factors such as the nature of the claims, the circumstances under which they were presented, the degree of culpability, and the financial condition of the person presenting the claims.

Basis for Liability

Under the 2013 Amendments, a formal investigation is required if a preliminary review indicates a possible violation due to willful neglect.

The preliminary review only needs to show a "possible" instance of willful neglect, not a "probable" one; this lower threshold is a key point to keep in mind.


OCR retains the discretion to decide whether to conduct a formal investigation, even if the preliminary review indicates a degree of culpability less than willful neglect.

Covered entities and business associates are now liable for the acts of their business associates who are deemed to be their agents. This is a significant change in the law.

Contractual provisions will no longer control in determining liability, as OCR justifies its interpretation under the federal common law of agency.

Breach and Notification

The HITECH Act made significant changes to the provisions of HIPAA, particularly with regard to breach and notification. The Final Rule expanded the definition of "breach" to cover any impermissible use or disclosure of PHI, which is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability that the information has been compromised.

The risk assessment is central to determining whether a breach occurred. It weighs the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.


If a breach occurs, covered entities are required to notify each affected individual whose unsecured PHI has been compromised. This notification must be provided in a timely manner, and the covered entity bears the ultimate burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach.

Here are the key factors to consider in a risk assessment:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed;
  • The extent to which the risk to the PHI has been mitigated.

If the breach involves more than 500 persons, OCR must be notified in accordance with instructions posted on its website. Covered entities must maintain supporting documentation, including documentation pertaining to the risk assessment, to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach.

Right to Restrict Disclosures; Right of Access

The 2013 Amendments made some significant changes to the right to restrict disclosures and access to PHI. Covered entities are now required to restrict the disclosure of PHI about an individual to a health plan, upon request, if the disclosure is for payment or healthcare operations and is not required by law.


This restriction only applies to PHI that pertains solely to a healthcare item or service for which the individual has paid the covered entity in full. Covered healthcare providers don't need to create separate medical records or segregate PHI, but they must flag or note restrictions to prevent accidental disclosure.

Covered entities must provide a copy of PHI to individuals requesting it, in electronic form if it's readily producible. This means you can request your electronic health records from your healthcare provider, and they must provide them to you in a format you can understand.

You also have the right to direct your healthcare provider to transmit an electronic copy of your PHI to another entity or person you designate. This can be a family member, a friend, or even a personal health advocate.

Covered entities can't charge excessive fees for handling and reproducing PHI. The fees must be reasonable, cost-based, and separate the labor costs for copying PHI from other costs. This means you won't be hit with surprise fees when you request your medical records.

Finally, the 2013 Amendments have tightened up the timeline for accessing your PHI. Covered entities must provide access within 30 days, with a one-time extension of 30 additional days. This means you'll have faster access to your medical records, which can be a big help when you need to make informed decisions about your care.

Compliance and Deadlines


The compliance deadline for business associates was September 26, 2013.

Covered entities and business associates, including their subcontractors, had to ensure compliance by this date. This included entering into written agreements. There was an exception for those with preexisting agreements prior to January 25, 2013. These parties were deemed compliant until the earlier of the date their agreement was renewed or modified, or September 24, 2014.


Extending Requirements to Subcontractors

The Final Rule explicitly includes subcontractors of business associates as business associates themselves.

This means that subcontractors are subject to the same requirements as business associates.

Subcontractors are defined as any person or entity delegated a function, activity, or service by a business associate.

Business associates must enter into agreements with subcontractors that meet the requirements for business associate agreements.

Covered entities and business associates can continue to operate under certain existing contracts for a one-year transition period.

This transition period is intended to alleviate the administrative burden of implementing the revised business associate agreement provisions.


Compliance Deadlines


Compliance deadlines matter for every regulated organization, so it is essential to understand which specific deadlines apply to yours.

Covered entities and business associates must ensure compliance by September 26, 2013, including entering into written agreements.

This deadline applies to all business associates, including their subcontractors, who must also comply with the regulations.

However, there is an exception for covered entities and business associates that had preexisting business associate agreements prior to January 25, 2013.

In such cases, if the agreement is not renewed or modified prior to September 23, 2013, then the parties are deemed compliant until the earlier of the date that the agreement is renewed or modified, or September 24, 2014.


Sale and Disclosure

The 2013 Amendments made significant changes to provisions in HIPAA, particularly when it comes to the sale and disclosure of Protected Health Information (PHI).

A key change was the prohibition on any disclosure of PHI in exchange for remuneration by a covered entity or business associate without the individual's authorization. Remuneration includes both financial and nonfinancial benefits.


The 2013 Amendments define "sale of PHI" broadly to mean any disclosure where the covered entity or business associate receives remuneration in exchange for the PHI. This broad scope applies to both financial and nonfinancial benefits.

Covered entities and business associates must obtain an individual's valid authorization for any disclosure of PHI that will result in remuneration. The authorization must explicitly state that the disclosure will result in remuneration.

There are several exceptions to this general authorization requirement, including disclosures for public health, treatment and payment purposes, and sale and merger transactions.

Here are some key exceptions to the prohibition on receiving remuneration for the disclosure of PHI:

  • For public health purposes;
  • For certain research purposes;
  • For treatment and payment purposes;
  • That are related to sale, transfer and merger activity;
  • For business associate activities (that are otherwise in compliance with the Privacy Rule);
  • To individuals when requested;
  • As required by law;
  • That otherwise fit into the requirements of the Privacy Rule.

Research Authorization Changes

The Final Rule made significant changes to the HIPAA provisions on research authorizations, which is welcome news for researchers and healthcare providers.

The Final Rule allows a covered entity to combine conditioned and unconditioned authorizations for research as long as the authorization clearly differentiates between the two components.


This means that researchers can now use a single authorization for multiple studies, making the process more efficient.

The authorization must clearly allow the individual the option to opt in to the unconditioned research activities, giving them more control over their data.

In the past, research authorizations had to be study-specific, but the Final Rule has modified this interpretation.

This change will help reduce administrative burdens and make it easier for researchers to conduct studies.

Notice of Privacy Practices Requirements

The Final Rule made significant changes to the requirements for Notices of Privacy Practices. Covered entities must now include certain statements in their Notice of Privacy Practices, such as those regarding uses and disclosures that require authorization.

A statement about fundraising communications and an individual's right to opt out of receiving such communications is also required. This means that covered entities must inform individuals about their right to decline receiving fundraising communications.

Covered entities must also provide information about an individual's right to restrict certain disclosures of Protected Health Information (PHI) to a health plan where the individual pays out of pocket in full for the health care item or service. This requirement only applies to health care providers.


A statement of an affected individual's right to be notified following a breach of unsecured PHI is also a required part of the Notice of Privacy Practices. This ensures that individuals are informed about their rights in the event of a breach.

Here are the required statements in a Notice of Privacy Practices:

  • Certain statements regarding uses and disclosures that require authorization;
  • A statement about fundraising communications and an individual's right to opt out;
  • Information about an individual's right to restrict certain disclosures of PHI to a health plan;
  • A statement of an affected individual's right to be notified following a breach of unsecured PHI.

Key Dates and Takeaways

The Final Rule is effective on June 25, 2024. Compliance with the majority of its provisions will be required by December 23, 2024. This is a significant deadline for many organizations to ensure they are in compliance with the new regulations.

Changes to NPP requirements, on the other hand, have a longer compliance date of February 16, 2026. This is to align with the compliance date of recent Part 2 changes, which is also February 16, 2026.

Key Dates

The Final Rule is effective on June 25, 2024, which is a crucial date to mark in your calendar.


Compliance with the majority of its provisions will be required by December 23, 2024, so be sure to get started on those preparations.

Changes to NPP requirements have a compliance date of February 16, 2026, which is a bit later than the rest, but still important to keep in mind.

Takeaways

Regulated entities must now be aware of when information requests implicate reproductive health care, as these requests may trigger the New Prohibition and other requirements under the Final Rule.

The Final Rule has significant implications for patients, health care providers, and other regulated entities that maintain information related to reproductive health care.

Regulated entities need to review their policies and procedures to ensure compliance with the New Prohibition and other changes made in the Final Rule.
