The HIPAA / HITECH omnibus rule published in the Federal Register late last week includes a number of changes that will require action by employers, health plans, and business associates in the coming months.  The new requirements take effect on March 26, although group health plans and business associates have until September 23, 2013, to comply with most of the new requirements. 

Covington’s InsidePrivacy blog has described key aspects of the final rule in a series of recent posts.  Of particular interest to employers, group health plans, and business associates, the final rule:

  • Expands the definition of “business associate” to include an entity that “creates, receives, maintains, or transmits” protected health information (“PHI”), even if the entity does not actually view the PHI but just stores or maintains it.  See InsidePrivacy HITECH Update #7.
  • Imposes a number of new obligations on business associates, such as compliance with the Security Rule with regard to electronic PHI, direct liability for certain failures to follow the Privacy Rule, and new requirements to report breaches to HHS.  See InsidePrivacy HITECH Update #7.
  • Requires business associates to enter into business associate agreements with their subcontractors, and imposes other new restrictions on subcontractors.  See InsidePrivacy HITECH Update #7.
  • Requires covered entities and business associates to update new and existing business associate agreements to reflect the new obligations.  See InsidePrivacy HITECH Update #6.
  • Expands the circumstances in which the impermissible use or disclosure of PHI constitutes a “breach” that requires a breach notification.  See InsidePrivacy HITECH Update #3.
  • Finalizes changes in the Privacy Rule prohibiting the use or disclosure of genetic information for underwriting purposes.  See InsidePrivacy HITECH Update #2.
  • Requires changes in a health plan’s notice of privacy practices to reflect the restrictions on use of genetic information and other new requirements.  See InsidePrivacy HITECH Update #2.

The final rule also leaves some significant issues for future rulemaking.  For example, the rule requires a business associate that uses or discloses PHI, or requests PHI from another covered entity, to limit the PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request.   HHS stated that it intends to offer further guidance on this “minimum necessary” standard.

Employers will need to review and revise the business associate agreements and notices of privacy practices for their group health plans to reflect the new requirements.  Employers should also review their health privacy and security procedures to make sure the procedures are sufficient to safeguard PHI and avoid the significant civil penalties for HIPAA violations.