The Department of Health & Human Services (HHS) released its biggest set of modifications to the HIPAA privacy and security rules with the January 17 unveiling of its long-awaited “HIPAA mega rule.”
The final omnibus rule enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law, according to an HHS press release. The rule is enforceable starting September 24.
Some of the biggest changes include the elimination of the “harm threshold” provision from the breach notification rule and holding third-party subcontractors who use and disclose PHI accountable to HIPAA rules and penalties.
Stiffer requirements for BAs
Effective September 24, subcontractors of business associates (BAs) who use and disclose PHI on behalf of the BA (or of a direct subcontractor of the BA) are now BAs by definition and will be subject to civil penalties, compliance requirements, etc., according to Chris Apgar, CISSP, CEO & president of Apgar & Associates, LLC, of Portland, OR.
Apgar also notes that BAs, covered entities and now those subcontractors of BAs who use and disclose PHI on behalf of BAs must update business associate contracts within 180 days from the date the rule is published in the Federal Register (January 25).
Before the HIPAA mega rule, if a healthcare provider contracted with a BA who handled its PHI, and that BA in turn hired a subcontractor who also used or disclosed PHI, that subcontractor was not subject to HIPAA rules.
As the final rule puts it, the previous provisions allowed “privacy and security protections for protected health information (PHI) to lapse once a subcontractor is enlisted to assist in performing a function, activity, or service for the covered entity, while at the same time potentially allowing certain primary business associates to avoid liability altogether for the protection of the information the covered entity has entrusted to the business associate.”
HHS noted in its press release this week that some of the largest breaches reported to HHS have involved BAs. In fact, the top three all included BAs:
- TRICARE Management Activity and BA Science Application International Corporation, 4.9 million patients, September 13, 2011
- Health Net, Inc. and BA IBM, 1.9 million patients, January 21, 2011
- New York City Health & Hospitals Corporation’s North Bronx Healthcare Network and BA GRM Information Management Systems, 1.7 million patients, December 23, 2010
Harm threshold lifted
Under HHS’ interim final rule on breach notification, covered entities and BAs could avoid notifying patients of a breach if they themselves determined that the use or disclosure in question did not pose significant harm to the individual.
However, in the final rule released this week, HHS calls for covered entities and BAs to assess the probability that the PHI has been compromised instead of assessing the risk of harm to the individual.
In determining a breach, entities must conduct a risk assessment that considers at least the following factors:
- The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
“We believe that the use of these factors … will result in a more objective evaluation of the risk to the protected health information and a more uniform application of the rule,” according to the final rule.
The final rule also includes an expansion of individual rights by:
- Allowing patients to ask for a copy of their electronic medical record in an electronic form
- Giving individuals who pay by cash authority to instruct their provider not to share information about their treatment with their health plan
- Setting new limits on how information is used and disclosed for marketing and fundraising purposes
- Prohibiting the sale of an individual’s health information without their permission
The final rule is a requirement of the HITECH Act, a provision of ARRA signed into law in February of 2009. It called for strengthened privacy and security provisions.
The final rule is formally titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.” It is this rule that lifted the “harm threshold.”
HHS originally sent the mega rule to the Office of Management & Budget in March of 2012.