Saturday, January 19, 2013

Updated HIPAA Final Rule Issued

As some readers may know, the Author holds an LLM in healthcare law and has spent much of his legal and professional career as a healthcare attorney and HIPAA Privacy, Security and Transactional Standards Consultant. He even knows what HIPAA stands for.

In fact, the Author spent almost five years with HIPAA as his primary focus.

The Author may be showing his age, but remember back to Garrett Morris on the original SNL cast and his English-challenged baseball player character, Chico Escuela. Chico had a signature line, "Baseball... been berra berra good... to me."

So, for what it is worth, "HIPAA been berra berra good... to me."

Below is an article from the American Health Lawyers Association and the Author gives full credit to the AHLA for the content.

If anyone has any questions about the rule, please contact the Author. But give him some time to wade through a few of the 563 pages. Reading all 563 pages of regulations and comments is his penance for spending five years of his meagre life on one freakin' law.

HIPAA Final Omnibus Rule: More Protections for Patients, Expanded Liability for Covered Entities and Business Associates
By Trish Markus
On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services (OCR) issued its long-awaited final rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, enforcement, and breach notification rules pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act. To be published in the Federal Register on January 25, the final rule becomes effective on March 26, 2013, and compliance will be required by September 23, 2013.
At 563 pages, the final rule addresses four major topics:
  1. Revisions to numerous provisions of the HIPAA privacy and security rules (and conforming changes to the HIPAA enforcement rule);
  2. Substantial revisions to the HIPAA enforcement rule incorporating the HITECH Act's increased civil monetary penalty tiered structure;
  3. Significant revisions to the breach notification rule; and
  4. Modifications to the HIPAA privacy rule required by the Genetic Information Nondiscrimination Act.
A few highlights of the final rule include:
  • Until the September 23, 2013 compliance date, covered entities and business associates must comply with the breach notification requirements of the HITECH Act in accordance with the interim final rule.
  • The determination whether breach notification is required has moved from a subjective analysis focusing on the risk of harm to the individual to a more objective assessment focusing on the risk that the personal health information (PHI) was compromised. The final rule effectively shifts the burden of proof to the covered entity or business associate: on and after September 23, 2013, an impermissible use or disclosure of PHI will be presumed to be a breach, unless the disclosing covered entity or business associate demonstrates there is a low probability that the PHI was compromised. Under this new standard, breach notification is required only if it is determined that the probability of compromise is higher than "low." This determination should be evaluated based upon:
    • The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the information may be re-identified;
    • The unauthorized person who impermissibly used the PHI or to whom the PHI was impermissibly disclosed;
    • Whether the PHI was actually accessed or viewed; and
    • The extent to which the recipient, if a covered entity or business associate, took appropriate action to mitigate the breach.
  • A covered entity now may combine individuals' conditioned and unconditioned authorizations for research into a single authorization, so long as the authorization specifies which research components are conditioned and which are unconditioned and clearly permits individuals to opt in to the unconditioned research activities.
  • Research authorizations no longer need be study-specific; rather, they now may be used for future research, so long as the authorization describes such research purposes sufficiently to allow the individual to reasonably expect that his or her PHI might be used or disclosed for future research.
The final rule also:
  • Makes business associates and subcontractors who use PHI in performing duties for covered entities and business associates directly liable for complying with many of the HIPAA privacy and security rule requirements;
  • Confirms that a covered entity or business associate is liable for violations due to the acts or omissions of an agent acting within the scope of agency, and notes that the federal common law of agency is the standard for determining the covered entity's or business associate's responsibility; and
  • Provides that most health plans may not use genetic information for underwriting purposes.
