What the New HIPAA Regulations Mean for You

February 5, 2013
Harter Secrest & Emery LLP

The burdens imposed by HIPAA regulations, already daunting, have just become even more onerous. But they cannot be ignored.

On January 25, 2013, the new HIPAA final “omnibus” regulations (the “Regulations”) were published in the Federal Register. These Regulations require the most sweeping HIPAA compliance changes since the HIPAA Security Rules were effective in 2005. Among other things, the new Regulations provide that:

  • Covered Entities (including providers and health plans) are required to modify and redistribute the Covered Entity’s Notice of Privacy Practices/Privacy Notice;
  • Business Associates are directly liable for compliance with certain portions of both the HIPAA Privacy and Security Rules, which will require modifications to existing business associate agreements, and the adoption of standards regarding Business Associates who subcontract part of their services to other organizations;
  • The breach notification requirements for unsecured protected health information which have been in place for a few years have been modified to replace the “harm” threshold for notification with a more objective standard in which breach notification is necessary in all situations except where there is a demonstration of a “low probability” that the protected health information has been compromised (or a specific HIPAA exception applies);
  • Individuals now have specific rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
  • The limitations regarding the use and disclosure of protected health information for fundraising and marketing purposes have been enhanced, including strengthened limitations on the sale of protected health information without individual authorization;
  • The Regulations adopt the changes to the HIPAA Enforcement Rules to incorporate the increased civil monetary penalties for HIPAA violations, which in some cases may reach $1.5 million per violation;
  • The HIPAA Privacy Rules have been modified to incorporate provisions of the federal Genetic Information Nondiscrimination Act (“GINA”), which prohibits most health plans from using or disclosing genetic information for underwriting purposes; and
  • The Regulations have been modified in order to foster research activities, facilitate the disclosure of child immunization records to schools, and to enable access to decedent information to family members.

With some exceptions—pertaining mainly to business associate agreements—all Covered Entities and Business Associates must comply with these Regulations by September 23, 2013.

Because the new HIPAA regulations are incredibly voluminous, this summary is only intended to provide an overview of some important elements. HSE’s Health Care attorneys welcome the opportunity to help you and your organization comply with these new Regulations. Please contact any member of HSE’s Health Care Practice Group at (585) 232-6500.