HIPAA Deadline Looms: September 23, 2013
The Omnibus HIPAA rulemaking published January 25, 2013 ("Omnibus Rule") will become effective for most purposes on September 23, 2013. The Omnibus rule changes compliance obligations for covered entities and directly extends them to business associates. The following highlights 10 key changes:
- Notices of Privacy Practices. The Omnibus Rule creates "material changes" to a covered entity's policies and procedures. Revised notices therefore must be published. Covered entities with Web sites must prominently display the revised notice on the site, and electronic versions of the revised notice must be made available. Revised notices also must be posted prominently and written copies made available at points of service. At a minimum, revised notices will reflect changes to policies and procedures concerning breach notification, disclosures requiring authorization, the right to opt out of fundraising activities, and the right to restrict disclosures to health plans about care paid for out of pocket.
- Breach Notification. Absent existing exceptions, unauthorized use, access to or disclosure of PHI creates a presumption that a data breach has occurred and that notification must be provided to subject individuals. This presumption may be overcome only by a documented determination of a low probability that the PHI at issue has been compromised. Harm to the individual or others is no longer required for a breach to occur or notification obligations to arise.
- Business Associates. Business associates are now directly subject to most of the HIPAA privacy rule and all of the operative sections of the security rule. The class of business associates also has grown to include entities that "maintain" PHI, such as storage facilities or cloud service providers. Business associate agreements must now exact a promise to comply with the security rule, to provide notification of a data breach, and to require a written agreement with subcontractors that receive PHI that is at least as demanding as the agreement between business associate and covered entity.
- Individual Access. Covered entities must provide access to electronic PHI in digital form either to the subject individual or to a designated third party. The covered entity must make electronic PHI available in the format requested if it is readily producible by the covered entity. If the requested format is not readily producible, then an agreed format must be negotiated. Electronic PHI must be made available within 30 days; an extension of time is not allowed.
- Restriction on Disclosure. Unless otherwise required by law, a covered entity must agree to a request not to disclose PHI to a health plan if the PHI concerns care paid for entirely out of pocket by the individual.
- Immunizations. Disclosures to schools of student immunization no longer require written authorization, although oral or written parental consent must be obtained.
- Sale of PHI. Written authorization to sell PHI must be obtained, absent an exception. A sale results either from direct or indirect remuneration in exchange for PHI, and the authorization must recite the fact of the remuneration to the covered entity.
- Marketing. Written authorization is required for marketing activity for which the covered entity receives remuneration. The authorization must recite the fact of the remuneration to the covered entity.
- Decedents. PHI may be disclosed as appropriate to friends and family who were involved in the care or payment for care of a deceased individual. Protection of a decedent's PHI ends after 50 years.
- Fundraising. Covered entities may use and disclose individuals' demographic information and dates of care for fundraising purposes so long as fundraising material includes information about how an individual can opt out of further fundraising communications. The requirements for opting must be simple and easy, like an e-mail or toll-free phone call. Requiring the individual to write a letter is considered too burdensome.
For further information or questions regarding HIPAA deadlines please contact the Schwabe attorney with whom you work or Kelly Hagan at 503-796-2423 or firstname.lastname@example.org.