DHHS Strengthens HIPAA Privacy and Security Protections
February 21, 2013 | Author: Cathy Deubel Salenko
Law Firm: Best Best & Krieger LLP - Sacramento Office

The US Department of Health and Human Services (DHHS) recently issued a final rule strengthening the health information privacy and security protections established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In a press release, DHHS described the new rule as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." Among other changes, the new rule expands the definition of a "business associate" of a HIPAA covered entity, extends liability for violation of many of HIPAA's requirements directly to business associates, and modifies the rules governing the content of business associate agreements.

Covered entities, business associates and business associate subcontractors should review and update their policies, privacy notices and business associate agreements to ensure compliance with the new rules. The final rule will become effective on March 26, 2013. However, covered entities and business associates will have until September 23, 2013 to come into compliance with most of the final rule's provisions. Existing business associate contracts will be grandfathered through September 22, 2014, subject to certain conditions, and all business associate agreements will need to comply with the new rules by September 22, 2014.

Until now, a business associate was defined as a person or entity, other than a member of a covered entity's workforce, that performs certain functions on behalf of, or provides certain services to, a covered entity involving the use or disclosure of individually identifiable health information. This could include providers of legal, accounting, consulting, management, administrative, or financial services. The expanded definition of a business associate now includes any "subcontractor that creates, receives, maintains or transmits protected health information on behalf of the business associate," no matter how far downstream from the HIPAA covered entity. Thus, both business associates and business associate subcontractors are now potentially subject to penalties for violations of the Privacy or Security Rules, which can be severe. For example, DHHS recently publicized two settlements in excess of $1.5 million each for violations of the Security Rule arising out of the loss of unencrypted portable devices containing protected health information.

Other significant changes to the rules include: a modification to the standard applied in determining whether a breach has occurred; modifications strengthening enforcement and penalty provisions; and a variety of changes governing the use or disclosure of protected health information impacting marketing, fundraising and research, and information concerning immunizations and decedents.