Much of the long-awaited final rule, authorized under the HITECH Act, is quite similar to proposed rules and interim final rules issued during 2009 and 2010 covering privacy, security, breaches and enforcement.
A major change in the final rule is in the breach notification section, where the “harm threshold,” a subjective measure of determining whether a breach has or could cause significant harm to one or more individuals and must be reported, has been replaced with a more objective risk assessment process to determine if protected information has been compromised.
The final rule is available here in a prepublication format that totals 563 pages. It will be published in the Federal Register on Jan. 25 in a shorter form, but it remains a long rule that will take time to understand and interpret. The rule has an effective date of March 26, 2013, and a compliance date of Sept. 23, 2013.
Covered entities have one year from the compliance date, 18 months total from the effective date, to modify business associate agreements to match new requirements.
Provisions in the final rule include:
* Setting a four-tier financial penalty structure for breaches deemed serious enough to warrant a federally imposed penalty. Based on culpability, fines range from $100 to $50,000 per violation, with a $1.5 million cap on violations of an identical provision within a calendar year.
* Making business associates and subcontractors comply with HIPAA rules in the same manner covered entities must; making BAs and subcontractors directly liable for HIPAA violations--even if a BA failed to enter into a formal contract with a subcontractor--and making covered entities and business associates legally liable for the acts of their business associates. The BA for a business associate would be a subcontractor. The BA--not the covered entity--is responsible for having a subcontractor appropriately safeguard information, but the covered entity is responsible for the BA’s actions.
* Expanding the definition of business associates to include patient safety organizations, health information organizations, e-prescribing gateways, providers of data transmission services that carry protected health information to a covered entity and require routine access to PHI, and personal health record vendors offering PHRs to individuals on behalf of a covered entity. PHRs offered directly only to individuals are not covered.
* Clarifying that PHI stored in photocopiers, faxes and other office equipment that retain data, whether intentionally or not, is subject to the privacy and security rules, and PHI should be wiped before a device is removed from the office.
* Applying to business associates the minimum necessary standard when using or disclosing PHI, or when requesting PHI from another covered entity or business associate.
* Enabling patients to ask for a copy of their electronic medical record in an electronic form, with fees charged not greater than labor costs.
* Enabling patients paying with cash to instruct providers not to make information about their treatment available to insurers. Separate or segregated records are not required, but some type of flag or other notification of the restriction in the record is necessary.
* Enabling patients to easily opt out of receiving fundraising and marketing solicitations.
* Prohibiting the sale of an individual’s health information without their express consent, with exemptions when the information is used for public health activities or research purposes.