DISCLAIMER: This article should not be taken as legal advice; it is instead a basic introduction to some of the changes promulgated in the HIPAA/HITECH final rules.
A significant modification to the existing HIPAA/HITECH rules came into effect on March 26, 2013. Covered Entities have until September 23, 2013 to become compliant with the revised rules. Let’s start with the changes that will have the heaviest impact:
Business Associates are now treated like Covered Entities, and the full force of the HIPAA/HITECH Act applies to them as well. This requires Business Associate Agreements (BAAs) to be updated to reflect the change. BAAs that were already in place before this final rule became effective may be revised within the next 18 months, whereas BAAs for new Business Associates engaged after the effective date must be in place and updated within 6 months (by the September 23, 2013 cut-off date).
Breach Notification standards have been revised. The Harm Standard, as it was commonly known, has been redefined under a new name, “adverse to the individual”. Each potential breach needs to be evaluated or assessed on four factors: 1. what information was breached; 2. to whom the information was released; 3. whether it was actually accessed, used, or disclosed; and 4. what mitigating steps were taken in response to the incident. This standard not only provides guidance on whether a breach is reportable, but also requires CEs to establish a process for assessing the risk of every potential breach. The law requires a proper assessment of each breach incident and does not allow the process to be automatic.
Patients’ Right to Access Their PHI has been modified as well. Patients have the same rights as before, but they may now ask for their PHI (Protected Health Information) to be transmitted to them in an unsecured way, and the CE, after informing the individual of the risk of a privacy breach, may transmit it on the individual’s request. CEs do need to document this discussion for future reference and for their defense in case of an audit or litigation. The important point to note is that this applies only to the individual whose PHI is being transmitted, not to professional exchange of PHI, which must be properly encrypted.
We will continue to post updates to this article highlighting further significant and less significant modifications to the HIPAA/HITECH laws.