HIPAA Final Rule - What's a Covered Entity Supposed to Do?

Part One of a Four Part Series

January 24, 2013
Legal Updates

The HIPAA Final Rule, which will be published in tomorrow's Federal Register, modifies many provisions of the HIPAA regulations.  Although many of these modifications were anticipated, one has caught some by surprise. 

Breach Notification Rule Revision

One of the most significant revisions, and one that some covered entities hoped would not occur, is the elimination of the "significant harm" threshold from the definition of Breach. 

Under the current Breach Notification Rule, covered entities and business associates are required to notify individuals, the Department of Health and Human Services, and, at times, the media, if a Breach of PHI has occurred.  In determining whether a Breach occurred under the current regulations, a covered entity must conduct a risk assessment to determine if the unpermitted use or disclosure creates a significant risk of financial, reputational or other harm to the individual. 

Under the Final Rule, an unpermitted use or disclosure of PHI that does not meet one of the three narrow exceptions is presumed to be a Breach unless the covered entity's risk assessment results in a determination that a low probability exists that the PHI involved was compromised.

This revision is significant because it will result in covered entities making more notifications of Breaches. This has two likely effects.  First, HIPAA compliance costs will necessarily increase as more Breaches are identified and handled.  Second, handling the fallout from a Breach upfront in business associate agreements will receive increased attention.  Covered entities and business associates will need to review, and likely, revise their breach notification policies and risk assessment processes to align with the final rule's requirements. 

In addition to this important revision, the Final Rule expanded two patient rights that covered entities will want to quickly consider and address in order to be in compliance by September 23, 2013.

Right to Request Restrictions

Currently, individuals have the right to request restrictions to the use and disclosure of their PHI.  Covered entities are not currently required to agree to a restriction.  The Final Rule, however, now requires covered entities to agree to restrict disclosures of an individual's PHI to a health plan with respect to any PHI pertaining to items or services for which the individual has paid for in full.  This provision generated much concern in the industry when it was introduced in the July 2010 proposed rules because of its operational difficulties.  The preamble to the Final Rule provides guidance with respect to these difficulties including issues regarding bundled payments and pre-certification requirements. 

Covered entities will need to review their systems and capabilities to create appropriate and reasonable safeguards to enable it to comply with restrictions requested under this expanded patient right.

Right to Receive PHI in an Electronic Form

Under the Final Rule, covered entities that maintain PHI electronically are required to provide individuals with electronic access to PHI as may be requested by the individual if the PHI readily producible in the requested form. 

Covered entities maintaining electronic records will need to review their systems and develop procedures to provide PHI in an electronic form that most individuals will find acceptable.