On January 18, 2013, nearly 3 years after its initial proposed rule, the US Department of Health and Human Services (HHS) issued the long-awaited and much-anticipated HIPAA “omnibus” rule, extending the scope of the privacy law beyond providers to their business associates and subcontractors and adding increased penalties. Regulated entities must be in compliance with the new rules by September 22, 2013, although covered entities and business associates will have up to 1 year after the 180-day compliance date to modify existing contracts to comply with these revised rules. Oncology practices should begin examining their policies now to ensure a seamless transition to these new rules.
Among the most dramatic changes to existing law is that HIPAA’s privacy and security requirements will now directly apply to business associates. Business associates will now include health information organizations, e-prescribing gateways, other entities that provide data transmission services for covered entities and that require access on a routine basis, entities that offer a personal health record to individuals on behalf of a covered entity, and subcontractors. Penalties for noncompliance will range depending on the degree of culpability, including the number of individuals affected and whether there is a history of noncompliance.
Central to the new regulations (which total a whopping 563 pages) is the sharing of patient-protected health information (PHI). Patients are given new control over their PHI, including allowing patients to request a copy of their electronic medical record in an electronic format and permitting patients to instruct their provider not to share information about treatment with their health plan when the individual pays for that care out of pocket.
In addition, the final rule expands the definition of a “breach” under HIPAA, thus eliminating the “harm” standard, which previously allowed entities to avoid breach notification if they could demonstrate that the breach posed no significant risk of harm to the individual. Under the new rule, any impermissible use or disclosure of PHI is presumed a breach, unless a low probability that information has been compromised can be demonstrated.
Oncology practices are now tasked with the arduous effort of implementing what the HHS is calling “the most sweeping changes to the HIPAA privacy and security rules since they were first implemented.”
Ross D. Margulies, JD, MPH, is an Associate at Foley Hoag, LLP, Washington, DC.
Jayson Slotnik, JD, MPH, is a Partner, Health Policy Strategies, LLC, Washington, DC.