HIPAA Rules... Finally!
Below is a client alert from our fellow Womble attorney Jill M. Girardeau that I wanted to share with you.
On Thursday, the Office for Civil Rights of the U.S. Department of Health and Human Services released a final rule containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the "Final Rule"). The Final Rule will be published in the Federal Register on January 25, 2013. We are conducting a thorough review of the Final Rule and will provide a comprehensive summary once our review is complete. In the meantime, we thought the following information may be helpful to you.
The Final Rule is effective on March 26, 2013, and Covered Entities and Business Associates must comply with the Final Rule by September 23, 2013.
The Breach Notification Rule has been modified. Until now, an impermissible use or disclosure of Protected Health Information ("PHI") was a Breach only if there was a significant risk of harm. Now, an impermissible use or disclosure of PHI is presumed to be a Breach unless the Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI has been compromised.
A subcontractor of a Business Associate that creates, receives, maintains, or transmits PHI on behalf of the Business Associate is now itself a Business Associate. As a result, these subcontractors are subject to the HIPAA provisions applicable to Business Associates.
A Covered Entity and a Business Associate (and a Business Associate and its subcontractor) may continue to operate under an existing Business Associate Agreement ("BAA") for a certain amount of time if (1) prior to January 25, 2013, the BAA complied with then-current HIPAA rules and (2) the BAA is not renewed or modified from March 26, 2013 until September 23, 2013. If these conditions are met, the parties can operate under the existing BAA until the earlier of (1) the date the BAA is renewed or modified on or after September 23, 2013 or (2) September 22, 2014.
The Final Rule takes a different approach to marketing than the proposed rules from 2010. In short, individual authorization is required for all treatment and health care operations communications if the Covered Entity receives financial remuneration from a third party whose product or service is marketed in the communications.
Stay tuned for a more in-depth analysis of the Final Rule.