Tick, Tock: Less than 60 Days to Comply with Updated Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Rules
There are now less than 60 days left for covered entities and business associates to implement provisions set forth in the final omnibus HIPAA/HITECH rules issued by the U.S. Department of Health and Human Services (HHS) in January 2013. Preparation will require updating of applicable policies, procedures, and training by September 23, 2013. Business associate agreements (BAAs) entered into on or after January 25, 2013 must also be updated by September 23, 2013. Given increased enforcement activity and breach risk, many covered entities are updating BAAs executed before January 25, 2013 now, prior to the later deadline of September 22, 2014. In addition, all of the Security Rule and most of the Privacy Rule will now apply directly to business associates, requiring them to implement appropriate administrative and security safeguards. Those same requirements must also be applied to subcontractors. Among the most impactful of the changes was HHS’s decision to lower the standard for breach notification by eliminating the “harm threshold”. Now, rather than weighing the potential harm to the individual to determine if notification is required, unless one of the three narrow exceptions to the rules apply or the covered entity completes the required risk assessment to demonstrate a “low probability” of risk that the information was actually compromised, there will be a presumption of breach. The result of this lowered standard will be an increase in breach notifications, so covered entities should scrutinize applicable terms in their BAAs, update their incident response procedures, and consider appropriate insurance to address potential costs.