HIPAA mega rule breakdown

HCPRO Website, January 25, 2013

The Department of Health & Human Services (HHS) released its biggest set of modifications to the HIPAA privacy and security rules with the January 17 unveiling of its long-awaited “HIPAA mega rule.” 

The final omnibus rule enhances a patient’s privacy protections, gives individuals new rights to their health information, and strengthens the government’s ability to enforce the law, according to an HHS press release. The rule is enforceable starting September 24.

Some of the biggest changes include the elimination of the “harm threshold” provision from the breach notification rule and holding third-party subcontractors who use and disclose PHI accountable to HIPAA rules and penalties.

Stiffer requirements for BAs

Effective September 24, subcontractors of business associates (BAs) who use and disclose PHI on behalf of the BA (or of the BA’s direct subcontractor) are now BAs by definition and will be subject to civil penalties, compliance requirements, etc., according to Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC, of Portland, OR.

Apgar also notes that BAs, covered entities, and now those subcontractors of BAs who use and disclose PHI on behalf of BAs must update business associate contracts within 180 days from the date the rule is published in the Federal Register (January 25).

Before the HIPAA mega rule, if a healthcare provider contracted with a BA who handled the PHI, and that BA in turn hired a subcontractor who also used or disclosed PHI, that subcontractor would not be subject to HIPAA rules.

As the final rule puts it, the previous provisions allowed “privacy and security protections for protected health information (PHI) to lapse once a subcontractor is enlisted to assist in performing a function, activity, or service for the covered entity, while at the same time potentially allowing certain primary business associates to avoid liability altogether for the protection of the information the covered entity has entrusted to the business associate.”

HHS noted in its press release this week that some of the largest breaches reported to HHS have involved BAs. In fact, the top three all included BAs:

  1. TRICARE Management Activity and BA Science Application International Corporation, 4.9 million patients, September 13, 2011
  2. Health Net, Inc. and BA IBM, 1.9 million patients, January 21, 2011
  3. New York City Health & Hospitals Corporation’s North Bronx Healthcare Network and BA GRM Information Management Systems, 1.7 million patients, December 23, 2010
