On January 17, 2013, the Department of Health and Human Services (HHS) issued its final rules governing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification. The regulations significantly change some provisions of the existing rules. “Covered Entities” and “Business Associates” must comply with these new provisions by September 2013.

The new rules will require changes to the notice of privacy practices as well as changes to HIPAA policies and procedures. The direct liability of business associates under HIPAA has now been cemented in place. In addition, covered entities and business associates face new risks from unauthorized disclosures. 

The final rule defines breach to mean the improper acquisition, access, use, or disclosure of protected health information “which compromises the security or privacy of the protected health information.” Under the existing rules, notification rests upon a “significant risk of financial, reputational, or other harm to the individual.” The final rule presumes that any impermissible use or disclosure is a breach that compromises the security or privacy of the information. The covered entity or business associate must demonstrate that there is a low probability that the PHI has been “compromised” and that notification is unnecessary. Worried that the existing standard was too subjective, HHS will now require an assessment focused on whether unauthorized recipients have accessed or had the opportunity to access PHI, rather than on the risk of harm to an individual.

A summary of these final rules will be posted later.

In responding to concerns about the cost of revising notices of privacy practices, HHS minimizes the regulatory impact but also clarifies how existing and future notices should be made available. Here is their commentary on the matter:

“In response to several comments expressing concern about printing costs for new [Notices of Privacy Practices – NPP], we clarify that providers are not required to print and hand out a revised NPP to all individuals seeking treatment; providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them. Providers are only required to give a copy of the NPP to, and obtain a good faith acknowledgment of receipt from, new patients. As a result, we do not believe that the current requirement is overly burdensome to providers, nor is it overly costly.

We also clarify that while health care providers are required to post the NPP in a clear and prominent location at the delivery site, providers may post a summary of the notice in such a location as long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. It would not be appropriate, however, to require the individual to have to ask the receptionist for a copy of the full NPP.

To the extent that some covered entities have already revised their NPPs in response to the enactment of the HITECH Act or State law requirements, we clarify that as long as a covered entity’s current NPP is consistent with this final rule and individuals have been informed of all material revisions made to the NPP, the covered entity is not required to revise and distribute another NPP upon publication of this final rule.

Finally, we note that to the extent a covered entity is required to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the revised NPP or notice of material changes to the NPP available in alternate formats, such as Braille, large print, or audio.”