On Jan. 25, 2013, the U.S. Health and Human Services Department issued long-awaited omnibus regulations under the Health Insurance Portability and Accountability Act that expand patient-privacy protections and increase the regulatory burdens and associated costs to affected businesses.
HIPAA now extends to business associates. As originally drafted, the law applied only to certain "covered entities" such as health care providers and health plans, including most employee group plans. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act - the HITECH Act - that extended HIPAA to "business associates" of covered entities. These are entities that create, maintain or use patient information to perform services for covered entities.
The new regulations require business associates to put in place specific administrative, physical and technical safeguards to protect patient information. They also extend HIPAA to subcontractors of business associates. Thus, the new rules dramatically expand the circle of HIPAA coverage. Any business that creates, receives or uses patient information on behalf of covered entities or other business associates must comply or face civil penalties.
A covered entity or business associate that violates HIPAA may be fined from $100 to $50,000 per violation. If the entity acts with willful neglect, the Office for Civil Rights must impose a fine of $10,000 to $50,000 per violation. The commentary to the new rules confirms that a single breach may result in multiple violations, thereby increasing the risk to businesses for privacy violations.
The rules also increase the risk of penalties by lowering the standard for reporting breaches to patients and the Health and Human Services Department. Under the former rule, covered entities were not required to report breaches that did not pose a significant risk of harm to the patient. This "no harm, no foul" rule drew criticism from privacy advocates. Under the new rules, a privacy breach is presumed to be reportable unless the covered entity or business associate can demonstrate there is a "low probability that the protected health information has been compromised." This standard will almost certainly result in more reports, increased patient complaints, additional government inquiries and potentially more penalties.
HHS also modified many of the existing rules affecting items such as information about deceased individuals, a patient's right to access information, limits on disclosures to insurance companies, and the sale of patient information. Affected businesses will need to review and modify their existing policies, forms and some contracts to bring them into compliance.
The federal Office of Management and Budget estimates that the total cost to implement the new rules will be between $114 million and $225 million during the first year. Having addressed HIPAA issues regularly, I am confident that the government's estimates are grossly understated.
Fortunately, Health and Human Services has given covered entities and business associates an extra 180 days - until Sept. 23, 2013 - to comply with most of the new rules. Between now and then, businesses should carefully consider whether and in what capacity they might receive patient information and how they will comply with the new rules.