Numerous Privacy Rule Changes Will Impact Operations, Forms, Policies and Procedures.However, covered entities and business associates generally will want to incorporate additional protections not included in the HHS form. HHS has posted a sample revised business associate agreement (available here). Furthermore, business associates and covered entities generally will need to revise business associate agreement forms and renegotiate existing business associate agreements (subject to the grandfathering provisions noted below, which extend the deadline to September 23, 2014, for certain existing agreements). As a result, business associates need to ensure they have effective HIPAA compliance programs in place. The Final Rule also modifies the requirements for the content of business associate agreements. Among other things, the revised definition treats certain subcontractors of the business associate as direct business associates, with all the same compliance obligations and liability exposures. The Final Rule implements numerous changes extending direct liability for HIPAA compliance to business associates, and affirms that covered entities and business associates are generally liable for acts of business associate “agents.” It also expands the definition of business associates. Significant Impact on Business Associates Business Associate Agreements Need to Be Revised.In addition, breach notification policies, procedures and protocols will need to be revised.
As a result, affected entities should make a concerted effort to encrypt PHI, since HIPAA breach notification requirements do not apply to PHI that has been encrypted in accordance with HHS guidance. These changes are likely to increase breach notifications.
The Final Rule requires entities to consider at least four “objective” factors in conducting their risk assessments. Under the Final Rule, any impermissible use or disclosure of protected health information (PHI) is presumed to be a breach requiring notification, unless the covered entity or business associate demonstrates through a risk assessment that there is a “low probability that the PHI has been compromised” or unless an exception applies. The Final Rule eliminates the “significant risk of harm” threshold for breach notification.
The Final Rule represents a material development in the area of health care privacy, and has important operational consequences for covered entities and business associates. On January 25, 2013, the Department of Health and Human Services (HHS) published the highly anticipated Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule (the “Final Rule”).
0 kommentar(er)
