The New 2013 HIPAA Regulations and You, Part 1: A Summary
Written by: Cindy Monak-Gagnon, RN, Clinical Designer & Peter Arbuthnot, Regulatory Analyst
March 26 is noted for a few things in history. It marks the development of the first polio vaccine, the 1956 premiere of comedian Red Buttons on television, and the birthday of playwright Tennessee Williams. But for health care operators, March 26, 2013 has now taken on a much more important meaning, with the advent of several new HIPAA privacy regulations under its published Final Rule -- and a countdown toward a September 24 deadline to implement many of them.
Three of the key changes you need to be aware of include the need for revised Business Associate Agreements, a stronger Breach Notification Rule with stricter enforcement requirements discussed in detail in a separate blog article, and a new Notice of Privacy Practices requirement. These and other new HIPAA rules usher in a new era for providers, and this blog will break down what some of the key ones mean for you.
New Business Associate Agreements: Know Your Partners
Under the new rules, the definition of a Business Associate has been expanded. From now on, the inherent privacy obligations of a Business Associate has expanded to include its subcontractors, no matter how far the chain of PHI extends, as well as organizations that maintain or access PHI on a routine basis. This does not mean that a covered entity must have agreements with subcontractors at all levels; however, it does mean that it must have agreements with each of its subcontractors, and business associates must in turn do the same with its subcontractors.
This is one regulation where an exception exists to the six-month requirement for implementation. If you have existing Business Associate Agreements prior to January 25, 2013, these contracts may continue to be honored until they expire or renew, or until September 24, 2014, whichever comes first.
Breach Notification Rules and Enforcement
The 2013 HIPAA regulations also usher in a higher standard for breaches of PHI, along with stiffer enforcement. Before this rule, there was no presumption of a breach unless there was significant risk present but now the burden is on the facility to show that there is a low probability of harm based on a ‘risk assessment.’ This is an important rule change, the details and ramifications of which are discussed in a separate blog (link).
New Notice of Privacy Practices
Is it OK to take a picture of a resident and post it on your Facebook page? Is it OK to leave your work computer in the back seat of your car? How do you deal with the proliferation of mobile devices in your organization? The nature of healthcare privacy has changed over the last several years, and now under the new 2013 regulations, your Notice of Privacy Practices (NPP) must change to address key situations involving access to PHI.
New policies should include allowing or disallowing access to descendents and allowing private pay residents to block disclosures. Take the opportunity to train staff again about protected health information, about using mobile devices in the work environment, and about protecting shared data. And if you don’t have a social media policy yet, you had best get one.
What This Means for You
This is far from a complete summary of the new 2013 regulations, which also touch on areas ranging from the sale of PHI to new limits on PHI for deceased individuals: you can obtain more detail on the Final Rule from the US Health and Human Services website and other sources.
Meanwhile, these new regulations mean that providers need to have their privacy officer examine what they implemented 6 or more years ago and do a gap analysis to see what has changed and what needs to be done to improve on what they already have in place. Are your networks secure? Do you have anti-virus software in place? How complex are your passwords? How often are they changed? Is "data at rest" adequately protected, and are encryption schemes used for data on laptops or mobile devices? The Feds mean business, and there are no more excuses for not understanding the latest HIPAA rules related to Privacy and Security.