The “final” privacy regulations (Final Rule) under the Health Insurance Portability and Accountability Act (HIPAA) apply to certain medical data held by health care providers, insurance companies and health plans.
They become effective March 26, and, in general, covered entities and business associates are required to comply by Sept. 23.
Under the Final Rule, “business associates” of health care providers and health plans will be held liable directly under the HIPAA security rules. In general, a business associate is a person or entity performing services for covered entity that involves access to protected health information (PHI). A person or business becomes a business associate by operation of the law. Data storage companies, law firms and other service providers can be considered business associates.
Business associates are liable for, among other things:
• Unlawful uses and disclosures of PHI.
• Failure to provide breach of privacy notifications.
• Failure to provide access to a copy of electronic PHI to the covered entity, the individual, or the individual’s designee.
• Failure to disclose PHI to the Secretary of Health and Human Services in HIPAA investigations.
• Failure to provide an accounting of disclosures.
• Failure to comply with the HIPAA Security Rules.
The Final Rule establishes a legal presumption that impermissible uses and disclosures of PHI are privacy breaches. Covered entities can rebut that presumption by engaging in a risk assessment to determine whether there is a low probability that PHI has been compromised.
A risk assessment must examine at least the following factors:
• The nature and extent of the PHI involved.
• The unauthorized person to whom the disclosure was made.
• Whether the PHI was actually acquired or viewed.
• The extent to which the risk has been mitigated.
If the covered entity cannot demonstrate a low probability of compromise, notification is required.
The penalties for a violation of the privacy and security rules include:
• $100-$50,000 per violation when a entity or business associate “did not know” and, by exercising reasonable diligence, would not have known of a violation.
• $1,000-$50,000 per violation when a violation was due to reasonable cause and not to willful neglect.
• $10,000-$50,000 per violation when the violation was due to willful neglect and was timely corrected.
• At least $50,000 for each violation when the violation was due to willful neglect and was not timely corrected.
Examples of willful neglect include:
• Failure to respond to an individual’s request that it restrict its uses and refusing to accept requests for restrictions from individual patients.
• Loss of an unencrypted laptop that contained health information and deciding not to provide notification in an effort to avoid public relations issues.
It is important to review your current policies, business associate agreements and notifications in order to ensure compliance with these new rules or face potential penalties.
James Mulroy is managing partner of the Memphis office of Jackson Lewis LLP.