HIPAA ONE YEAR LATER: IS YOUR LAW FIRM COMPLYING?
Vol. 54 No. 3 Pg. 6
New Hampshire Bar Journal
Charla Bizios Stevens and Hannah E. Zaitlin.
Since it was enacted in 1996, discussion and confusion concerning the Health Insurance Portability and Accountability Act ("HIPAA") has been ongoing, but as of late the conversation has shifted to the interpretation and application of the HIPAA final omnibus rule issued by the U.S. Department of Health and Human Services ("HHS") on January 17, 2013 (the "Final Rule"). The Final Rule implemented changes to, and in some instances finalized, HHS rules previously issued pursuant to Subtitle F of Title II of HIPAA, known as the Administrative Simplification ("AS") provisions. The Final Rule reflects mandates under recent legislation including the Health Information Technology for Economic and Clinical Health ("HITECH") Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008, and it has been promoted as enhancing patient privacy protections, providing individuals new rights to their health information, and strengthening the government's authority to enforce HIPAA and HITECH.
Because nearly a year has passed since the compliance date for most provisions of the Final Rule, this article focuses on assisting lawyers and law firms looking to evaluate the sufficiency of their compliance efforts to date. This article also underscores the potential impact of the Final Rule on lawyers and law firms in light of recent enforcement activity by the Office of Civil Rights ("OCR") of HHS, the federal agency charged with enforcement and administration of HIPAA.
To fully appreciate how or if the Final Rule applies to you or your law firm (or, for that matter, your clients), a general understanding of HIPAA and its regulatory regime is in order. As noted above, the regulatory regime arises from the AS provisions which required HHS to establish national standards for electronic healthcare transactions; national identifiers for providers, health insurance plans, and employers; national standards to protect the privacy and security of personal health information; and civil money penalties for violations of the AS. Accordingly, HHS published the Federal Standards for the Privacy of Individually Identifiable Health Information (the "Privacy Rule") in December of 2000 (modified in 2002); the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") in February 2003; the HIPAA Enforcement Rule (the "Enforcement Rule") in February 2006; and interim final regulations for Notification in the Case of Breach of Unsecured Protected Health Information in 2009 (the "Breach Notification Rule"; the Privacy Rule, the Security Rule, the Enforcement Rule, and the Breach Notification Rule, each as modified and/or finalized by the Final Rule, are referred to collectively as the "HIPAA Rules").
The AS provisions and the HIPAA Rules apply to three types of entities, known as "covered entities": healthcare providers who conduct covered transactions electronically, health plans, and health care clearinghouses. A healthcare provider (e.g., physician, chiropractor, dentist, nursing home, pharmacy) is only a "covered entity", and thus required to comply with HIPAA, if it transmits information about covered transactions electronically.
Covered transactions include those in which so-called protected health information ("PHI") is transmitted to carry out financial or administrative activities related to healthcare (e.g., billing, confirmation of coverage). PHI is defined as individually identifiable health information transmitted or maintained in any form or medium (including electronically ("ePHI")), including demographic data, that relates to: (a) an individual's past, present or future physical or mental health or condition, (b) the provision of health care to the individual, or (c) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The overarching objective of the AS provisions and the HIPAA Rules is to require covered entities (which could be an individual or a business entity) to protect the privacy and security of PHI and provide individuals with certain rights with respect to their health information. The Final Rule sought to strengthen these protections and rights by, in pertinent part, significantly expanding the accountability and obligations of certain entities that do business with covered entities: so-called "business associates" and their subcontractors.
Specifically, the HITECH Act and the Final Rule require business associates to comply with the Security Rule. The Final Rule broadened the definition of a "business associate" and implemented Section 13404 of HITECH, which makes certain requirements of the Privacy Rule applicable to business associates and creates direct liability for noncompliance by business associates with regard to those requirements. In contrast, prior to the Final Rule, a business associate's obligations arose solely under the terms of its business associate agreement (a "BAA") with a covered entity, and therefore the business associate was only potentially subject to contractual remedies for breach of the BAA.
The Final Rule also requires updated provisions in BAAs and now requires business associates to have BAAs with their subcontractors. BAAs must provide that the business associate (or subcontractor, as applicable): (1) shall abide by the Security Rule concerning ePHI and applicable provisions of the Privacy Rule; (2) shall report breaches of unsecured PHI to the covered entity (or business associate, as applicable) as required by the Privacy Rule and Breach Notification Rule; (3) shall certify that, if used, a subcontractor will agree to the same requirements that apply to the business associate regarding the handling of protected health information; (4) will terminate a business associate contract...