As we’ve discussed in previous articles, and as you are no doubt aware by now, the Health Insurance Portability and Accountability Act (HIPAA) recently received a significant facelift. In addition to extending direct liability to business associates and subcontractors, the updated HIPAA regulations (Updated Regulations), which were authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH), contain many new provisions to address growing privacy concerns for the increasing amount of protected health information (PHI) stored on electronic media. Covered entities and their business associates and subcontractors must comply with the Updated Regulations by September 23, 2013. In order to help you prepare for the September 23, 2013 compliance deadline, this article (1) explains the difference between two important compliance deadlines contained in the Updated Regulations, (2) suggests a 5-step process to efficiently update and/or create compliant HIPAA policies and procedures, and (3) discusses a few observations we’ve made as we’ve helped our clients prepare for the September 23, 2013 compliance deadline.
Relevant Compliance Deadlines
The U.S. Department of Health and Human Services (HHS) released the Updated Regulations on January 25, 2013. They later became effective on March 26, 2013. Generally speaking, there are two important deadlines that covered entities, business associates and subcontractors need to understand and meet:
September 23, 2013 – Covered entities, business associates and subcontractors must comply with the Updated Regulations by September 23, 2013. HHS will have direct enforcement authority over business associates and subcontractors after this date. This means that, from September 23, 2013 forward, in addition to covered entities, business associates and subcontractors will be directly liable under HIPAA for, among other things, impermissible uses and disclosures of PHI, failure to provide appropriate and timely breach notification, failure to account for disclosures of PHI, failure to enter into business associate agreements with subcontractors that create or receive a covered entity’s PHI on its behalf, and failure to comply with the HIPAA security rule, as required by the Updated Regulations. It is therefore essential that covered entities, business associates and subcontractors revise their HIPAA policies and procedures by September 23, 2013.
September 22, 2014 – Any business associate agreement (BAA) or subcontractor agreement that was modified or executed after the March 26, 2013 effective date must fully comply with the Updated Regulations. However, if a BAA or subcontractor agreement meets the following three criteria, the Updated Regulations allow a 1-year grace period: (1) the agreement was in place by January 25, 2013 (the date HHS published the Updated Regulations in the Federal Register); (2) it complies with the previous version of the HIPAA regulations; and (3) it was not modified on or after March 26, 2013. If each of these requirements is met, an existing BAA or subcontractor agreement does not have to comply with the Updated Regulations until September 22, 2014.
Five Steps to Efficiently Update and Implement HIPAA Policies and Procedures
One of my favorite professors in pharmacy school teaches all first-year pharmacy students the “salami method” to studying. “Getting through pharmacy school is a lot like eating a salami,” he says, “if you try to do it all in one sitting, you’re never going to finish. But, if you develop a game plan, and attack it in manageable bites, you can get through it.” Preparing for the September 23, 2013 compliance deadline is no different; there’s a lot of work to do, but you can accomplish the necessary updates as long as you develop an efficient strategy and stick to the game plan.
Generally speaking, we’ve followed a 5-step salami method revision process to help bring our clients’ HIPAA policies and procedures and BAAs into compliance with the Updated Regulations. Investing the time now to perform these steps will help your organization avoid the considerable new fines, as authorized by HITECH, for failing to comply with the Updated Regulations by September 23, 2013.
- LEARN and understand the new requirements contained in the Updated Regulations.
- IDENTIFY gaps by comparing the new requirements contained in the Updated Regulations with your organization’s current HIPAA policies and procedures.
- DEVELOP and implement a plan to bring your policies and procedures into compliance with the Updated Regulations.
- EDUCATE your workforce on what they need to do differently based on the Updated Regulations and explain your organization’s updated HIPAA policies and procedures.
- REINFORCE new HIPAA policies and procedures by periodically educating your current workforce members and by training each new workforce member prior to his or her first day on the job.
Updating your HIPAA Policies and Procedures and BAAs
Whether you’re a business associate or subcontractor developing HIPAA policies and procedures for the first time, or you’re a covered entity whose policies and procedures merely require updating, it is important that you take whatever steps are necessary to become fully compliant with the Updated Regulations by September 23, 2013. Your organization should also draft a BAA that it is comfortable with. Finally, you should determine how and when you will educate new and current employees on the sweeping changes contained in the Updated Regulations.
In the past several months, we have conducted comprehensive revisions of dozens of HIPAA policies and procedures and drafted and/or reviewed many BAA and subcontractor agreements. Here are some of the items we’ve been focusing on:
- Business Associate PHI Disclosure Policies. Covered Entities should draft a policy that makes it mandatory to first execute a BAA before disclosing any PHI to a business associate. The policy should include, at a minimum, the definitions of a business associate and subcontractor, a detailed list of mandatory BAA provisions, a requirement that subcontractors of business associates enter into subcontractor agreements before receiving or creating PHI on behalf of the covered entity, and a clearly defined procedure for drafting and executing new BAAs.
- Business Associate Agreements. Covered entities, business associates and subcontractors should become familiar with the provisions and obligations that must be in every BAA. You may also want to draft a “form” BAA that contains either “pro-covered entity” or “pro-business associate/subcontractor” breach notification provisions. Accomplishing these goals will both reduce the time it takes to negotiate BAAs, and prevent you from executing a BAA you may later regret.
- Breach Notification Policy. Every covered entity, business associate and subcontractor should have a breach notification policy. As we have discussed in previous articles, the Updated Regulations replace the old “risk of harm” standard with a presumption that a breach has occurred; notification is now required unless the covered entity, business associate or subcontractor can demonstrate that “there is a low probability that the PHI has been compromised.”
- Employee Training Programs. Covered entities, business associates and subcontractors should develop training programs to educate their workforce on what they need to do differently under the Updated Regulations and how they can help ensure compliance with them.
- Other General Observations. In addition to the “big” changes contained in the Updated Regulations (e.g. business associates and subcontractors are now directly liable under HIPAA, and the updated definition of what constitutes a “breach”), the Updated Regulations contain many other subtle (and not-so-subtle) changes. For instance, the Updated Regulations contain many new definitions. They also modify many PHI disclosure rules; update when PHI may be used for marketing purposes; and clarify when organizations must honor an individual’s request to restrict disclosures of his or her PHI. Finally, the Updated Regulations also require business associates and subcontractors to track certain disclosures of PHI. Each of these updates (and many more!) must be accounted for when updating organizations’ HIPAA policies and procedures.
This article is by no means comprehensive. There are many additional new provisions contained in the Updated Regulations that covered entities, business associates and subcontractors need to review and understand. If you haven’t done so already, it’s important that you work with your organization’s Privacy and/or Security Officer(s) and your general or outside counsel to develop and implement a plan to review and revise your organization’s HIPAA policies and procedures. There’s still time to complete these steps before the September 23, 2013 compliance deadline, but the clock is ticking!
If you need assistance developing, implementing, reviewing or revising your HIPAA policies and procedures or BAAs, please contact a member of Cozen O’Connor’s Health Law team.
*Special thanks to Sandra Hill, a Summer Associate at Cozen O’Connor, for helping draft this article.
Generally speaking, the new fines authorized under the Updated Regulations are based on an organization’s degree of culpability. After HITECH, HHS may now issue fines ranging from $100 per violation, where the organization did not know, and could not have known, of the violation, up to $50,000 per violation with an annual cap of $1.5 million where the violation was due to willful neglect and was not corrected within 30 days. See 45 C.F.R. § 160.404(b)(2).