

Thursday January 3, 2013

Delayed HIPAA/HITECH Final Rules promise big changes

By Tom Dumez, President of Prime Compliance

The Notice of Proposed Rulemaking (NPRM) titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” was published in July 2010. The long-delayed Final Rules from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), bundled together in what is called the “Omnibus Final Rulemaking,” have since been delivered to the Office of Management and Budget (OMB) for review. One of the biggest problems in rulemaking is the lag between proposal and issuance, driven by legal requirements, bureaucracy, and political influences. For covered entities (CEs, which are your clients), business associates (BAs, which is you), and their agents and subcontractors (the people to whom you outsource a covered service), things are changing.

The original NPRM read: “The HHS OCR will issue final rules to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH, Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.” We originally expected the rules to be finalized in early 2012. That deadline came and went.

We knew the omnibus rulemaking would bundle changes to four HIPAA/HITECH-related rules: the Genetic Information Nondiscrimination Act (GINA) NPRM, the Breach Notification Interim Final Rule (IFR), the Enforcement and Compliance IFR, and the HITECH Privacy/Security/Enforcement NPRM. The HITECH changes address areas such as BAs, enforcement, electronic access (accounting of disclosures), marketing, fundraising, the prohibition on the sale of protected health information (PHI), and the right to request restrictions.

Among the biggest changes will be those related to BAs, subcontractors and other parties, as HITECH casts a much wider net over millions of organizations. HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of PHI. These sections also make BAs directly liable for civil and criminal penalties for violations of certain provisions of the HIPAA Privacy and Security Rules. As it applies to document destruction companies acting as BAs, the NPRM originally proposed the following:

  1. Requiring that BAs comply with the administrative, physical and technical safeguard requirements of the Security Rule
  2. Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule
  3. Clarifying that BAs are liable regardless of whether they have an agreement in place with the CE
  4. Defining subcontractors as BAs, clarifying that BA liability flows down to all subcontractors
  5. Higher fines for failing to secure PHI

My opinion is that the final amendments will stay true to these proposals. The line between BAs and CEs continues to blur: BAs will be expected to follow rules that have historically applied only to CEs. All five items above will impact BAs. However, they are also simply good business practices. More regulation means more liability, more responsibility, and more risk. A real-world, relevant training program for your employees is paramount.


Comments: 2

   Patrick DeVries, CSDS    January 8, 2013 6:03 pm

A North Idaho non-profit was recently fined $50,000 for a breach that affected fewer than 500 people. In addition to their other costs, this was very expensive. As a BA performing services for a CE, the financial responsibilities are mounting. Once these rules are final and become the norm, we should see some real interest in taking all the steps necessary to protect our clients' records. Insurance costs will rise as we embrace the coverages necessary to protect our clients and our interests in this changing arena. Thanks for the info. - Pat DeVries

   Andrew Sokol, CSDS    January 2, 2013 1:53 pm

Thanks for the update, Tom. One of these days they will finalize the rules. The bottom line is to do the right thing when it comes to handling our clients' documents. - Andy Sokol
