Finally Final! HIPAA Privacy and Security Regulations Released


The Department of Health and Human Services (HHS) released some long-awaited (and long-overdue) final regulations under HIPAA (the Health Insurance Portability and Accountability Act).

The release updated various HIPAA requirements, including privacy, security, enforcement and breach notification. Employers and Plan Sponsors, as well as Covered Entities, will likely require a great deal of time to analyze and digest the 500+ pages (the three-column final printing is reduced to 138 pages, linked here). Meanwhile, these Covered Entities, including self-funded group health plans, should prepare for the changes that will be necessary as a result of these new rules. The changes will require updates to HIPAA policies and procedures, Business Associate Agreements (BAAs), privacy notices and workforce training.

The new rules are effective March 26, 2013, and Covered Entities must generally comply with them by September 23, 2013, which is the maximum 180-day compliance period. Transition rules are included that allow valid BAAs in place on or before January 25, 2013 to be compliant.


HIPAA’s administrative simplification rules have evolved since their initial release in 1996, and several rounds of governmental guidance have addressed how HIPAA protects individuals’ personal health information (PHI), including:

  • The privacy and security rules became effective for most Covered Entities (including health providers, health plans and health data clearinghouses) in 2003 and 2005 (depending on how large the plan was). These foundational rules provide the basic structure of how Covered Entities must treat and protect PHI, in all formats.
  • The Health Information Technology for Economic and Clinical Health Act (HITECH) extended certain HIPAA provisions and penalties directly to Covered Entities’ business associates, just as they would apply to the Covered Entity. Included in this category are third party administrators, contractors and subcontractors, as well as other vendors. HITECH also added new breach notification requirements and individual policy rights, and it strengthened enforcement with significantly increased penalties for HIPAA violations. (AP Benefit Advisors’ clients’ HIPAA BAAs were updated in January/February of 2010 to account for this.)
  • The Genetic Information Nondiscrimination Act (GINA) imposed specific privacy requirements in connection with the use of genetic information. For a full background on GINA, see our March 2009 Compliance Chronicle.
  • Proposed regulations released in 2011 regarding the accounting and disclosure rules would change the time frames allotted to provide accounting of disclosures and allow individuals to receive reports showing who accessed their PHI.

Highlights from the Final Regulations

  • The new regulations require compliance by September 23, 2013.
  • BAAs will need to be updated to reflect the new liability, with the exception of the aforementioned valid BAAs in effect before January 25, 2013 (which must be revised by 09/22/2014).
  • The sale of PHI without an individual’s permission will be prohibited, with the exception of some applicable circumstances.
  • Additional limits on the use of PHI will be imposed for marketing and fundraising purposes.
  • Permission to give a child’s immunization proof to a school will be made easier.
  • The ability for certain family members to access a decedent’s PHI will be expanded.
  • The analysis for determining whether a HIPAA breach must be reported will change.
  • GINA standards prohibiting the use or disclosure of genetic information for underwriting purposes must be adopted.
  • Individual rights will be expanded.
  • The increased and tiered civil monetary penalties provided by the HITECH Act will be adopted.

Notably, these rules do not appear to include the 2011 proposed regulations on accounting of disclosures and an individual’s right to receive an access report.

What’s next for employer plan sponsors?

These regulations are detailed and affect a broad range of HIPAA issues. HHS has characterized these rules as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

Accordingly, employers and plan sponsors must review, and possibly update, their HIPAA policies and procedures, BAAs and Privacy Notices to confirm that they meet the new mandates by the (absolute) deadline – September 23, 2013. In addition, plan sponsors should conduct workforce training to update individuals with access to PHI on the new rules.