On January 25, 2013, Health and Human Services (HHS), the
federal agency in charge of implementing the Health Information
Privacy and Accountability Act of 1996 (HIPAA) issued regulations
modifying the HIPAA Privacy and Security enforcement rules. These
regulations finalized the amendments to HIPAA that were made by the
Health Information Technology for Economic and Clinical Health Act
(HITECH Act), modifying the HITECH Act's interim-breach
notification rules and modifying the HIPAA Privacy Rules to
implement the Genetic Information Nondiscrimination Act of 2008
The final rules went into effect on March 26, 2013; covered
entities and business associates must comply with the final rule by
September 23, 2013. Now is the time to make the necessary
change to your HIPAA Privacy and Security compliance materials.
Modifications to the proposed HITECH rules include: 1)
confirmation that business associates are now directly liable for
compliance with the HIPAA Privacy and Security Rules and are
subject to HHS enforcement; 2) strengthening the limitations on the
use and disclosure of protected health information (PHI) for
marketing and fundraising purposes and prohibiting the sale of PHI
without the individual's authorization; 3) expanding
individuals' rights to receive electronic copies of their PHI
and restrict disclosures to a health plan concerning services for
which the individual has already paid in full; 4) modifications to
covered entities' privacy notices; 5) increasing fines for
noncompliance; and 6) changing the definition of "breach"
by replacing the harm threshold with a more objective standard.
To implement GINA, the HIPAA rules are modified to
prohibit most plans from using or disclosing genetic information
for underwriting purposes.
The January regulations require changes to privacy notices,
business associate agreements, authorization forms, training, HIPAA
Privacy policies, and HIPAA Security policies, as well as add a new
privacy-agreement requirement between business associates and any
subcontractors. They will also affect how a covered entity
can use information to fundraise and will cause business
associate's subcontractors to implement their own HIPAA
How To Comply
For those of our clients (group health plans, healthcare
providers and business associates) who previously purchased the
firm's HIPAA Privacy and possibly HIPAA Security compliance
packages, you must amend these by September 23, 2013. We have
prepared updated materials that you can use to amend your existing
For those covered entities, business associates and
subcontractors who have not yet completed your HIPAA Privacy and
Security compliance, we have updated Privacy and Security
compliance packages that you can purchase. These packages
include step-by-step instructions, forms, and flat-rate legal
advice so that the end result is a compliance package which you can
price in advance and rely upon to meet all your HIPAA requirements.
The flat fee includes telephone interviews with a Fisher &
Phillips attorney, analysis of any existing compliance documents
and security measures, review of the uses, storage, disposal and
disclosures of PHI, and a determination of the scope of required
Privacy and Security compliance.
Fisher & Phillips will provide all necessary customized
written documents, policies and procedures, and training materials,
including the following, where necessary: 1) Notice of Privacy
Practices; 2) HIPAA Privacy and Security policies and procedures
manuals; 3) HIPAA compliant Authorization forms; 4) HIPAA Privacy
Official and Security Official job descriptions; 5) group health
plan amendments; 6) employer certification of compliance; 7) HIPAA
training materials; 8) a model business associate agreement for use
by covered entities and their business associates; and 9) a model
privacy agreement for use by business associates and their
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
A recent decision issued on April 10, 2015, by the U.S. Sixth Circuit Court of Appeals (EEOC v. Ford Motor Co.), serves as a useful reminder to employers dealing with telecommuting requests from employees.