January 30, 2013
Authored by: Chris Rylands and Serena Yee
We’ve already explored the changes from the new HIPAA/HITECH omnibus final rule in detail in our client alert. However, we wanted to highlight a few important provisions (and one perhaps not as important) of the rule and provide some additional commentary.
First, as noted in the alert, business associate agreements generally do not need to be amended for the final rules until September 23, 2014. However, if the agreement is renewed or extended before then (other than by automatic renewal under an evergreen clause), it must be amended at that time. The key condition is that the agreement must have been in place by January 25, 2013 (the date the regulations were published in the Federal Register). If it was not, the deadline is a full year earlier: September 23, 2013. HHS recently posted some sample business associate contract language on its website.
Additionally, as has been widely reported, the “harm standard” for breaches has been replaced with factors HHS viewed as more objective. Specifically, in the preamble, HHS states:
“[T]he definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”
Therefore, any impermissible use or disclosure (which also encompasses any impermissible access or acquisition) is a breach unless the plan (really, the plan administrator) can demonstrate otherwise. HHS