“THE LEGAL CORNER”
By Sam A. Moak
New HIPAA Rule
The information in this column is not intended as legal advice but to provide a general understanding of the law. Any readers with a legal problem, including those whose questions are addressed here, should consult an attorney for advice on their particular circumstances.
The U.S. Department of Health and Human Services has adopted a new rule concerning privacy and security for health information, to take into account changes that have occurred in health care since enactment of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Some of the key features in the 563 page final rule are outlined below.
Privacy notices given by covered entities, such as health-care providers and health plans, must now include a statement about a patient’s right to restrict the disclosure of his or her health information when paying out of pocket for the service.
“Downstream” business associates of covered entities are also covered by the new HIPAA rule. Thus, such subcontractors as billing and phone services, document and data storage companies, and other such entities whose functions involve the disclosure of protected health information are subject to liability for violations and the potential for agency enforcement action and penalties. This aspect of the new rule was meant to prevent covered entities from effectively skirting their HIPAA obligations by farming tasks out to subcontractors.
Before the new rule, a breach had to be reported to a patient if it posed a significant risk of financial, reputational, or other harm to the individual. Now, if health information is compromised, a data breach is presumed, with the attendant notification requirements, unless there is a low probability that the protected information was in fact compromised. Factors to consider as to whether a breach must be reported are the nature and extent of the information, the person to whom the data was disclosed, whether that person actually viewed it, and whether the risk was mitigated in some manner.
While patients already had a right to a copy of their health records, the new rule changed the default form of production from a hard copy to an electronic copy when the information is maintained electronically. Entities may charge a reasonable fee for providing the information, and now the information must be provided within 30 days of the request.
While we have dealt with HIPAA for quite some time now, I still review Medical Powers of Attorney or Powers of Attorney for Health-care that do not address HIPAA. This could present a very difficult problem if a loved one is hospitalized and unable to direct their own care or to authorize someone to do so for them, including giving that person authority to access any and all of their HIPAA-protected health-care information.
It is another example of why you should have an attorney familiar with this area of law review your incapacity documents. Do not wait until it is too late to have them updated. The new final rule took effect on March 26, 2013, and compliance with all applicable requirements must occur by September 23, 2013.
Sam A. Moak is an attorney with the Huntsville law firm of Moak & Moak, P.C. He is licensed to practice in all fields of law by the Supreme Court of Texas, is a Member of the State Bar College, and is a member of the Real Estate, Probate and Trust Law Section of the State Bar of Texas.