The HIPAA amendments are scheduled to come into force at the end of September 2013 as a result of a retrospective review of the Act carried out in accordance with Executive Order 13563, which mandates such reviews to reduce costs and increase the flexibility of existing human-subject protection legislation. The resulting amendments align HIPAA with the Health Information Technology for Economic and Clinical Health Act (HITECH). The purpose is “to strengthen the privacy and security protection for individuals”, to modify the rules relating to “Breach notification”, and to protect “genetic information” in line with the Genetic Information Nondiscrimination Act of 2008 (GINA). These amendments are expected to improve the effectiveness and flexibility of HIPAA and to make its provisions more workable for the regulated health care bodies. Health care professionals must demonstrate compliance with effect from 23rd September 2013.
The final rule makes four amendments to HIPAA. Modifications have been made to:
Amendment to Privacy, Security, Enforcement Rules
Under the pre-amended rule, business entities were held responsible for the actions of their associates. The new rule makes the associates directly responsible for their actions, and they must demonstrate compliance with the rules of HIPAA. The limitations imposed on covered entities on the use and disclosure of health information held by them in electronic formats have been enhanced. These entities cannot disclose protected information without the authorization of the information owner (the individual to whom the protected information pertains). The privacy practices of the covered entities and the individual authorization rules must be modified to facilitate research and meet other statutory requirements under the amended HIPAA. Finally, the entities must adopt the amended, enhanced HITECH Act.
Breach Notification Rules
The earlier breach notification rules were modified with a view to reducing the “harm” threshold and providing an objective standard for dealing with breaches. The amended rule includes subcontractors who share health information of the covered entity in the definition of business associates, and fixes the responsibility for the use of individual health information, or for a breach of its privacy or security, on such “business associates”.
Genetic Information Nondiscrimination Act (GINA)
This amendment makes stipulations on the use or disclosure of genetic information to health plans. The new privacy protection clarifies that genetic information is health information and prohibits groups that market health plans, health insurance and other Medicare supplemental policies from indiscriminately accessing genetic information for underwriting purposes.
These are largely provisions that simplify the administration of HIPAA and facilitate the establishment of national standards for health care transactions.