HIPAA Mega Rule: Tips for Health Care Providers


Nearly three years after enacting many provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Congress passed the HITECH omnibus final rule, or “Mega Rule,” that finalizes many interim HIPAA Security and Privacy Rules for covered entities such as healthcare providers and health plans.  

The 563-page pre-publication version contains several important updates to patient privacy rules that affect your practice, including finalizing several breach notification rules, changing the definition of a business associate, and strengthening enforcement rules for covered entities.

1. Breach

One of the most significant changes made by the Mega Rule is that an impermissible access, acquisition, use or disclosure of protected health information is now presumed to be a breach. Prior to the Mega Rule, a disclosure of protected health information was only considered a breach requiring patient notification where it posed a significant risk of financial, reputational or other harm to the individual. Now a covered entity must demonstrate that there is a low probability that the information has been compromised in order to establish that the incident does not rise to a breach requiring patient notification. A covered entity must now consider four factors in assessing the probability of a breach, including:

It is extremely important that a covered entity have a documented analysis of the above factors for each instance of an unauthorized disclosure. Each covered entity should also ensure it has policies and procedures in place to document each disclosure. HIPAA now imposes monetary penalties for violations caused by a covered entity's or business associate's willful neglect.

Recently, a $50,000 fine was levied on an Idaho hospice provider based on the theft of a laptop containing 441 patients' unencrypted health information. This is the first-ever settlement by HHS of a breach involving fewer than 500 individuals. Importantly, there was no indication that any PHI was improperly viewed or accessed, but the hospice had not conducted a risk analysis to safeguard its electronic protected health information and had not adopted policies or procedures to address mobile device security.

2. Business Associates

The Mega Rule now makes business associates directly responsible for HIPAA compliance. It also expands the definition of "business associate" to include subcontractors, as well as any party that controls protected health information for more than a transitory amount of time. While mere conduits of protected health information, such as the U.S. Postal Service or Internet service providers, are not business associates, entities that store or protect protected health information on more than a temporary basis are considered business associates, even if they never actually view the information. As a result, covered entities must update their business associate agreements to require business associates to enter into HIPAA-compliant contracts with their subcontractors.

3. Fundraising and marketing

The Mega Rule requires fundraising communications to include a clear and conspicuous opportunity to opt out of receiving further communications. The Mega Rule also makes clear that covered entities may use the treating physician's name, department of service information, health insurance status and outcome information in crafting their fundraising documents. While covered entities cannot sell patient information for fundraising and marketing purposes, they may continue to receive financial remuneration to provide refill reminders or to send out other communications about a drug or biologic currently prescribed for the patient, as long as the payment is reasonably related to the covered entity's costs of making the communication.

4. Notice of Privacy Practices

A covered entity's notice of privacy practices should be updated to address the changes of the Mega Rule, including:

5. Protection of protected health information

Covered entities must also agree to restrict disclosures of protected health information about an individual, upon demand, if:

Finally, if an individual requests protected health information that is maintained electronically, the covered entity must provide the individual with electronic access in the form and format requested by the individual, if the information is readily producible in that format.

While these tips address the most vital changes to HIPAA, virtually all health care providers must review their privacy and security policies to determine what changes need to be made to address the requirements of their individual practices.

This article is for informational purposes only. It is not intended to give legal advice for particular situations or subjects.