On January 17, 2013, a moment highly anticipated by the health care industry finally arrived. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its Final Rule implementing changes to the regulations of the Health Insurance Portability and Accountability Act of 1996, 45 CFR Parts 160 and 164 (HIPAA). These changes were mandated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
The Final Rule addresses not only privacy and security rules governing protected health information (PHI) but also enforcement rules, breach notification rules, and the genetic privacy provisions of the Genetic Information Nondiscrimination Act (GINA) as they apply to PHI maintained by health plans. The effective compliance date of the Final Rule is September 23, 2013.
The Final Rule may impact attorneys with elder law practices in several ways. Many issues facing their clients may be health-related, and these clients may wish to understand how the privacy of their health information is protected. Elder law practitioners will need to understand how HIPAA, as amended by the Final Rule, restricts uses and disclosures of PHI, the types of entities it governs, and the protections it requires for electronic PHI. In addition, counseling such clients may require attorneys to obtain copies of medical records. Attorneys who represent health care providers or other entities covered under HIPAA (covered entities) and who must obtain access to PHI as part of that representation will be treated as “business associates” under HIPAA. Pursuant to the Final Rule, attorneys who are business associates are now directly regulated by and liable under HIPAA.