HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others


The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as "covered entities," as well as their subcontractors and vendors as "business associates" (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.


What the New HIPAA Rules Say About Health Information Technology for Users, Developers and Investors


While the use of HIT presents enormous benefits, it also poses significant risks with respect to the privacy and security of health data. On January 25, 2013, the U.S. Department of Health and Human Services ("HHS") announced the final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") in accordance with the HITECH Act of 2009 (the "2013 Amendments").

New HIPAA Rules Regarding Genetic Information Affect Employers, Group Health Plans, Health Insurers and Healthcare Providers


The section of the rule implementing the Genetic Information Nondiscrimination Act of 2008 (GINA) has not received nearly as much attention. This most likely results from the fact that while the non-GINA portions of the final rule will have an industry-wide impact, the section addressing GINA primarily affects health insurers. Because HIPAA includes employer-sponsored group health plans under the definition of insurers, employers that sponsor plans are also affected by the GINA amendments to the HIPAA Privacy Rule.

Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans


Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule.

HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever


The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information ("PHI"), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make "reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."


Overview of 2013 Amendments to HIPAA Privacy, Security, Breach Notification and Enforcement Rules


The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include its subcontractors that handle protected health information ("PHI"); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on "marketing" activities and the "sale" of PHI.


New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities


One of the most significant changes in the final HIPAA amendments is the Breach Notification Rule, which modifies and clarifies the definition of "breach" and the risk-assessment approach required for breach notification.

Final HIPAA Amendments Expand HIPAA Net: Business Associates Now Required to Enter into Business Associate Agreements with Subcontractors


Among the most significant changes of the Final HIPAA amendments are the provisions that extend the Privacy and Security Rules’ stringent compliance obligations to business associates (BA) and expand the definition of BAs to include subcontractors of BAs.

HHS (Finally) Announces The HIPAA/HITECH Amendments


On January 17, 2013, the federal Department of Health & Human Services (“HHS”) announced a final omnibus rule that details amendments to the privacy, security, data breach and enforcement rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The 2013 HIPAA Amendments (which, with commentary from HHS, weigh in at 563 pages) are closely based on statutory changes under the HITECH Act of 2009, and were previewed in proposed and interim rules issued by HHS several years ago. They involve a number of sweeping expansions to the existing HIPAA Rules, including: (1) a broader definition of “business associates” (“BAs”) to include downstream subcontractors that handle protected health information (“PHI”) on behalf of BAs; (2) increased penalties for noncompliance, with a maximum penalty of $1.5 million per violation; (3) expanded individual rights, including the right to request electronic medical records; and (4) new limitations on the use of PHI for marketing and fundraising, or the sale of PHI; among other broad changes. Read the full text here. Duane Morris is preparing a fuller description of the 2013 HIPAA Amendments that will be distributed shortly. Please do not hesitate to contact Lisa Clark, lwclark@duanemorris.com, Neville Bilimoria, NMBilimoria@duanemorris.com, or your contact at Duane Morris for more information. Thanks to Elinor Hart, EHart@duanemorris.com, for her prompt assistance with this breaking development.

My Doctor The Car – How Mobile Health (mHealth) Technologies Are Radically Re-Envisioning Health Care


‘Mobile health’ (mHealth), which is defined loosely as health care delivered wirelessly, is set to transform health care.  A perfect example is the Ford Motor Company’s ‘Car That Cares,’ which it announced at the 2012 International Consumer Electronics Show in Las Vegas in January. 


Expansion of CMS Never Events: They’re Not Just For Medicare Or Just For Hospitals Anymore


In 2005, when “Never Events” were proposed for hospitals through the Deficit Reduction Act, no one knew what the overall effect would be on hospitals or patient care. CMS later developed and implemented these Never Events under the authority of the DRA to prevent Medicare payment to hospitals for certain “never events” or hospital-acquired conditions (HACs), which were conditions that were high volume, involved higher payment, and could easily be prevented. Now, hospitals and other health care providers have to worry about Never Events in the Medicaid space.


Duane Morris Health Law

Reporting legal developments in the healthcare industry and the latest on the implementation of
the Healthcare Reform Act impacting providers, employers and physicians.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
The opinions expressed on this blog are those of the author and are not to be construed as legal advice.