Patricia O'Connell
Senior Communications Manager

Wiley Rein’s Kirk Nahra Discusses Revised Health Care Privacy Rules

Bloomberg BNA’s Health Law Reporter
January 25, 2013

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was quoted in a January 24 Bloomberg BNA article about health care privacy rule changes that were finalized this month by the U.S. Department of Health and Human Services (HHS).

The revisions expanded the applicability of the Health Insurance Portability and Accountability Act’s (HIPAA) rules beyond health care providers, doctors and insurance companies, to also cover their business associates.

“The biggest impact will be on business associates (and their downstream contractors), who will have to comply with the full HIPAA Security Rule as well as facing enforcement risk related to the business associate contractual requirements under the Privacy Rule,” Mr. Nahra told Bloomberg BNA.

He added that “as a general matter, the omnibus regulation breaks little new ground” for entities that were already covered by the HHS privacy rules, “beyond the specific requirements” of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) law. Those organizations “will need to make modest changes, in areas ranging from privacy notices to marketing practices to authorization forms,” he said.

HHS also modified the standard under which covered organizations must notify individuals and the agency of any breaches to their unsecured protected health data. That change was significant, and “clearly and explicitly recognized that the HITECH law does not require notification any time a breach possibility exists,” Mr. Nahra said. But “this change (while important) likely will not have a significant impact on the situations in which notice is provided.”

The new standard includes a risk assessment analysis approach that “certainly will impose some additional rigor,” he added. “But it is likely that most breaches will end up with the same result—notification to individuals where there is a good reason to think that some kind of reasonable harm can come to the individual from the particular situation.”

Mr. Nahra noted that “HHS included in its commentary various cost estimates about both the benefits of the new rules and some of the costs.” While it is difficult “to identify specific cost benefits, some of the cost estimates for compliance are exceedingly low, almost bizarrely low,” he said. For example, “the new rule discusses the need for revised privacy notices in several places, and identifies a variety of situations where new notices will be provided and distributed (in addition to the notices already being long and complicated). Yet, HHS estimates that it will take covered entities one third of one hour to revise a privacy notice.”