Per the AHIMA Analysis of the HIPAA Mega Rule of January 25, 2013, the Key Highlights of the HITECH/GINA Updates to HIPAA Privacy and Security Requirements were:
- Business associates must follow the Security Rule for electronic protected health information.
- Business associates have business associate agreements with their subcontractors, who must also follow the Security Rule for electronic protected health information (PHI).
- Covered entities do not have business associate agreements with business associates’ contractors.
- Marketing requires an authorization.
- Financial remuneration is defined.
- Exceptions to marketing are still in place.
- Business associates must obtain authorizations prior to marketing.
- Grandfather clause for business associate agreement transition
- Prohibits the sale of PHI without patient authorization
- Allows for compound authorizations for research
- Allows for authorizing for use or disclosure of future research data
- Any individually identifiable health information of a person deceased more than 50 years is no longer considered PHI under the Privacy Rule.
- Covered entities are now permitted to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the CE.
- Covered entities can disclose proof of immunization to a school where state or other law requires it prior to admitting a student. Written authorization is no longer required, but an agreement must still be obtained, which can be oral.
- Covered entities must provide the recipient of any fundraising communication with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications, and the individual’s choice to opt out is treated as a revocation of authorization under the Privacy Rule.
- The Notice of Privacy Practices must be revised and redistributed.
- Required restriction to health plan
- Access to electronic PHI
- Form and format of electronic copies
- Fees for paper and electronic copies
- Timeliness for paper and electronic records
- The Breach Notification Rule’s “harm” threshold is removed and replaced with a more objective standard.
- Title I of GINA required the Secretary to revise the HIPAA Privacy Rule.
- Genetic information is health information.
- Genetic information may not be used or disclosed for underwriting purposes.
- Excludes long-term care plans from the underwriting prohibition