Under a transition rule, existing Business Associate Agreements do not need to be amended until September 22, 2014. The transition rule applies only to updating the agreements; the parties must operate as required under the updated HIPAA rules beginning in September 2013. Any new Business Associate Agreement must include the new requirements.

Information Breaches

The new HIPAA rule assumes that all impermissible uses and disclosures of protected health information (PHI) are breaches which require notification to various parties. However, if the plan can show that after completing a risk assessment it is confident that there is a low probability that PHI has been compromised notification is not required.

A risk assessment would look at:

• The nature and extent of the PHI involved, including the types of identifiers disclosed and the likelihood of re-identification;
• The unauthorized person(s) who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.

If the plan cannot demonstrate that there is a low probability of compromise to the PHI, notification is required. Notification is always required to the affected individuals, and may be required to the Department of Health and Human Services (HHS) and the media if the breach is significant enough. Note that the government believes that many forms of health information can be sensitive, not just information about sexually transmitted diseases, mental health diseases or substance abuse. In addition, violations of the minimum necessary rules could result in breaches requiring notification. Encryption generally means there is a low probability of exposure.

The obligation to determine whether a breach has occurred and to notify individuals remains with the plan. However, the plan can delegate these functions to a BA (such as a third party administrator).

Written notification by first-class mail is the general, default rule. However, individuals who affirmatively agree to receive notice by e-mail may be notified accordingly. In limited cases, individuals may be notified orally or by telephone.

Penalties

The updated penalties are large:

• "Did not know" penalty - amount not less than $100 or more than $50,000 per violation when it is established the plan or BA did not know and, by exercising reasonable diligence would not have known, of a violation;
• "Reasonable cause" penalty - amount not less than $1,000 or more than $50,000 per violation when it is established the violation was due to reasonable cause and not to willful neglect;
• "Willful neglect-corrected" penalty - amount not less than $10,000 or more than $50,000 per violation when it is established the violation was due to willful neglect and was timely corrected;
• "Willful neglect-not corrected" penalty - amount not less than $50,000 for each violation when it is established the violation was due to willful neglect and was not timely corrected.

Willful neglect includes extreme carelessness. Examples include:

• A plan disposed of several hard drives containing electronic PHI in an unsecured dumpster. An HHS investigation reveals the plan had failed to implement any policies and procedures to reasonably and appropriately safeguard PHI during the disposal process.
• An employee lost an unencrypted laptop or smart phone that contained unsecured PHI. An HHS investigation reveals the employer feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required.

The maximum penalty per violation type is $1,500,000 in a calendar year.